From: Mike Stepanek (mstepane) Date: Mon, 25 Jan 2021 14:46:57 +0000 (+0000) Subject: Merge pull request #2717 in SNORT/snort3 from ~KATHARVE/snort3:hi_scheme_length to... X-Git-Tag: 3.1.1.0~7 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=066004d55cdbd4e2bf6ab8df25a64ae5b92bb4b0;p=thirdparty%2Fsnort3.git Merge pull request #2717 in SNORT/snort3 from ~KATHARVE/snort3:hi_scheme_length to master Squashed commit of the following: commit 3ba32d1935436a4246e8242302935abb38a92c13 Author: Katura Harvey Date: Fri Jan 22 10:53:37 2021 -0500 http_inspect: validate URI scheme length
---
diff --git a/src/service_inspectors/http_inspect/http_enum.h b/src/service_inspectors/http_inspect/http_enum.h
index b28b03ffe..da5a35830 100755
--- a/src/service_inspectors/http_inspect/http_enum.h
+++ b/src/service_inspectors/http_inspect/http_enum.h
@@ -246,6 +246,7 @@ enum Infraction
 INF_HTTP2_IN_HI,
 INF_TRUNCATED_MSG_BODY_CL,
 INF_TRUNCATED_MSG_BODY_CHUNK,
+ INF_LONG_SCHEME,
 INF__MAX_VALUE
 };
@@ -372,10 +373,11 @@ enum EventSid
 EVENT_200_CONNECT_RESP_WITH_CL,
 EVENT_200_CONNECT_RESP_WITH_TE,
 EVENT_100_CONNECT_RESP,
- EVENT_EARLY_CONNECT_RESPONSE, // 258
+ EVENT_EARLY_CONNECT_RESPONSE,
 EVENT_MALFORMED_CD_FILENAME,
- EVENT_TRUNCATED_MSG_BODY_CL,
+ EVENT_TRUNCATED_MSG_BODY_CL, // 260
 EVENT_TRUNCATED_MSG_BODY_CHUNK,
+ EVENT_LONG_SCHEME, // 262
 EVENT__MAX_VALUE
 };
diff --git a/src/service_inspectors/http_inspect/http_msg_request.cc b/src/service_inspectors/http_inspect/http_msg_request.cc
index 475050961..e437fb672 100644
--- a/src/service_inspectors/http_inspect/http_msg_request.cc
+++ b/src/service_inspectors/http_inspect/http_msg_request.cc
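Review bot: In the `enum EventSid` hunk of http_enum.h, the numeric value of `EVENT_LONG_SCHEME` is fixed only by its position in the list and by the `// 262` comment, and any rule that refers to this event by number presumably depends on that value staying put. A compile-time check after the enum, `static_assert(EVENT_LONG_SCHEME == 262, "http_inspect SIDs must not be renumbered");`, would turn an accidental insertion or reordering above it into a build error instead of a silent change in what deployed rules match. The start of the enum is outside the hunk, so this assumes the enumerators are numbered sequentially as the comments indicate.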
@@ -255,6 +255,12 @@ void HttpMsgRequest::gen_events()
 if (method_id == METH__OTHER)
 create_event(EVENT_UNKNOWN_METHOD);
+ if (uri && uri->get_scheme().length() > LONG_SCHEME_LENGTH)
+ {
+ create_event(EVENT_LONG_SCHEME);
+ add_infraction(INF_LONG_SCHEME);
+ }
+
 if (session_data->zero_nine_expected != 0)
 {
 // Previous 0.9 request on this connection should have been the last request message
diff --git a/src/service_inspectors/http_inspect/http_tables.cc b/src/service_inspectors/http_inspect/http_tables.cc
index 7b95fb0a5..32c2c5597 100755
--- a/src/service_inspectors/http_inspect/http_tables.cc
+++ b/src/service_inspectors/http_inspect/http_tables.cc
@@ -406,6 +406,7 @@ const RuleMap HttpModule::http_events[] =
 { EVENT_MALFORMED_CD_FILENAME, "malformed HTTP Content-Disposition filename parameter" },
 { EVENT_TRUNCATED_MSG_BODY_CL, "HTTP Content-Length message body was truncated" },
 { EVENT_TRUNCATED_MSG_BODY_CHUNK, "HTTP chunked message body was truncated" },
+ { EVENT_LONG_SCHEME, "HTTP URI scheme longer than 10 characters" },
 { 0, nullptr }
 };
diff --git a/src/service_inspectors/http_inspect/http_uri.cc b/src/service_inspectors/http_inspect/http_uri.cc
index 22a6ca454..2a6b690c8 100644
--- a/src/service_inspectors/http_inspect/http_uri.cc
+++ b/src/service_inspectors/http_inspect/http_uri.cc
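Review bot: In `HttpMsgRequest::gen_events()` the new check carries no comment saying which scheme lengths can actually reach it, and that is not obvious from this file. Judging by the http_uri.cc change in the same commit, a scheme longer than `MAX_SCHEME_LENGTH` is never stored as an absolute-URI scheme, so `EVENT_LONG_SCHEME` would fire only for lengths 11 through 36. I would add above the `if`: `// Alerts on schemes of LONG_SCHEME_LENGTH+1 .. MAX_SCHEME_LENGTH characters; longer ones are rejected in HttpUri::parse_uri()`. The check also relies on `get_scheme().length()` staying at or below the threshold when no scheme was parsed, which depends on code outside the hunk; the function body itself continues outside the hunk.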
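Review bot: In the `http_events[]` hunk of http_tables.cc the rule text hard-codes `10`, while the threshold that triggers the event is `LONG_SCHEME_LENGTH` in http_uri.h, so a later change to the constant would leave analysts reading an alert message that states the wrong limit. A comment on the table entry, `// text must match LONG_SCHEME_LENGTH in http_uri.h`, with the matching note beside the constant, keeps the two from drifting apart.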
@@ -69,10 +69,11 @@ void HttpUri::parse_uri()
 j++);
 for (k = j+3; (k < uri.length()) && (uri.start()[k] != '/'); k++);
- // Verify that 1) we found ://, 2) we found /, 3) scheme begins with a letter, and
- // 4) scheme consists of legal characters (RFC 3986 3.1)
+ // Verify that 1) we found ://, 2) we found /, 3) scheme begins with a letter,
+ // 4) scheme consists of legal characters (RFC 3986 3.1) and 5) scheme is no more than 36
+ // characters in length
 if ((k < uri.length()) && (uri.start()[j] == ':') && (uri.start()[j+1] == '/') &&
- (uri.start()[j+2] == '/') && (uri.start()[0] >= 'A'))
+ (uri.start()[j+2] == '/') && (uri.start()[0] >= 'A') && j <= MAX_SCHEME_LENGTH)
 {
 uri_type = URI_ABSOLUTE;
 scheme.set(j, uri.start());
diff --git a/src/service_inspectors/http_inspect/http_uri.h b/src/service_inspectors/http_inspect/http_uri.h
index 4e782edd6..35b9dab1e 100644
--- a/src/service_inspectors/http_inspect/http_uri.h
+++ b/src/service_inspectors/http_inspect/http_uri.h
@@ -26,6 +26,9 @@
 #include "http_field.h"
 #include "http_event.h"
+static const int MAX_SCHEME_LENGTH = 36; // schemes longer than 36 characters are malformed
+static const int LONG_SCHEME_LENGTH = 10; // schemes longer than 10 characters will alert
+
 //-------------------------------------------------------------------------
 // HttpUri class
 //-------------------------------------------------------------------------
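Review bot: In `HttpUri::parse_uri()` a scheme longer than `MAX_SCHEME_LENGTH` now fails the absolute-URI test and drops to whatever branch follows, which is outside the hunk, so it is not visible here whether such a request raises any event or infraction of its own. As far as the hunk shows, `scheme` is set only inside this branch, so `EVENT_LONG_SCHEME` cannot report the over-long case either. It is worth confirming, ideally with a test using a 37-character scheme, that the request is still flagged and not quietly classified as another URI type. As a style point, the new term is the only one in the condition without parentheses, `(uri.start()[0] >= 'A') && (j <= MAX_SCHEME_LENGTH))`, and since `j` is declared outside the hunk its signedness against the `int` constant should be checked.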
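Review bot: In http_uri.h the two limits are declared `static const int` at namespace scope in a header, and their comments do not say where 36 and 10 come from. `static constexpr int MAX_SCHEME_LENGTH = 36;` and `static constexpr int LONG_SCHEME_LENGTH = 10;` state the compile-time intent more directly. A one-line rationale for each value would help whoever tunes them later, given that RFC 3986 section 3.1, cited in http_uri.cc, sets no length limit. A `static_assert(LONG_SCHEME_LENGTH < MAX_SCHEME_LENGTH, "alert threshold must be below the rejection threshold");` would also record the relationship the detection logic depends on.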