From: Tom Peters (thopeter) Date: Thu, 30 Sep 2021 20:12:58 +0000 (+0000) Subject: Merge pull request #3078 in SNORT/snort3 from ~MDAGON/snort3:abort to master X-Git-Tag: 3.1.14.0~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0fdaebb2c70ab883c7edf719558650a94ee180c0;p=thirdparty%2Fsnort3.git Merge pull request #3078 in SNORT/snort3 from ~MDAGON/snort3:abort to master Squashed commit of the following: commit 5feb849b9a5669339c082f9ab0197c7453163fb8 Author: Maya Dagon Date: Fri Sep 24 13:59:54 2021 -0400 http2_inspect: protect against reassemble with more than MAX_OCTETS
---
diff --git a/src/service_inspectors/http2_inspect/http2_stream_splitter.cc b/src/service_inspectors/http2_inspect/http2_stream_splitter.cc
index 5473ddbcf..408735ad9 100644
--- a/src/service_inspectors/http2_inspect/http2_stream_splitter.cc
+++ b/src/service_inspectors/http2_inspect/http2_stream_splitter.cc
@@ -116,17 +116,21 @@ const StreamBuffer Http2StreamSplitter::reassemble(Flow* flow, unsigned total, u
 Profile profile(Http2Module::get_profile_stats());
 copied = len;
+ StreamBuffer frame_buf { nullptr, 0 };
 Http2FlowData* session_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
- assert(session_data != nullptr);
+ if (session_data == nullptr)
+ {
+ assert(false);
+ return frame_buf;
+ }
 #ifdef REG_TEST
 if (HttpTestManager::use_test_input(HttpTestManager::IN_HTTP2))
 {
- StreamBuffer http_buf { nullptr, 0 };
 if (!(flags & PKT_PDU_TAIL))
 {
- return http_buf;
+ return frame_buf;
 }
 bool tcp_close;
 uint8_t* test_buffer;
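Review bot: The new null guard on `session_data` only protects release builds because `assert` compiles out there, leaving the `if`/`return` as the sole check, yet nothing at the site says so and a later reader may "simplify" it back to a bare assert. A comment above the check would pin the intent: `// Should not happen; the explicit return keeps release builds (where assert is a no-op) from dereferencing a null session`. Note that `copied = len` is already assigned on the line above, so this early return reports the bytes as consumed while returning an empty buffer, which presumably matches the discard path later in the function. reassemble() begins and ends outside this hunk.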
@@ -140,19 +144,22 @@ const StreamBuffer Http2StreamSplitter::reassemble(Flow* flow, unsigned total, u
 {
 // Source ID does not match test data, no test data was flushed, preparing for a TCP
 // connection close, or there is no more test data
- return http_buf;
+ return frame_buf;
 }
 data = test_buffer;
 }
 #endif
- assert(!session_data->abort_flow[source_id]);
+ if (session_data->abort_flow[source_id])
+ {
+ assert(false);
+ return frame_buf;
+ }
 // FIXIT-P: scan uses this to discard bytes until StreamSplitter:DISCARD
 // is implemented
 if (session_data->payload_discard[source_id])
 {
- StreamBuffer frame_buf { nullptr, 0 };
 if (flags & PKT_PDU_TAIL)
 session_data->payload_discard[source_id] = false;
diff --git a/src/service_inspectors/http2_inspect/http2_stream_splitter_impl.cc b/src/service_inspectors/http2_inspect/http2_stream_splitter_impl.cc
index 425147d46..6175dab86 100644
--- a/src/service_inspectors/http2_inspect/http2_stream_splitter_impl.cc
+++ b/src/service_inspectors/http2_inspect/http2_stream_splitter_impl.cc
@@ -383,11 +383,16 @@ const StreamBuffer Http2StreamSplitter::implement_reassemble(Http2FlowData* sess
 unsigned total, unsigned offset, const uint8_t* data, unsigned len, uint32_t flags,
 HttpCommon::SourceId source_id)
 {
- assert(offset+len <= total);
- assert(total <= MAX_OCTETS);
 StreamBuffer frame_buf { nullptr, 0 };
+ if ( total > MAX_OCTETS || offset+len > total)
+ {
+ assert(false);
+ session_data->abort_flow[source_id] = true;
+ return frame_buf;
+ }
+
 if (session_data->frame_type[source_id] == FT_DATA)
 {
 if (len != 0)
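Review bot: The `abort_flow[source_id]` check that replaces the assert is what turns the flag set in the http2_stream_splitter_impl.cc hunk (implement_reassemble marks the flow aborted when its size check fails) into a permanent drop of further data, yet neither site mentions the other. A comment here would make the coupling visible: `// Set (at least) by implement_reassemble() when a frame violates its size invariants; once set, further data in this direction is reported consumed (copied == len) and dropped`. Under REG_TEST this guard runs only after the test-input substitution above it, so an aborted flow still pulls the next test buffer before returning; that looks harmless but differs from the non-test build and is worth a sentence in the same comment. The enclosing reassemble() continues past the hunk on both sides.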
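Review bot: The new guard `offset+len > total` is evaluated in unsigned arithmetic, so a pair of large `offset`/`len` values can wrap to a small sum and pass the check even though the slice lies outside the `total` bytes the rest of this function presumably copies into; since the point of this commit is to survive bad reassemble parameters in release builds rather than assert on them, the condition should be wrap-free: `if (total > MAX_OCTETS || offset > total || len > total - offset)`. That keeps the `total <= MAX_OCTETS` meaning of the removed assert and is equivalent to the old `offset+len <= total` whenever no overflow occurs. Minor style point on the same line: `if ( total` carries a stray space after the parenthesis that the surrounding code does not use. implement_reassemble's signature starts before the hunk and its body continues after it.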