Merge pull request #1172 in SNORT/snort3 from nhttp99 to master

author Tom Peters (thopeter) <thopeter@cisco.com>

Mon, 2 Apr 2018 19:11:31 +0000 (15:11 -0400)

committer Tom Peters (thopeter) <thopeter@cisco.com>

Mon, 2 Apr 2018 19:11:31 +0000 (15:11 -0400)
author Tom Peters (thopeter) <thopeter@cisco.com>
Mon, 2 Apr 2018 19:11:31 +0000 (15:11 -0400)
committer Tom Peters (thopeter) <thopeter@cisco.com>
Mon, 2 Apr 2018 19:11:31 +0000 (15:11 -0400)
diff --git a/src/service_inspectors/http_inspect/http_enum.h b/src/service_inspectors/http_inspect/http_enum.h

index b21f4232e85af4e48d19191dd896f719e4f5258b..e4622c2c659b3376e36cffdb6bba1eb499ba58b8 100644 (file)
--- a/src/service_inspectors/http_inspect/http_enum.h
+++ b/src/service_inspectors/http_inspect/http_enum.h
@@ -345,6 +345,7 @@ enum EventSid
      EVENT_206_WITHOUT_RANGE,
      EVENT_VERSION_NOT_UPPERCASE,
      EVENT_BAD_HEADER_WHITESPACE,
+    EVENT_GZIP_EARLY_END,                  // 99
      EVENT__MAX_VALUE
  };
  
diff --git a/src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc b/src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc

index e5cbca2bc3f8ee3d5cd238fd89d9ad6f979b661f..30480a349337a41ea5eb3d0f314dd0193d450d80 100644 (file)
--- a/src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc
+++ b/src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc
@@ -159,11 +159,11 @@ void HttpStreamSplitter::decompress_copy(uint8_t* buffer, uint32_t& offset, cons
                  {
                      // The zipped data stream ended but there is more input data
                      *infractions += INF_GZIP_EARLY_END;
-                    events->create_event(EVENT_GZIP_FAILURE);
+                    events->create_event(EVENT_GZIP_EARLY_END);
                      const uInt num_copy =
                          (compress_stream->avail_in <= compress_stream->avail_out) ?
                          compress_stream->avail_in : compress_stream->avail_out;
-                    memcpy(buffer + offset, data, num_copy);
+                    memcpy(buffer + offset, data + (length - compress_stream->avail_in), num_copy);
                      offset += num_copy;
                  }
                  else
diff --git a/src/service_inspectors/http_inspect/http_tables.cc b/src/service_inspectors/http_inspect/http_tables.cc

index 71c3385eb54770982d9e9d6e37fdb124a826798d..0273ffcac527f7c2dd3363976a2b5145a3616072 100644 (file)
--- a/src/service_inspectors/http_inspect/http_tables.cc
+++ b/src/service_inspectors/http_inspect/http_tables.cc
@@ -381,6 +381,8 @@ const snort::RuleMap HttpModule::http_events[] =
      { EVENT_206_WITHOUT_RANGE,          "206 response sent to a request without a Range header" },
      { EVENT_VERSION_NOT_UPPERCASE,      "'HTTP' in version field not all upper case" },
      { EVENT_BAD_HEADER_WHITESPACE,      "white space embedded in critical header value" },
+    { EVENT_GZIP_EARLY_END,             "gzip compressed data followed by unexpected non-gzip "
+                                        "data" },
      { 0, nullptr }
  };
author	Tom Peters (thopeter) <thopeter@cisco.com>
	Mon, 2 Apr 2018 19:11:31 +0000 (15:11 -0400)
committer	Tom Peters (thopeter) <thopeter@cisco.com>
	Mon, 2 Apr 2018 19:11:31 +0000 (15:11 -0400)
src/service_inspectors/http_inspect/http_enum.h		patch \| blob \| blame \| history
src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc		patch \| blob \| blame \| history
src/service_inspectors/http_inspect/http_tables.cc		patch \| blob \| blame \| history