From: Mike Stepanek (mstepane) Date: Tue, 3 Mar 2020 14:49:29 +0000 (+0000) Subject: Merge pull request #2042 in SNORT/snort3 from ~NIHDESAI/snort3:abort_h2h to master X-Git-Tag: 3.0.0-269~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b20be69643a84b2935566ad7dc44bd0c67b3d76b;p=thirdparty%2Fsnort3.git Merge pull request #2042 in SNORT/snort3 from ~NIHDESAI/snort3:abort_h2h to master Squashed commit of the following: commit d5b1e259399fbcc38fa191291ef6c4b99264f809 Author: Nihal Desai Date: Wed Feb 19 15:41:51 2020 -0500 http2_inspect: aborts for nhi errors
---
diff --git a/src/service_inspectors/http2_inspect/http2_enum.h b/src/service_inspectors/http2_inspect/http2_enum.h
index be19f496e..fdab3edbf 100644
--- a/src/service_inspectors/http2_inspect/http2_enum.h
+++ b/src/service_inspectors/http2_inspect/http2_enum.h
@@ -63,6 +63,7 @@ enum EventSid
 EVENT_SETTINGS_FRAME_UNKN_PARAM = 12,
 EVENT_FRAME_SEQUENCE = 13,
 EVENT_DYNAMIC_TABLE_OVERFLOW = 14,
+ EVENT_INVALID_STARTLINE = 15,
 EVENT__MAX_VALUE
 };
@@ -95,6 +96,8 @@ enum Infraction
 INF_DYNAMIC_TABLE_OVERFLOW = 22,
 INF_TABLE_SIZE_UPDATE_WITHIN_HEADER = 23,
 INF_TOO_MANY_TABLE_SIZE_UPDATES = 24,
+ INF_INVALID_STARTLINE = 25,
+ INF_INVALID_HEADER = 26,
 INF__MAX_VALUE
 };
diff --git a/src/service_inspectors/http2_inspect/http2_headers_frame.cc b/src/service_inspectors/http2_inspect/http2_headers_frame.cc
index 07ab5632b..87f84af67 100644
--- a/src/service_inspectors/http2_inspect/http2_headers_frame.cc
+++ b/src/service_inspectors/http2_inspect/http2_headers_frame.cc
@@ -24,7 +24,8 @@
 #include "http2_headers_frame.h"
 #include "protocols/packet.h"
-
+#include "service_inspectors/http_inspect/http_enum.h"
+#include "service_inspectors/http_inspect/http_flow_data.h"
 #include "service_inspectors/http_inspect/http_inspect.h"
 #include "service_inspectors/http_inspect/http_stream_splitter.h"
@@ -102,6 +103,7 @@ Http2HeadersFrame::Http2HeadersFrame(const uint8_t* header_buffer, const int32_t assert(copied == (unsigned)start_line->length()); } + HttpFlowData* http_flow = session_data->get_current_stream(source_id)->get_hi_flow_data(); // http_inspect eval() and clear() of start line { Http2DummyPacket dummy_pkt; @@ -110,6 +112,13 @@ Http2HeadersFrame::Http2HeadersFrame(const uint8_t* header_buffer, const int32_t dummy_pkt.dsize = stream_buf.length; dummy_pkt.data = stream_buf.data; session_data->hi->eval(&dummy_pkt); + if (http_flow->get_type_expected(source_id) != HttpEnums::SEC_HEADER) + { + *session_data->infractions[source_id] += INF_INVALID_STARTLINE; + session_data->events[source_id]->create_event(EVENT_INVALID_STARTLINE); + hi_abort = true; + return; + } session_data->hi->clear(&dummy_pkt); } @@ -122,13 +131,8 @@ Http2HeadersFrame::Http2HeadersFrame(const uint8_t* header_buffer, const int32_t const StreamSplitter::Status header_scan_result = session_data->hi_ss[source_id]->scan(&dummy_pkt, http1_header->start(), http1_header->length(), unused, &flush_offset); - if (header_scan_result == StreamSplitter::ABORT) - { - // eval() aborted the start line? - hi_abort = true; - return; - } assert(header_scan_result == StreamSplitter::FLUSH); + UNUSED(header_scan_result); assert((int64_t)flush_offset == http1_header->length()); } 
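Review bot: The `http_flow` pointer added in the hunk at `@@ -102,6 +103,7` comes from the chained call `session_data->get_current_stream(source_id)->get_hi_flow_data()` with no null check on either result, and both new checks later in the constructor dereference it. Whether either accessor can return null at this point is not visible in the diff; if it can, a malformed or truncated HTTP/2 stream would crash the inspector instead of being flagged. State the invariant with `assert(http_flow != nullptr);` and, because asserts vanish in release builds, consider `if (http_flow == nullptr) { hi_abort = true; return; }` as well. The constructor body starts and ends outside the hunk.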
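Review bot: In the hunk at `@@ -110,6 +112,13`, the new early `return` on the invalid-start-line path skips `session_data->hi->clear(&dummy_pkt);`, which on the normal path follows `eval()` directly. If clear() resets state that eval() set up for this packet (its body is not shown here), that state is left behind for the aborted stream; calling `session_data->hi->clear(&dummy_pkt);` inside the branch before `return;` would keep the eval()/clear() pairing on every path. If skipping it is intended, a one-line comment saying why would help the next reader. The enclosing block opens outside the hunk.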
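Review bot: After the hunk at `@@ -122,13 +131,8`, the only check on `header_scan_result` is `assert(header_scan_result == StreamSplitter::FLUSH)`, which is compiled out when NDEBUG is defined, so a release build carries on with whatever `flush_offset` scan() left behind if the result is ever not FLUSH. The removed ABORT branch is presumably unreachable now that the start-line check returns earlier, but this path parses network-supplied headers, and a cheap runtime guard stops a broken invariant from turning into silent misparsing: `if (header_scan_result != StreamSplitter::FLUSH) { hi_abort = true; return; }` after the assert. With that guard in place `UNUSED(header_scan_result);` is no longer needed. The enclosing block begins outside the hunk.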
@@ -151,6 +155,17 @@ Http2HeadersFrame::Http2HeadersFrame(const uint8_t* header_buffer, const int32_t
 dummy_pkt.data = stream_buf.data;
 dummy_pkt.xtradata_mask = 0;
 session_data->hi->eval(&dummy_pkt);
+ //Following if condition won't get exercised until finish() is
+ //implemented for H2I. Without finish() H2I will only flush
+ //complete header blocks. Below ABORT is only possible if
+ //tcp connection closes unexpectedly in middle of a header.
+ if (http_flow->get_type_expected(source_id) == HttpEnums::SEC_ABORT)
+ {
+ *session_data->infractions[source_id] += INF_INVALID_HEADER;
+ session_data->events[source_id]->create_event(EVENT_INVALID_HEADER);
+ hi_abort = true;
+ return;
+ }
 detection_required = dummy_pkt.is_detection_required();
 xtradata_mask = dummy_pkt.xtradata_mask;
 }
diff --git a/src/service_inspectors/http2_inspect/http2_tables.cc b/src/service_inspectors/http2_inspect/http2_tables.cc
index 29652cda1..71557351e 100644
--- a/src/service_inspectors/http2_inspect/http2_tables.cc
+++ b/src/service_inspectors/http2_inspect/http2_tables.cc
@@ -45,6 +45,7 @@ const RuleMap Http2Module::http2_events[] =
 { EVENT_SETTINGS_FRAME_UNKN_PARAM, "unknown parameter in HTTP/2 settings frame" },
 { EVENT_FRAME_SEQUENCE, "invalid HTTP/2 frame sequence" },
 { EVENT_DYNAMIC_TABLE_OVERFLOW, "HTTP/2 dynamic table size limit exceeded" },
+ { EVENT_INVALID_STARTLINE, "invalid HTTP/2 start line" },
 { 0, nullptr }
 };
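Review bot: The SEC_ABORT branch added to http2_headers_frame.cc at `@@ -151,6 +155,17` raises `EVENT_INVALID_HEADER`, but this commit adds only `INF_INVALID_HEADER` and `EVENT_INVALID_STARTLINE` to http2_enum.h and only the start-line entry to `http2_events[]`. Confirm that `EVENT_INVALID_HEADER` already exists in `EventSid` and has a rule-map entry, so that the new alert fires with rule text. The comment above the branch says it cannot be exercised until finish() is implemented for H2I, so the branch ships untested; a marker such as `// TODO: add a test for this path once H2I finish() exists` would keep that visible. The enclosing block opens outside the hunk.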