From: Adrian Mamolea (admamole)
Date: Fri, 25 Aug 2023 18:08:48 +0000 (+0000)
Subject: Pull request #3967: http2_inspect: add frame when logging a packet
X-Git-Tag: 3.1.69.0~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=946ed5df129a8873084ad1436d579bbd833857ad;p=thirdparty%2Fsnort3.git
Pull request #3967: http2_inspect: add frame when logging a packet
Merge in SNORT/snort3 from ~ADMAMOLE/snort3:h2_pkt to master
Squashed commit of the following:
commit 6a79c665c90e29c2025376c56ee1be5ef6d49e68
Author: Adrian Mamolea
Date: Wed Aug 23 15:16:33 2023 -0400
http2_inspect: address comments from Oleksii
commit 038f465bd138fbc9eb17fa661a9161cdd5235cbe
Author: Adrian Mamolea
Date: Wed Jul 5 16:59:08 2023 -0400
http2_inspect: add frame when logging a packet
---
diff --git a/src/service_inspectors/http2_inspect/http2_data_frame.cc b/src/service_inspectors/http2_inspect/http2_data_frame.cc
index fb529169f..256a5fbdb 100644
--- a/src/service_inspectors/http2_inspect/http2_data_frame.cc
+++ b/src/service_inspectors/http2_inspect/http2_data_frame.cc
@@ -103,3 +103,9 @@ void Http2DataFrame::print_frame(FILE* output)
 Http2Frame::print_frame(output);
 }
 #endif
+
+const uint8_t* Http2DataFrame::get_frame_data(uint32_t& length) const
+{
+ length = data_length;
+ return data_buffer;
+}
diff --git a/src/service_inspectors/http2_inspect/http2_data_frame.h b/src/service_inspectors/http2_inspect/http2_data_frame.h
index 6224ce4e5..e9c82b721 100644
--- a/src/service_inspectors/http2_inspect/http2_data_frame.h
+++ b/src/service_inspectors/http2_inspect/http2_data_frame.h
@@ -35,6 +35,7 @@ public:
 bool is_detection_required() const override { return false; }
 void update_stream_state() override;
+ virtual const uint8_t* get_frame_data(uint32_t& length) const override;
 friend Http2Frame* Http2Frame::new_frame(const uint8_t*, const uint32_t, const uint8_t*, const uint32_t, Http2FlowData*, HttpCommon::SourceId, Http2Stream* stream);
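Review bot: `Http2DataFrame::get_frame_data` in http2_data_frame.cc hands out `data_buffer` with no comment on who owns it, and unlike the base `Http2Frame::get_frame_data` it never returns nullptr or checks the length. A one-line comment above the definition would help, e.g. `// Non-owning: returns data_buffer itself; callers must not delete[] it or write through it.` If `data_buffer` can be null when `data_length` is zero (not visible in this hunk), say so too, because `get_frame_pdu` treats a null return as failure and then skips logging the frame.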
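Review bot: In http2_data_frame.h the new declaration spells both `virtual` and `override`, while the neighbouring members (`is_detection_required`, `update_stream_state`) use `override` alone. `override` already implies virtual, so for consistency this should read `const uint8_t* get_frame_data(uint32_t& length) const override;`.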
diff --git a/src/service_inspectors/http2_inspect/http2_frame.cc b/src/service_inspectors/http2_inspect/http2_frame.cc
index f8a4ac931..813a27316 100644
--- a/src/service_inspectors/http2_inspect/http2_frame.cc
+++ b/src/service_inspectors/http2_inspect/http2_frame.cc
@@ -154,3 +154,32 @@ void Http2Frame::print_frame(FILE* output)
 data.print(output, "Frame Data");
 }
 #endif
+
+const uint8_t* Http2Frame::get_frame_pdu(uint16_t& length) const
+{
+ int32_t hlen = header.length();
+ if (hlen != FRAME_HEADER_LENGTH)
+ return nullptr;
+
+ uint32_t dlen;
+ const uint8_t* data = get_frame_data(dlen);
+ if (!data or (hlen + dlen > UINT16_MAX))
+ return nullptr;
+
+ length = (uint16_t)(hlen + dlen);
+ uint8_t* pdu = new uint8_t[length];
+ memcpy(pdu, header.start(), hlen);
+ if (dlen)
+ memcpy(&pdu[hlen], data, dlen);
+ return pdu;
+}
+
+const uint8_t* Http2Frame::get_frame_data(uint32_t& length) const
+{
+ int32_t dlen = data.length();
+ if (dlen < 0)
+ return nullptr;
+
+ length = (uint32_t)dlen;
+ return data.start();
+}
diff --git a/src/service_inspectors/http2_inspect/http2_frame.h b/src/service_inspectors/http2_inspect/http2_frame.h
index ccaccfbe2..5389ca0eb 100644
--- a/src/service_inspectors/http2_inspect/http2_frame.h
+++ b/src/service_inspectors/http2_inspect/http2_frame.h
@@ -50,7 +50,8 @@ public:
 virtual const Field& get_buf(unsigned id);
 virtual bool is_detection_required() const { return true; }
 virtual void update_stream_state() { }
-
+ const uint8_t* get_frame_pdu(uint16_t& length) const;
+ virtual const uint8_t* get_frame_data(uint32_t& length) const;
 #ifdef REG_TEST
 virtual void print_frame(FILE* output);
 #endif
diff --git a/src/service_inspectors/http2_inspect/http2_inspect.cc b/src/service_inspectors/http2_inspect/http2_inspect.cc
index 01443ce1e..feed041f1 100644
--- a/src/service_inspectors/http2_inspect/http2_inspect.cc
+++ b/src/service_inspectors/http2_inspect/http2_inspect.cc
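Review bot: In `Http2Frame::get_frame_pdu` (http2_frame.cc) the bound `hlen + dlen > UINT16_MAX` is evaluated in 32-bit unsigned arithmetic, so a `dlen` within `hlen` of UINT32_MAX would wrap, pass the check, and let `memcpy(&pdu[hlen], data, dlen)` write far past a small `new uint8_t[length]` buffer. The base `get_frame_data` caps `dlen` at INT32_MAX, but the `Http2DataFrame` override returns `data_length` unchecked and its limits are not visible here, so the check should not depend on them: `if (!data or dlen > UINT16_MAX - (uint32_t)hlen)`. Separately, the early `!data` return means a frame whose payload pointer is null with `dlen == 0` is never logged, even though the later `if (dlen)` guard looks written to allow an empty payload; confirm which is intended.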
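Review bot: `get_frame_pdu` is declared in http2_frame.h as returning `const uint8_t*`, which reads like a borrowed pointer, but the definition in http2_frame.cc returns a fresh `new uint8_t[length]` buffer that the caller has to free, whereas `get_frame_data` returns a pointer into the frame. Document the difference at the declarations, e.g. `// Returns a new[] copy of header + payload; caller must delete[]. length is written only on success.` and `// Returns a non-owning pointer to the frame payload, or nullptr.` Returning `std::unique_ptr<uint8_t[]>` from `get_frame_pdu` would make the ownership explicit, if the `adjust_log_packet` interface it feeds can release it at the boundary.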
@@ -214,3 +214,20 @@ static void print_flow_issues(FILE* output, Http2Infractions* const infractions,
 infractions->get_raw(0), events->get_raw(0));
 }
 #endif
+
+const uint8_t* Http2Inspect::adjust_log_packet(Packet* p, uint16_t& length)
+{
+ auto* const session_data = (Http2FlowData*)p->flow->get_flow_data(Http2FlowData::inspector_id);
+ if (!session_data)
+ return nullptr;
+
+ auto* stream = session_data->find_processing_stream();
+ if (!stream)
+ return nullptr;
+
+ auto* frame = stream->get_current_frame();
+ if (!frame)
+ return nullptr;
+
+ return frame->get_frame_pdu(length);
+}
diff --git a/src/service_inspectors/http2_inspect/http2_inspect.h b/src/service_inspectors/http2_inspect/http2_inspect.h
index ba7cd58a3..7b971357b 100644
--- a/src/service_inspectors/http2_inspect/http2_inspect.h
+++ b/src/service_inspectors/http2_inspect/http2_inspect.h
@@ -55,6 +55,7 @@ public:
 bool can_carve_files() const override { return true; }
+ const uint8_t* adjust_log_packet(snort::Packet* p, uint16_t& length) override;
 private:
 friend Http2Api;
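Review bot: `Http2Inspect::adjust_log_packet` in http2_inspect.cc dereferences `p->flow` before any check, although every later pointer in the chain (`session_data`, `stream`, `frame`) is tested for null. Unless the logging path guarantees a flow on every packet it passes in (not visible in this hunk), start with `if (!p or !p->flow) return nullptr;`. The function also passes on the heap buffer from `get_frame_pdu`, so a short comment that the caller owns the result and must `delete[]` it belongs here as well. `length` is left untouched on every nullptr return, so callers should not read it in that case.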