From: Tom Peters (thopeter) Date: Fri, 10 Dec 2021 22:22:08 +0000 (+0000) Subject: Pull request #3198: BUG #715019: Hitting assert - HttpMsgBody::clean_partial X-Git-Tag: 3.1.19.0~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a323b6479ceb7b129591ce824bcb59561056bd07;p=thirdparty%2Fsnort3.git Pull request #3198: BUG #715019: Hitting assert - HttpMsgBody::clean_partial Merge in SNORT/snort3 from ~MDAGON/snort3:fix_assert to master Squashed commit of the following: commit 9ef0fdf7550edbd6c328438681abba6efab59ec7 Author: Maya Dagon Date: Tue Nov 30 15:55:31 2021 -0500 http_inspect: use correct detect_length for partial inspection cleanup
---
diff --git a/src/pub_sub/test/pub_sub_http_request_body_event_test.cc b/src/pub_sub/test/pub_sub_http_request_body_event_test.cc
index 80177c0e0..173a3d638 100644
--- a/src/pub_sub/test/pub_sub_http_request_body_event_test.cc
+++ b/src/pub_sub/test/pub_sub_http_request_body_event_test.cc
@@ -56,7 +56,7 @@ void HttpMsgBody::do_file_processing(const Field&) {}
 void HttpMsgBody::do_utf_decoding(const Field&, Field&) {}
 void HttpMsgBody::do_file_decompression(const Field&, Field&) {}
 void HttpMsgBody::do_enhanced_js_normalization(const Field&, Field&) {}
-void HttpMsgBody::clean_partial(uint32_t&, uint32_t&, uint8_t*&, uint32_t&, int32_t) {}
+void HttpMsgBody::clean_partial(uint32_t&, uint32_t&, uint8_t*&, uint32_t&) {}
 void HttpMsgBody::bookkeeping_regular_flush(uint32_t&, uint8_t*&, uint32_t&, int32_t) {}
 #ifdef REG_TEST
 void HttpMsgBody::print_body_section(FILE*, const char*) {}
diff --git a/src/service_inspectors/http_inspect/http_msg_body.cc b/src/service_inspectors/http_inspect/http_msg_body.cc
index f2df2ae97..3d0d8a64f 100644
--- a/src/service_inspectors/http_inspect/http_msg_body.cc
+++ b/src/service_inspectors/http_inspect/http_msg_body.cc
@@ -89,7 +89,7 @@ void HttpMsgBody::bookkeeping_regular_flush(uint32_t& partial_detect_length, } void HttpMsgBody::clean_partial(uint32_t& partial_inspected_octets, uint32_t& partial_detect_length, - uint8_t*& partial_detect_buffer, uint32_t& partial_js_detect_length, int32_t detect_length) + uint8_t*& partial_detect_buffer, uint32_t& partial_js_detect_length) { body_octets += msg_text.length(); partial_inspected_octets = session_data->partial_flush[source_id] ? msg_text.length() : 0; @@ -100,7 +100,9 @@ void HttpMsgBody::clean_partial(uint32_t& partial_inspected_octets, uint32_t& pa if (session_data->detect_depth_remaining[source_id] > 0) { delete[] partial_detect_buffer; - assert(detect_length <= session_data->detect_depth_remaining[source_id]); + const int32_t detect_length = + (partial_js_detect_length <= session_data->detect_depth_remaining[source_id]) ? + partial_js_detect_length : session_data->detect_depth_remaining[source_id]; bookkeeping_regular_flush(partial_detect_length, partial_detect_buffer, partial_js_detect_length, detect_length); } @@ -170,10 +172,14 @@ void HttpMsgBody::analyze() decompressed_file_body.length()); cumulative_data.set(total_length, cumulative_buffer, true); do_legacy_js_normalization(cumulative_data, js_norm_body); - if ((int32_t)partial_js_detect_length == js_norm_body.length()) + // Partial inspections don't update detect_depth_remaining. + // If there is no new data or same data will be sent to detection because + // we already reached detect_depth, don't do another detection + if ((int32_t)partial_js_detect_length == js_norm_body.length() || + partial_js_detect_length >= session_data->detect_depth_remaining[source_id]) { clean_partial(partial_inspected_octets, partial_detect_length, - partial_detect_buffer, partial_js_detect_length, js_norm_body.length()); + partial_detect_buffer, partial_js_detect_length); return; } } 
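Review bot: The clamp that replaces the assert in clean_partial is a hand-written minimum over operands of different types, and its result is narrowed into `const int32_t detect_length` with no explicit conversion. partial_js_detect_length is `uint32_t&` per the signature, while the element type of detect_depth_remaining is declared outside this diff, so whether the comparison runs signed or unsigned cannot be confirmed from the hunk. Since this value is the length passed on to bookkeeping_regular_flush, I would spell the conversion out, e.g. `const int32_t detect_length = static_cast<int32_t>(std::min<int64_t>(partial_js_detect_length, session_data->detect_depth_remaining[source_id]));` (needs `<algorithm>` if the file does not already include it). A one-line comment such as `// clamp to the remaining detect depth; partial inspections do not decrement it` would also record why the old assert could fire. The body of clean_partial continues past the hunk.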
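Review bot: The added clause in analyze(), `partial_js_detect_length >= session_data->detect_depth_remaining[source_id]`, has no visible guard for a non-positive detect_depth_remaining, whereas clean_partial checks `> 0` before using the same element. If that element is signed and can be zero or negative here (its declaration and the earlier part of analyze() are outside the hunk), the clause is either always true or goes through an implicit signed/unsigned conversion, and in both cases it decides whether a partial section reaches detection at all. Skipping detection is an evasion-sensitive decision in an inspector, so the comment should state the precondition, e.g. `// detect_depth_remaining[source_id] > 0 is guaranteed here by ...`, or the comparison should be done in one signed width: `static_cast<int64_t>(partial_js_detect_length) >= session_data->detect_depth_remaining[source_id]`. The commit only adjusts a stub in the pub_sub test, so a regression case for a partial flush that lands exactly at detect depth would be worth adding.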
diff --git a/src/service_inspectors/http_inspect/http_msg_body.h b/src/service_inspectors/http_inspect/http_msg_body.h index 664c148af..e19d1454f 100644 --- a/src/service_inspectors/http_inspect/http_msg_body.h +++ b/src/service_inspectors/http_inspect/http_msg_body.h @@ -66,8 +66,7 @@ private: void do_enhanced_js_normalization(const Field& input, Field& output); void do_legacy_js_normalization(const Field& input, Field& output); void clean_partial(uint32_t& partial_inspected_octets, uint32_t& partial_detect_length, - uint8_t*& partial_detect_buffer, uint32_t& partial_js_detect_length, - int32_t detect_length); + uint8_t*& partial_detect_buffer, uint32_t& partial_js_detect_length); void bookkeeping_regular_flush(uint32_t& partial_detect_length, uint8_t*& partial_detect_buffer, uint32_t& partial_js_detect_length, int32_t detect_length);