From: Victor Julien
Date: Fri, 10 Feb 2012 13:28:50 +0000 (+0100)
Subject: Support FNAME and FCOMMENT extensions in gzip'd http content.
X-Git-Tag: suricata-1.3beta2~23
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=40cda7e14942f999d6aeda62b0c90040224f900f;p=thirdparty%2Fsuricata.git
Support FNAME and FCOMMENT extensions in gzip'd http content.
---
diff --git a/libhtp/htp/htp_decompressors.c b/libhtp/htp/htp_decompressors.c
index bf206867a2..173bfc6c7d 100644
--- a/libhtp/htp/htp_decompressors.c
+++ b/libhtp/htp/htp_decompressors.c
@@ -41,15 +41,27 @@ static int htp_gzip_decompressor_decompress(htp_decompressor_gzip_t *drec, htp_t
 return -1;
 }
- if (d->data[3] != 0) {
+ if (d->data[3] == 0) {
+ drec->initialized = 1;
+ consumed = 10;
+ } else if (d->data[3] & (1 << 3) || d->data[3] & (1 << 4)) {
+ /* skip past
+ * - FNAME extension, which is a name ended in a NUL terminator
+ * or
+ * - FCOMMENT extension, which is a commend ended in a NULL terminator
+ */
+
+ size_t len;
+ for (len = 10; len < d->len && d->data[len] != '\0'; len++);
+
+ drec->initialized = 1;
+ consumed = len + 1;
+ } else {
 htp_log(d->tx->connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "GZip decompressor: Unable to handle flags: %d", d->data[3]);
 drec->initialized = -1;
 return -1;
 }
-
- drec->initialized = 1;
- consumed = 10;
 } else {
 // We do not (or did not) have enough bytes, so we have
 // to copy some data into our internal header buffer.
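Review bot: The skip loop in the new `else if` branch can leave `consumed` one past the end of the input: when no NUL byte occurs before `d->len`, the loop exits with `len == d->len` and `consumed = len + 1` exceeds what this call received. The code that uses `consumed` lies outside the hunk, so the effect is inferred, but a `d->len - consumed` computed there would wrap and give the inflate step a length far beyond the buffer, and these header bytes are supplied by the remote server. The branch also skips only one string when both FNAME and FCOMMENT are set, and it is taken when other flag bits (FHCRC, FEXTRA) accompany them, in which case the header carries fields this code does not skip. The sketch below accepts only the two handled flags, skips one string per flag, and never advances past `d->len`; buffering until the terminator arrives would be the alternative to failing.

```c
} else if ((d->data[3] & ~((1 << 3) | (1 << 4))) == 0) {
    /* Only FNAME and/or FCOMMENT set: skip one NUL-terminated string per flag. */
    size_t len = 10;
    int pending = ((d->data[3] >> 3) & 1) + ((d->data[3] >> 4) & 1);

    while (pending > 0 && len < d->len) {
        if (d->data[len++] == '\0') pending--;
    }

    if (pending != 0) {
        /* Terminator not in this chunk: do not advance past d->len. */
        drec->initialized = -1;
        return -1;
    }

    drec->initialized = 1;
    consumed = len;
/* … unchanged: final else branch that logs the unsupported flags … */
```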