From: Tom Peters (thopeter) Date: Tue, 27 Apr 2021 20:54:52 +0000 (+0000) Subject: Merge pull request #2852 in SNORT/snort3 from ~MDAGON/snort3:stream_limit to master X-Git-Tag: 3.1.5.0~25 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=61b8467928d04c28afb79da862776e0548291482;p=thirdparty%2Fsnort3.git Merge pull request #2852 in SNORT/snort3 from ~MDAGON/snort3:stream_limit to master Squashed commit of the following: commit 68169e41ce122a7368f076755edf7c1dc854d789 Author: Maya Dagon Date: Fri Apr 16 16:39:05 2021 -0400 http2_inspect: concurrent streams limit is configurable --- diff --git a/src/payload_injector/payload_injector_translate_page.cc b/src/payload_injector/payload_injector_translate_page.cc index f206a7d21..9f4ae05c6 100644 --- a/src/payload_injector/payload_injector_translate_page.cc +++ b/src/payload_injector/payload_injector_translate_page.cc @@ -292,7 +292,7 @@ InjectionReturnStatus PayloadInjector::get_http2_payload(InjectionControl contro memcpy(http2_payload_cur, empty_settings_frame, sizeof(empty_settings_frame)); http2_payload_cur += sizeof(empty_settings_frame); } - write_frame_hdr(http2_payload_cur, hdr_len, FT_HEADERS, END_HEADERS, control.stream_id); + write_frame_hdr(http2_payload_cur, hdr_len, FT_HEADERS, FLAG_END_HEADERS, control.stream_id); memcpy(http2_payload_cur, http2_hdr, hdr_len); http2_payload_cur += hdr_len; const uint8_t* http_body_cur = control.http_page + body_offset; @@ -300,7 +300,7 @@ InjectionReturnStatus PayloadInjector::get_http2_payload(InjectionControl contro { const uint32_t cur_len = (body_len > 1<<14) ? 1<<14 : body_len; body_len -= cur_len; - const uint8_t flags = (body_len == 0) ? END_STREAM : 0; + const uint8_t flags = (body_len == 0) ? FLAG_END_STREAM : 0; write_frame_hdr(http2_payload_cur, cur_len, FT_DATA, flags, control.stream_id); memcpy(http2_payload_cur, http_body_cur, cur_len); http2_payload_cur += cur_len; diff --git a/src/service_inspectors/http2_inspect/http2_data_cutter.cc b/src/service_inspectors/http2_inspect/http2_data_cutter.cc index bd04cadc1..6bba5d79e 100644 --- a/src/service_inspectors/http2_inspect/http2_data_cutter.cc +++ b/src/service_inspectors/http2_inspect/http2_data_cutter.cc @@ -48,7 +48,7 @@ StreamSplitter::Status Http2DataCutter::scan(const uint8_t* data, uint32_t lengt session_data->padding_length[source_id]; data_bytes_read = 0; - if (frame_flags & PADDED) + if (frame_flags & FLAG_PADDED) { data_len -= 1; frame_bytes_seen += 1; @@ -75,7 +75,7 @@ StreamSplitter::Status Http2DataCutter::scan(const uint8_t* data, uint32_t lengt Http2DummyPacket dummy_pkt; dummy_pkt.flow = session_data->flow; uint32_t unused = 0; - if ((data_bytes_read == data_len) && (frame_flags & END_STREAM)) + if ((data_bytes_read == data_len) && (frame_flags & FLAG_END_STREAM)) { Http2Stream* const stream = session_data->find_stream(session_data->current_stream[source_id]); @@ -110,7 +110,7 @@ StreamSplitter::Status Http2DataCutter::scan(const uint8_t* data, uint32_t lengt session_data->scan_state[source_id] = SCAN_FRAME_HEADER; frame_bytes_seen = 0; - if (frame_flags & END_STREAM) + if (frame_flags & FLAG_END_STREAM) { Http2Stream* const stream = session_data->find_stream( session_data->current_stream[source_id]); @@ -171,13 +171,13 @@ void Http2DataCutter::reassemble(const uint8_t* data, unsigned len) const uint8_t frame_flags = get_frame_flags(session_data->lead_frame_header[source_id]); cur_data_offset = cur_pos; - if (frame_flags & PADDED) + if (frame_flags & FLAG_PADDED) reassemble_state = GET_PADDING_LEN; else if (reassemble_data_len > 0) reassemble_state = SEND_DATA; else { - assert(frame_flags & END_STREAM); + assert(frame_flags & FLAG_END_STREAM); reassemble_state = SEND_EMPTY_DATA; } } @@ -193,7 +193,7 @@ void Http2DataCutter::reassemble(const uint8_t* data, unsigned len) reassemble_state = SEND_DATA; else { - assert(get_frame_flags(session_data->lead_frame_header[source_id]) & END_STREAM); + assert(get_frame_flags(session_data->lead_frame_header[source_id]) & FLAG_END_STREAM); reassemble_state = SEND_EMPTY_DATA; } break; diff --git a/src/service_inspectors/http2_inspect/http2_data_frame.cc b/src/service_inspectors/http2_inspect/http2_data_frame.cc index 0307cdc5a..3c6351a42 100644 --- a/src/service_inspectors/http2_inspect/http2_data_frame.cc +++ b/src/service_inspectors/http2_inspect/http2_data_frame.cc @@ -105,7 +105,7 @@ void Http2DataFrame::update_stream_state() } } -uint8_t Http2DataFrame::get_flags_mask() const { return (END_STREAM|PADDED); } +uint8_t Http2DataFrame::get_flags_mask() const { return (FLAG_END_STREAM|FLAG_PADDED); } #ifdef REG_TEST void Http2DataFrame::print_frame(FILE* output) diff --git a/src/service_inspectors/http2_inspect/http2_enum.h b/src/service_inspectors/http2_inspect/http2_enum.h index d3d525c9e..2596e8565 100644 --- a/src/service_inspectors/http2_inspect/http2_enum.h +++ b/src/service_inspectors/http2_inspect/http2_enum.h @@ -28,7 +28,6 @@ static const int MAX_OCTETS = 63780; static const int DATA_SECTION_SIZE = 16384; static const int FRAME_HEADER_LENGTH = 9; static const uint32_t NO_STREAM_ID = 0xFFFFFFFF; -static const uint32_t CONCURRENT_STREAMS_LIMIT = 100; // Perform memory allocation and deallocation tracking for Http2Stream objects in increments of 25 static const uint32_t STREAM_MEMORY_TRACKING_INCREMENT = 25; @@ -146,22 +145,22 @@ enum Infraction enum HeaderFrameFlags { - ACK = 0x1, - END_STREAM = 0x1, - END_HEADERS = 0x4, - PADDED = 0x8, - PRIORITY = 0x20, - NO_HEADER = 0x80, //No valid flags use this bit + FLAG_ACK = 0x1, + FLAG_END_STREAM = 0x1, + FLAG_END_HEADERS = 0x4, + FLAG_PADDED = 0x8, + FLAG_PRIORITY = 0x20, + FLAG_NO_HEADER = 0x80, //No valid flags use this bit }; enum SettingsFrameIds { - HEADER_TABLE_SIZE = 1, - ENABLE_PUSH, - MAX_CONCURRENT_STREAMS, - INITIAL_WINDOW_SIZE, - MAX_FRAME_SIZE, - MAX_HEADER_LIST_SIZE, + SFID_HEADER_TABLE_SIZE = 1, + SFID_ENABLE_PUSH, + SFID_MAX_CONCURRENT_STREAMS, + SFID_INITIAL_WINDOW_SIZE, + SFID_MAX_FRAME_SIZE, + SFID_MAX_HEADER_LIST_SIZE, }; enum ScanState { SCAN_FRAME_HEADER, SCAN_PADDING_LENGTH, SCAN_DATA, SCAN_EMPTY_DATA }; diff --git a/src/service_inspectors/http2_inspect/http2_flow_data.cc b/src/service_inspectors/http2_inspect/http2_flow_data.cc index 6dc60a2d6..c9264b344 100644 --- a/src/service_inspectors/http2_inspect/http2_flow_data.cc +++ b/src/service_inspectors/http2_inspect/http2_flow_data.cc @@ -155,12 +155,13 @@ Http2Stream* Http2FlowData::find_stream(const uint32_t key) const return nullptr; } -Http2Stream* Http2FlowData::get_stream(const uint32_t key, const SourceId source_id) +Http2Stream* Http2FlowData::get_processing_stream(const SourceId source_id, uint32_t concurrent_streams_limit) { + const uint32_t key = processing_stream_id; class Http2Stream* stream = find_stream(key); if (!stream) { - if (concurrent_streams >= CONCURRENT_STREAMS_LIMIT) + if (concurrent_streams >= concurrent_streams_limit) { *infractions[source_id] += INF_TOO_MANY_STREAMS; events[source_id]->create_event(EVENT_TOO_MANY_STREAMS); @@ -253,11 +254,6 @@ Http2Stream* Http2FlowData::find_processing_stream() const return find_stream(get_processing_stream_id()); } -Http2Stream* Http2FlowData::get_processing_stream(const SourceId source_id) -{ - return get_stream(get_processing_stream_id(), source_id); -} - uint32_t Http2FlowData::get_processing_stream_id() const { return processing_stream_id; diff --git a/src/service_inspectors/http2_inspect/http2_flow_data.h b/src/service_inspectors/http2_inspect/http2_flow_data.h index f37ae3461..cb53000cb 100644 --- a/src/service_inspectors/http2_inspect/http2_flow_data.h +++ b/src/service_inspectors/http2_inspect/http2_flow_data.h @@ -87,7 +87,7 @@ public: Http2Stream* find_current_stream(const HttpCommon::SourceId source_id) const; uint32_t get_current_stream_id(const HttpCommon::SourceId source_id) const; - Http2Stream* get_processing_stream(const HttpCommon::SourceId source_id); + Http2Stream* get_processing_stream(const HttpCommon::SourceId source_id, uint32_t concurrent_streams_limit); Http2Stream* find_processing_stream() const; uint32_t get_processing_stream_id() const; void set_processing_stream_id(const HttpCommon::SourceId source_id); @@ -197,7 +197,6 @@ protected: #endif private: - Http2Stream* get_stream(const uint32_t key, const HttpCommon::SourceId source_id); Http2Stream* get_hi_stream() const; Http2Stream* find_stream(const uint32_t key) const; void delete_processing_stream(); diff --git a/src/service_inspectors/http2_inspect/http2_headers_frame.cc b/src/service_inspectors/http2_inspect/http2_headers_frame.cc index 822c4bc93..2de30bf67 100644 --- a/src/service_inspectors/http2_inspect/http2_headers_frame.cc +++ b/src/service_inspectors/http2_inspect/http2_headers_frame.cc @@ -46,7 +46,7 @@ Http2HeadersFrame::Http2HeadersFrame(const uint8_t* header_buffer, const uint32_ Http2Frame(header_buffer, header_len, data_buffer, data_len, session_data_, source_id_, stream_) { // Remove stream dependency if present - if (get_flags() & PRIORITY) + if (get_flags() & FLAG_PRIORITY) hpack_headers_offset = 5; // Set up HPACK decoding @@ -152,7 +152,7 @@ const Field& Http2HeadersFrame::get_buf(unsigned id) } uint8_t Http2HeadersFrame::get_flags_mask() const -{ return (END_STREAM|END_HEADERS|PADDED|PRIORITY); } +{ return (FLAG_END_STREAM|FLAG_END_HEADERS|FLAG_PADDED|FLAG_PRIORITY); } #ifdef REG_TEST void Http2HeadersFrame::print_frame(FILE* output) diff --git a/src/service_inspectors/http2_inspect/http2_headers_frame_header.cc b/src/service_inspectors/http2_inspect/http2_headers_frame_header.cc index d065d2df3..93aa15dcc 100644 --- a/src/service_inspectors/http2_inspect/http2_headers_frame_header.cc +++ b/src/service_inspectors/http2_inspect/http2_headers_frame_header.cc @@ -87,7 +87,7 @@ void Http2HeadersFrameHeader::analyze_http1() return; // if END_STREAM flag set on headers, tell http_inspect not to expect a message body - if (get_flags() & END_STREAM) + if (get_flags() & FLAG_END_STREAM) stream->get_hi_flow_data()->finish_h2_body(source_id, HttpEnums::H2_BODY_NO_BODY, false); process_decoded_headers(http_flow, source_id); @@ -97,7 +97,7 @@ void Http2HeadersFrameHeader::update_stream_state() { if (stream->get_state(source_id) == STREAM_ERROR) return; - if (get_flags() & END_STREAM) + if (get_flags() & FLAG_END_STREAM) stream->set_state(source_id, STREAM_COMPLETE); else stream->set_state(source_id, STREAM_EXPECT_BODY); diff --git a/src/service_inspectors/http2_inspect/http2_headers_frame_trailer.cc b/src/service_inspectors/http2_inspect/http2_headers_frame_trailer.cc index feabcd82a..3cd3ee3ab 100644 --- a/src/service_inspectors/http2_inspect/http2_headers_frame_trailer.cc +++ b/src/service_inspectors/http2_inspect/http2_headers_frame_trailer.cc @@ -48,7 +48,7 @@ Http2HeadersFrameTrailer::Http2HeadersFrameTrailer(const uint8_t* header_buffer, if (!process_frame) return; - if (!(get_flags() & END_STREAM)) + if (!(get_flags() & FLAG_END_STREAM)) { // Trailers without END_STREAM flag set. *session_data->infractions[source_id] += INF_TRAILERS_NOT_END; diff --git a/src/service_inspectors/http2_inspect/http2_hpack_table.cc b/src/service_inspectors/http2_inspect/http2_hpack_table.cc index 685045784..d23f4e727 100644 --- a/src/service_inspectors/http2_inspect/http2_hpack_table.cc +++ b/src/service_inspectors/http2_inspect/http2_hpack_table.cc @@ -139,7 +139,7 @@ bool HpackIndexTable::hpack_table_size_update(uint32_t new_size) { encoder_set_max_size = true; if (new_size <= session_data->get_recipient_connection_settings(source_id)-> - get_param(HEADER_TABLE_SIZE)) + get_param(SFID_HEADER_TABLE_SIZE)) { dynamic_table.update_size(new_size); return true; diff --git a/src/service_inspectors/http2_inspect/http2_inspect.cc b/src/service_inspectors/http2_inspect/http2_inspect.cc index 8aae1327f..cec10f32a 100644 --- a/src/service_inspectors/http2_inspect/http2_inspect.cc +++ b/src/service_inspectors/http2_inspect/http2_inspect.cc @@ -129,7 +129,7 @@ void Http2Inspect::eval(Packet* p) } session_data->set_processing_stream_id(source_id); - Http2Stream* stream = session_data->get_processing_stream(source_id); + Http2Stream* stream = session_data->get_processing_stream(source_id, params->concurrent_streams_limit); if (!stream) { delete[] session_data->frame_data[source_id]; @@ -202,6 +202,12 @@ void Http2Inspect::clear(Packet* p) session_data->processing_partial_header = false; } +void Http2Inspect::show(const SnortConfig*) const +{ + assert(params); + ConfigLogger::log_value("concurrent_streams_limit", params->concurrent_streams_limit); +} + #ifdef REG_TEST static void print_flow_issues(FILE* output, Http2Infractions* const infractions, Http2EventGen* const events) diff --git a/src/service_inspectors/http2_inspect/http2_inspect.h b/src/service_inspectors/http2_inspect/http2_inspect.h index 1cdbb1bb1..8a9c74a3c 100644 --- a/src/service_inspectors/http2_inspect/http2_inspect.h +++ b/src/service_inspectors/http2_inspect/http2_inspect.h @@ -45,6 +45,7 @@ public: bool get_fp_buf(snort::InspectionBuffer::Type ibt, snort::Packet* p, snort::InspectionBuffer& b) override; bool configure(snort::SnortConfig*) override; + void show(const snort::SnortConfig*) const override; void eval(snort::Packet* p) override; void clear(snort::Packet* p) override; diff --git a/src/service_inspectors/http2_inspect/http2_module.cc b/src/service_inspectors/http2_inspect/http2_module.cc index 37d70cd87..299cfe407 100644 --- a/src/service_inspectors/http2_inspect/http2_module.cc +++ b/src/service_inspectors/http2_inspect/http2_module.cc @@ -28,6 +28,8 @@ using namespace Http2Enums; const Parameter Http2Module::http2_params[] = { + { "concurrent_streams_limit", Parameter::PT_INT, "100:1000", "100", + "Maximum number of concurrent streams allowed in a single HTTP/2 flow" }, #ifdef REG_TEST { "test_input", Parameter::PT_BOOL, nullptr, "false", "read HTTP/2 messages from text file" }, @@ -67,8 +69,12 @@ bool Http2Module::begin(const char*, int, SnortConfig*) bool Http2Module::set(const char*, Value& val, SnortConfig*) { + if (val.is("concurrent_streams_limit")) + { + params->concurrent_streams_limit = val.get_uint32(); + } #ifdef REG_TEST - if (val.is("test_input")) + else if (val.is("test_input")) { params->test_input = val.get_bool(); } @@ -92,15 +98,12 @@ bool Http2Module::set(const char*, Value& val, SnortConfig*) { params->show_scan = val.get_bool(); } +#endif else { return false; } return true; -#else - UNUSED(val); - return false; -#endif } bool Http2Module::end(const char*, int, SnortConfig*) diff --git a/src/service_inspectors/http2_inspect/http2_module.h b/src/service_inspectors/http2_inspect/http2_module.h index e73387ce7..20e01ad18 100644 --- a/src/service_inspectors/http2_inspect/http2_module.h +++ b/src/service_inspectors/http2_inspect/http2_module.h @@ -34,6 +34,7 @@ struct Http2ParaList { public: + uint32_t concurrent_streams_limit; #ifdef REG_TEST int64_t print_amount; diff --git a/src/service_inspectors/http2_inspect/http2_ping_frame.h b/src/service_inspectors/http2_inspect/http2_ping_frame.h index 5b5a5eb18..0932b6025 100644 --- a/src/service_inspectors/http2_inspect/http2_ping_frame.h +++ b/src/service_inspectors/http2_inspect/http2_ping_frame.h @@ -38,7 +38,7 @@ private: Http2Frame(header_buffer, header_len, data_buffer, data_len, ssn_data, src_id, _stream) { } uint8_t get_flags_mask() const override - { return Http2Enums::ACK; } + { return Http2Enums::FLAG_ACK; } }; #endif diff --git a/src/service_inspectors/http2_inspect/http2_push_promise_frame.cc b/src/service_inspectors/http2_inspect/http2_push_promise_frame.cc index 53cc5a5b4..171bc6e29 100644 --- a/src/service_inspectors/http2_inspect/http2_push_promise_frame.cc +++ b/src/service_inspectors/http2_inspect/http2_push_promise_frame.cc @@ -54,7 +54,7 @@ Http2PushPromiseFrame::Http2PushPromiseFrame(const uint8_t* header_buffer, session_data->events[source_id]->create_event(EVENT_INVALID_STREAM_ID); } - if (session_data->get_recipient_connection_settings(source_id)->get_param(ENABLE_PUSH) == 0) + if (session_data->get_recipient_connection_settings(source_id)->get_param(SFID_ENABLE_PUSH) == 0) { session_data->events[source_id]->create_event(EVENT_PUSH_WHEN_PROHIBITED); *session_data->infractions[source_id] += INF_PUSH_WHEN_PROHIBITED; @@ -157,7 +157,7 @@ uint32_t Http2PushPromiseFrame::get_promised_stream_id(Http2EventGen* const even } uint8_t Http2PushPromiseFrame::get_flags_mask() const -{ return (END_HEADERS|PADDED); } +{ return (FLAG_END_HEADERS|FLAG_PADDED); } #ifdef REG_TEST void Http2PushPromiseFrame::print_frame(FILE* output) diff --git a/src/service_inspectors/http2_inspect/http2_settings_frame.cc b/src/service_inspectors/http2_inspect/http2_settings_frame.cc index 6dc9b3f98..5bca2409a 100644 --- a/src/service_inspectors/http2_inspect/http2_settings_frame.cc +++ b/src/service_inspectors/http2_inspect/http2_settings_frame.cc @@ -58,7 +58,7 @@ Http2SettingsFrame::Http2SettingsFrame(const uint8_t* header_buffer, const uint3 return; } - if (ACK & get_flags()) + if (FLAG_ACK & get_flags()) return; if (src_id == HttpCommon::SRC_SERVER && !ssn_data->was_server_settings_received()) @@ -78,7 +78,7 @@ void Http2SettingsFrame::parse_settings_frame() data_pos += SfSize; - if (parameter_id < HEADER_TABLE_SIZE or parameter_id > MAX_HEADER_LIST_SIZE) + if (parameter_id < SFID_HEADER_TABLE_SIZE or parameter_id > SFID_MAX_HEADER_LIST_SIZE) { session_data->events[source_id]->create_event(EVENT_SETTINGS_FRAME_UNKN_PARAM); *session_data->infractions[source_id] += INF_SETTINGS_FRAME_UNKN_PARAM; @@ -92,7 +92,7 @@ void Http2SettingsFrame::parse_settings_frame() bool Http2SettingsFrame::sanity_check() { - const bool ack = ACK & get_flags(); + const bool ack = FLAG_ACK & get_flags(); // FIXIT-E this next check should possibly be moved to valid_sequence() if (get_stream_id() != 0) @@ -107,13 +107,13 @@ bool Http2SettingsFrame::handle_update(uint16_t id, uint32_t value) { switch (id) { - case HEADER_TABLE_SIZE: + case SFID_HEADER_TABLE_SIZE: // Sending a table size parameter informs the receiver the maximum hpack dynamic // table size they may use. session_data->get_hpack_decoder((HttpCommon::SourceId) (1 - source_id))-> get_decode_table()->settings_table_size_update(value); break; - case ENABLE_PUSH: + case SFID_ENABLE_PUSH: // Only values of 0 or 1 are allowed if (!(value == 0 or value == 1)) { @@ -135,7 +135,7 @@ void Http2SettingsFrame::print_frame(FILE* output) if (bad_frame) fprintf(output, " Error in settings frame."); - else if (ACK & get_flags()) + else if (FLAG_ACK & get_flags()) fprintf(output, " ACK"); else fprintf(output, " Parameters in current frame - %d.", (data.length()/6)) ; @@ -147,16 +147,16 @@ void Http2SettingsFrame::print_frame(FILE* output) uint32_t Http2ConnectionSettings::get_param(uint16_t id) { - assert(id >= HEADER_TABLE_SIZE); - assert(id <= MAX_HEADER_LIST_SIZE); + assert(id >= SFID_HEADER_TABLE_SIZE); + assert(id <= SFID_MAX_HEADER_LIST_SIZE); return parameters[id - 1]; } void Http2ConnectionSettings::set_param(uint16_t id, uint32_t value) { - assert(id >= HEADER_TABLE_SIZE); - assert(id <= MAX_HEADER_LIST_SIZE); + assert(id >= SFID_HEADER_TABLE_SIZE); + assert(id <= SFID_MAX_HEADER_LIST_SIZE); parameters[id - 1] = value; } diff --git a/src/service_inspectors/http2_inspect/http2_settings_frame.h b/src/service_inspectors/http2_inspect/http2_settings_frame.h index 570ab1b80..83bb2d2bb 100644 --- a/src/service_inspectors/http2_inspect/http2_settings_frame.h +++ b/src/service_inspectors/http2_inspect/http2_settings_frame.h @@ -47,7 +47,7 @@ private: bool handle_update(uint16_t id, uint32_t value); uint8_t get_flags_mask() const override - { return Http2Enums::ACK; } + { return Http2Enums::FLAG_ACK; } bool bad_frame = false; }; diff --git a/src/service_inspectors/http2_inspect/http2_stream_splitter_impl.cc b/src/service_inspectors/http2_inspect/http2_stream_splitter_impl.cc index 8ef940c3a..5d6925b10 100644 --- a/src/service_inspectors/http2_inspect/http2_stream_splitter_impl.cc +++ b/src/service_inspectors/http2_inspect/http2_stream_splitter_impl.cc @@ -115,7 +115,7 @@ StreamSplitter::Status Http2StreamSplitter::non_data_scan(Http2FlowData* session StreamSplitter::Status status = StreamSplitter::FLUSH; session_data->continuation_expected[source_id] = false; if (((type == FT_HEADERS) || (type == FT_PUSH_PROMISE) || (type == FT_CONTINUATION)) && - !(frame_flags & END_HEADERS)) + !(frame_flags & FLAG_END_HEADERS)) { session_data->continuation_expected[source_id] = true; status = StreamSplitter::SEARCH; @@ -243,7 +243,7 @@ StreamSplitter::Status Http2StreamSplitter::implement_scan(Http2FlowData* sessio } // Do flags check for continuation frame, since it is not saved // as lead frame for later. - if ((frame_flags & END_HEADERS) != frame_flags) + if ((frame_flags & FLAG_END_HEADERS) != frame_flags) { *session_data->infractions[source_id] += INF_INVALID_FLAG; session_data->events[source_id]->create_event(EVENT_INVALID_FLAG); @@ -260,7 +260,7 @@ StreamSplitter::Status Http2StreamSplitter::implement_scan(Http2FlowData* sessio assert(session_data->scan_remaining_frame_octets[source_id] == 0); session_data->scan_remaining_frame_octets[source_id] = frame_length; - if ((frame_flags & PADDED) && + if ((frame_flags & FLAG_PADDED) && (type == FT_DATA || type == FT_HEADERS || type == FT_PUSH_PROMISE)) { if (frame_length == 0) @@ -432,7 +432,7 @@ const StreamBuffer Http2StreamSplitter::implement_reassemble(Http2FlowData* sess const uint8_t frame_flags = get_frame_flags(session_data->lead_frame_header[source_id]); const uint8_t type = session_data->frame_type[source_id]; - if ((frame_flags & PADDED) && !session_data->continuation_frame[source_id] && + if ((frame_flags & FLAG_PADDED) && !session_data->continuation_frame[source_id] && (type == FT_HEADERS || type == FT_PUSH_PROMISE)) session_data->read_padding_len[source_id] = true; diff --git a/src/service_inspectors/http2_inspect/http2_utils.cc b/src/service_inspectors/http2_inspect/http2_utils.cc index 4df42ccb2..aa641afc5 100644 --- a/src/service_inspectors/http2_inspect/http2_utils.cc +++ b/src/service_inspectors/http2_inspect/http2_utils.cc @@ -47,7 +47,7 @@ uint8_t get_frame_flags(const uint8_t* frame_header_buffer) if (frame_header_buffer) return frame_header_buffer[frame_flags_index]; else - return NO_HEADER; + return FLAG_NO_HEADER; } uint32_t get_stream_id_from_header(const uint8_t* frame_header_buffer)