From: Tom Peters (thopeter) Date: Wed, 24 Mar 2021 17:29:48 +0000 (+0000) Subject: Merge pull request #2799 in SNORT/snort3 from ~NIHDESAI/snort3:h2_uppercase_check... X-Git-Tag: 3.1.3.0~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=516b36c3a3e4074e557662f6abd8faadc1edcde5;p=thirdparty%2Fsnort3.git Merge pull request #2799 in SNORT/snort3 from ~NIHDESAI/snort3:h2_uppercase_check to master Squashed commit of the following: commit a0a75674bd8dd314db8551a187375ab5fbb3bc50 Author: Nihal Desai Date: Fri Mar 12 01:28:56 2021 -0500 http2_inspect: alert on uppercase header name encoded in HPACK
---
diff --git a/src/service_inspectors/http2_inspect/http2_enum.h b/src/service_inspectors/http2_inspect/http2_enum.h
index 0757095d4..ec875c80d 100644
--- a/src/service_inspectors/http2_inspect/http2_enum.h
+++ b/src/service_inspectors/http2_inspect/http2_enum.h
@@ -84,6 +84,7 @@ enum EventSid
 EVENT_TOO_MANY_STREAMS = 27,
 EVENT_INVALID_RST_STREAM_FRAME = 28,
 EVENT_BAD_RST_STREAM_SEQUENCE = 29,
+ EVENT_HEADER_UPPERCASE = 30,
 EVENT__MAX_VALUE
 };
@@ -136,6 +137,7 @@ enum Infraction
 INF_TOO_MANY_STREAMS = 42,
 INF_INVALID_RST_STREAM_FRAME = 43,
 INF_BAD_RST_STREAM_SEQUENCE = 44,
+ INF_HEADER_UPPERCASE = 45,
 INF__MAX_VALUE
 };
diff --git a/src/service_inspectors/http2_inspect/http2_hpack.cc b/src/service_inspectors/http2_inspect/http2_hpack.cc
index 5f15828a9..465dea175 100644
--- a/src/service_inspectors/http2_inspect/http2_hpack.cc
+++ b/src/service_inspectors/http2_inspect/http2_hpack.cc
@@ -149,6 +149,17 @@ bool Http2HpackDecoder::decode_literal_header_line(const uint8_t* encoded_header
 bytes_consumed, partial_bytes_consumed, decoded_header_buffer, decoded_header_length, partial_bytes_written, name)) return false;
+
+ const uint8_t* buff = name.start();
+ for (int i = 0; i < name.length(); i++)
+ {
+ if (buff[i] >= 'A' and buff[i] <= 'Z')
+ {
+ *infractions += INF_HEADER_UPPERCASE;
+ events->create_event(EVENT_HEADER_UPPERCASE);
+ break;
+ }
+ }
 }
 bytes_consumed += partial_bytes_consumed;
 bytes_written += partial_bytes_written;
diff --git a/src/service_inspectors/http2_inspect/http2_tables.cc b/src/service_inspectors/http2_inspect/http2_tables.cc
index 1ab80e7ef..947b89ff6 100644
--- a/src/service_inspectors/http2_inspect/http2_tables.cc
+++ b/src/service_inspectors/http2_inspect/http2_tables.cc
@@ -60,6 +60,7 @@ const RuleMap Http2Module::http2_events[] =
 { EVENT_TOO_MANY_STREAMS, "excessive concurrent HTTP/2 streams" },
 { EVENT_INVALID_RST_STREAM_FRAME, "invalid HTTP/2 rst stream frame" },
 { EVENT_BAD_RST_STREAM_SEQUENCE, "HTTP/2 rst stream frame sent at invalid time" },
+ { EVENT_HEADER_UPPERCASE, "uppercase HTTP/2 header field name" },
 { 0, nullptr }
 };
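Review bot: The uppercase scan added after the string-literal decode in `Http2HpackDecoder::decode_literal_header_line` (http2_hpack.cc) has no comment saying why an uppercase byte in a field name is an infraction, so a reader cannot tell a protocol rule from a heuristic. A one-line comment above the loop would do, for example `// RFC 7540 8.1.2: field names must be lowercase in HTTP/2; an uppercase name makes the message malformed`. The check also appears to sit only on the branch that decodes the name as a string literal, so a name reused later by table index would presumably not raise `EVENT_HEADER_UPPERCASE` again; if one alert at first insertion is the intent, the comment should say so. The function body starts and ends outside this hunk, so the indexed-name path is not visible here.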