From: Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) Date: Tue, 29 Nov 2022 15:09:53 +0000 (+0000) Subject: Pull request #3679: http_inspect: add decompression failure check before normalization X-Git-Tag: 3.1.48.0~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9a1a70e6d67ea98b2dc67f0ea7b5836a80cc2913;p=thirdparty%2Fsnort3.git Pull request #3679: http_inspect: add decompression failure check before normalization Merge in SNORT/snort3 from ~ASERBENI/snort3:jsn_decomp to master Squashed commit of the following: commit 0afc327eebcf120f34fc67e336fc2ffee73afaaf Author: Andrii Serbeniuk Date: Wed Nov 23 12:44:07 2022 +0200 http_inspect: add decompression failure check before normalization --- diff --git a/src/service_inspectors/http_inspect/http_js_norm.cc b/src/service_inspectors/http_inspect/http_js_norm.cc index 6744a6905..bacc34a68 100644 --- a/src/service_inspectors/http_inspect/http_js_norm.cc +++ b/src/service_inspectors/http_inspect/http_js_norm.cc @@ -322,9 +322,6 @@ bool HttpInlineJSNorm::pre_proc() assert(http_events); assert(infractions); - if ((*infractions & INF_UNKNOWN_ENCODING) or (*infractions & INF_UNSUPPORTED_ENCODING)) - return false; - if (src_ptr >= src_end) return false; diff --git a/src/service_inspectors/http_inspect/http_msg_body.cc b/src/service_inspectors/http_inspect/http_msg_body.cc index 1102dcc6a..fe2b29579 100644 --- a/src/service_inspectors/http_inspect/http_msg_body.cc +++ b/src/service_inspectors/http_inspect/http_msg_body.cc 
@@ -46,6 +46,20 @@ using namespace jsn; extern THREAD_LOCAL const snort::Trace* js_trace; +static HttpInfractions decode_infs; + +static void init_decode_infs() +{ + decode_infs += INF_UNKNOWN_ENCODING; + decode_infs += INF_UNSUPPORTED_ENCODING; + decode_infs += INF_STACKED_ENCODINGS; + decode_infs += INF_CONTENT_ENCODING_CHUNKED; + decode_infs += INF_GZIP_FAILURE; + decode_infs += INF_GZIP_OVERRUN; +} + +static int _init_decode_infs __attribute__((unused)) = (static_cast(init_decode_infs()), 0); + HttpMsgBody::HttpMsgBody(const uint8_t* buffer, const uint16_t buf_size, HttpFlowData* session_data_, SourceId source_id_, bool buf_owner, Flow* flow_, const HttpParaList* params_) : @@ -767,6 +781,14 @@ const Field& HttpMsgBody::get_norm_js_data() if (norm_js_data.length() != STAT_NOT_COMPUTE) return norm_js_data; + auto infractions = this->transaction->get_infractions(source_id); + + if (*infractions & decode_infs) + { + norm_js_data.set(STAT_NO_SOURCE); + return norm_js_data; + } + if (decompressed_file_body.length() <= 0) { norm_js_data.set(STAT_NO_SOURCE); @@ -785,7 +807,7 @@ const Field& HttpMsgBody::get_norm_js_data() size_t dst_len = HttpCommon::STAT_NOT_PRESENT; auto back = !session_data->partial_flush[source_id]; - jsn->link(decompressed_file_body.start(), session_data->events[source_id], transaction->get_infractions(source_id)); + jsn->link(decompressed_file_body.start(), session_data->events[source_id], infractions); jsn->normalize(decompressed_file_body.start(), decompressed_file_body.length(), dst, dst_len); debug_logf(4, js_trace, TRACE_PROC, DetectionEngine::get_current_packet(),
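Review bot: `decode_infs` in the first http_msg_body.cc hunk is a mutable file-scope object filled in by a dummy `int` initializer that depends on the GCC-specific `__attribute__((unused))`, so nothing stops later code in this file from changing the mask that gates JS normalization. Have the helper build and return the set, then bind it once with `static const HttpInfractions decode_infs = make_decode_infs();`. This assumes `HttpInfractions` is copyable, which the hunk does not show. The list also needs a comment such as `// Infractions after which decompressed_file_body cannot be trusted; extend when a new decode infraction is added`, because a decode infraction missing from this mask would still reach the normalizer.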
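Review bot: The new early return in `HttpMsgBody::get_norm_js_data()` leaves the normalized JS buffer empty whenever any decode infraction is set, and nothing at this site records why. Rules that match on normalized JavaScript will see no data for such a body, so coverage appears to rest entirely on the infraction's own event being enabled; a comment should say so, for example `// Decode infraction: body is unreliable, skip JS normalization; detection relies on the infraction's event`. The mask is tested on the infraction set returned for `source_id`, so it is worth confirming whether a flag raised on an earlier body section also suppresses normalization of later sections of the same message. `*infractions` is dereferenced without the `assert(infractions)` that `HttpInlineJSNorm::pre_proc()` uses, and `this->transaction` differs from the plain `transaction` spelling used elsewhere in the function. The function body starts and ends outside this hunk.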