From: Adrian Mamolea (admamole) <admamole@cisco.com>
Date: Mon, 11 Sep 2023 14:54:09 +0000 (+0000)
Subject: Pull request #3991: http2_inspect: fix http2 frame length for logging
X-Git-Tag: 3.1.71.0~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=30f5938f0e6ab63ae2b9a5fe71b1d584ea28a7fb;p=thirdparty%2Fsnort3.git

Pull request #3991: http2_inspect: fix http2 frame length for logging

Merge in SNORT/snort3 from ~ADMAMOLE/snort3:fix_len to master

Squashed commit of the following:

commit fede0d17affda64ac54930a0f9c605ad5e1d7ef5
Author: Adrian Mamolea <admamole@cisco.com>
Date:   Fri Sep 8 11:14:28 2023 -0400

    http2_inspect: fix http2 frame length for logging
---

diff --git a/src/service_inspectors/http2_inspect/http2_frame.cc b/src/service_inspectors/http2_inspect/http2_frame.cc
index 813a27316..227148137 100644
--- a/src/service_inspectors/http2_inspect/http2_frame.cc
+++ b/src/service_inspectors/http2_inspect/http2_frame.cc
@@ -171,6 +171,11 @@ const uint8_t* Http2Frame::get_frame_pdu(uint16_t& length) const
     memcpy(pdu, header.start(), hlen);
     if (dlen)
         memcpy(&pdu[hlen], data, dlen);
+
+    pdu[0] = (dlen >> 16) & 0xff;
+    pdu[1] = (dlen >> 8) & 0xff;
+    pdu[2] = dlen & 0xff;
+
     return pdu;
 }
 
diff --git a/src/service_inspectors/http2_inspect/http2_inspect.cc b/src/service_inspectors/http2_inspect/http2_inspect.cc
index feed041f1..46e1f5fad 100644
--- a/src/service_inspectors/http2_inspect/http2_inspect.cc
+++ b/src/service_inspectors/http2_inspect/http2_inspect.cc
@@ -215,7 +215,7 @@ static void print_flow_issues(FILE* output, Http2Infractions* const infractions,
 }
 #endif
 
-const uint8_t* Http2Inspect::adjust_log_packet(Packet* p, uint16_t& length)
+static const uint8_t* get_frame_pdu(Packet* p, uint16_t& length)
 {
     auto* const session_data = (Http2FlowData*)p->flow->get_flow_data(Http2FlowData::inspector_id);
     if (!session_data)
@@ -231,3 +231,21 @@ const uint8_t* Http2Inspect::adjust_log_packet(Packet* p, uint16_t& length)
 
     return frame->get_frame_pdu(length);
 }
+
+const uint8_t* Http2Inspect::adjust_log_packet(Packet* p, uint16_t& length)
+{
+    const uint8_t* pdu = get_frame_pdu(p, length);
+    if (pdu or !p->has_parent())
+        return pdu;
+
+    // for rebuilt packet w/o frame fall back to wire packet
+    Packet* wire_packet = DetectionEngine::get_current_wire_packet();
+    if (!wire_packet or !wire_packet->data or !wire_packet->dsize)
+        return nullptr;
+
+    uint8_t* wire_pdu = new uint8_t[wire_packet->dsize];
+    memcpy(wire_pdu, wire_packet->data, wire_packet->dsize);
+    length = wire_packet->dsize;
+
+    return wire_pdu;
+}