From: Mike Stepanek (mstepane) Date: Thu, 26 Mar 2020 14:57:55 +0000 (+0000) Subject: Merge pull request #2105 in SNORT/snort3 from ~THOPETER/snort3:nhttp137 to master X-Git-Tag: 3.0.1-1~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=297d9f8e1cafb7a9836ed84471b17131d9ace634;p=thirdparty%2Fsnort3.git Merge pull request #2105 in SNORT/snort3 from ~THOPETER/snort3:nhttp137 to master Squashed commit of the following: commit f813962863f8f35615109ccea129f68499903e00 Author: Tom Peters Date: Tue Mar 24 13:33:49 2020 -0400 http_inspect: eliminate empty body sections for missing message bodies --- diff --git a/src/service_inspectors/http_inspect/http_msg_head_shared.cc b/src/service_inspectors/http_inspect/http_msg_head_shared.cc index 138a5d9be..4a9f1abfa 100644 --- a/src/service_inspectors/http_inspect/http_msg_head_shared.cc +++ b/src/service_inspectors/http_inspect/http_msg_head_shared.cc @@ -86,9 +86,14 @@ void HttpMsgHeadShared::parse_header_block() int32_t bytes_used = 0; num_headers = 0; int32_t num_seps; - // session_data->num_head_lines is computed without consideration of wrapping and may overstate - // actual number of headers. Rely on num_headers which is calculated correctly. + + // The number of header lines in a message may be zero header_line = new Field[session_data->num_head_lines[source_id]]; + + // session_data->num_head_lines is computed by HttpStreamSplitter without consideration of + // wrapping and may occasionally overstate the actual number of headers. That was OK for + // allocating space for the header_line array, but henceforth rely on num_headers which is + // calculated correctly. while (bytes_used < msg_text.length()) { assert(num_headers < session_data->num_head_lines[source_id]); diff --git a/src/service_inspectors/http_inspect/http_stream_splitter_finish.cc b/src/service_inspectors/http_inspect/http_stream_splitter_finish.cc index 702775cdc..1e36d4f33 100644 --- a/src/service_inspectors/http_inspect/http_stream_splitter_finish.cc +++ b/src/service_inspectors/http_inspect/http_stream_splitter_finish.cc @@ -102,23 +102,16 @@ bool HttpStreamSplitter::finish(Flow* flow) return true; } - // FIXIT-H No longer necessary to send an empty body section because the header section is - // always forwarded to detection. - // If the message has been truncated immediately following the start line or immediately - // following the headers (a body was expected) then we need to process an empty section to - // provide an inspection section. Otherwise the start line and headers won't go through - // detection. - if (((session_data->type_expected[source_id] == SEC_HEADER) || - (session_data->type_expected[source_id] == SEC_BODY_CL) || - (session_data->type_expected[source_id] == SEC_BODY_CHUNK) || - (session_data->type_expected[source_id] == SEC_BODY_OLD)) && + // If the message has been truncated immediately following the start line then we need to + // process an empty header section to provide an inspection section. Otherwise the start line + // won't go through detection. + if ((session_data->type_expected[source_id] == SEC_HEADER) && (session_data->cutter[source_id] == nullptr) && (session_data->section_type[source_id] == SEC__NOT_COMPUTE)) { - // Set up to process empty message section + // Set up to process empty header section uint32_t not_used; - prepare_flush(session_data, ¬_used, session_data->type_expected[source_id], 0, 0, 0, - false, 0, 0); + prepare_flush(session_data, ¬_used, SEC_HEADER, 0, 0, 0, false, 0, 0); return true; }