From: Victor Julien <victor@inliniac.net>
Date: Thu, 6 Aug 2020 18:49:56 +0000 (+0200)
Subject: detect/http2: fix header inspection
X-Git-Tag: suricata-6.0.0-beta1~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4aa80ac7f684bcc7fc357499bc4af7bfe1b38c71;p=thirdparty%2Fsuricata.git

detect/http2: fix header inspection

Header inspection was overwriting data that was still being
referenced by the detect engine, leading to ASAN issues.
---

diff --git a/rust/src/http2/detect.rs b/rust/src/http2/detect.rs
index 28f100ddf5..f2ff45ebbb 100644
--- a/rust/src/http2/detect.rs
+++ b/rust/src/http2/detect.rs
@@ -507,8 +507,10 @@ pub unsafe extern "C" fn rs_http2_tx_get_header(
             match &tx.frames_ts[i].data {
                 HTTP2FrameTypeData::HEADERS(hd) => {
                     if nb < pos + hd.blocks.len() as u32 {
-                        tx.escaped_tmp = http2_escape_header(&hd, nb - pos);
-                        let value = &tx.escaped_tmp;
+                        let ehdr = http2_escape_header(&hd, nb - pos);
+                        tx.escaped.push(ehdr);
+                        let idx = tx.escaped.len() - 1;
+                        let value = &tx.escaped[idx];
                         *buffer = value.as_ptr(); //unsafe
                         *buffer_len = value.len() as u32;
                         return 1;
@@ -524,8 +526,10 @@ pub unsafe extern "C" fn rs_http2_tx_get_header(
             match &tx.frames_tc[i].data {
                 HTTP2FrameTypeData::HEADERS(hd) => {
                     if nb < pos + hd.blocks.len() as u32 {
-                        tx.escaped_tmp = http2_escape_header(&hd, nb - pos);
-                        let value = &tx.escaped_tmp;
+                        let ehdr = http2_escape_header(&hd, nb - pos);
+                        tx.escaped.push(ehdr);
+                        let idx = tx.escaped.len() - 1;
+                        let value = &tx.escaped[idx];
                         *buffer = value.as_ptr(); //unsafe
                         *buffer_len = value.len() as u32;
                         return 1;
diff --git a/rust/src/http2/http2.rs b/rust/src/http2/http2.rs
index 3bf4893d5a..f85a9fda3d 100644
--- a/rust/src/http2/http2.rs
+++ b/rust/src/http2/http2.rs
@@ -131,7 +131,7 @@ pub struct HTTP2Transaction {
 
     //temporary escaped header for detection
     //must be attached to transaction for memory management (be freed at the right time)
-    pub escaped_tmp: Vec<u8>,
+    pub escaped: Vec<Vec<u8>>,
 }
 
 impl HTTP2Transaction {
@@ -147,7 +147,7 @@ impl HTTP2Transaction {
             events: std::ptr::null_mut(),
             tx_data: AppLayerTxData::new(),
             ft: FileTransferTracker::new(),
-            escaped_tmp: Vec::new(),
+            escaped: Vec::with_capacity(16),
         }
     }