From: Tom Peters (thopeter) Date: Fri, 10 Dec 2021 20:41:06 +0000 (+0000) Subject: Pull request #3208: http_inspect/http2_inspect: refuse midstream pickups X-Git-Tag: 3.1.19.0~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=db1a25b998a2ec44c5bf2999a0434e5e95116316;p=thirdparty%2Fsnort3.git Pull request #3208: http_inspect/http2_inspect: refuse midstream pickups Merge in SNORT/snort3 from ~THOPETER/snort3:h2i22 to master Squashed commit of the following: commit 75298d3ab6f3e4b977a80b04a542899d64f3e6e7 Author: Tom Peters Date: Fri Nov 19 15:57:32 2021 -0500 http_inspect/http2_inspect: refuse midstream pickups --- diff --git a/src/service_inspectors/http2_inspect/http2_inspect.cc b/src/service_inspectors/http2_inspect/http2_inspect.cc index d77584d20..9cd462f7e 100644 --- a/src/service_inspectors/http2_inspect/http2_inspect.cc +++ b/src/service_inspectors/http2_inspect/http2_inspect.cc @@ -131,7 +131,8 @@ void Http2Inspect::eval(Packet* p) } session_data->set_processing_stream_id(source_id); - Http2Stream* stream = session_data->get_processing_stream(source_id, params->concurrent_streams_limit); + Http2Stream* const stream = session_data->get_processing_stream(source_id, + params->concurrent_streams_limit); if (!stream) { delete[] session_data->frame_data[source_id]; diff --git a/src/service_inspectors/http2_inspect/http2_stream_splitter.cc b/src/service_inspectors/http2_inspect/http2_stream_splitter.cc index 4884f1c51..436cf07b8 100644 --- a/src/service_inspectors/http2_inspect/http2_stream_splitter.cc +++ b/src/service_inspectors/http2_inspect/http2_stream_splitter.cc @@ -45,22 +45,26 @@ StreamSplitter::Status Http2StreamSplitter::scan(Packet* pkt, const uint8_t* dat { Profile profile(Http2Module::get_profile_stats()); + Flow* const flow = pkt->flow; + if (flow->session_state & STREAM_STATE_MIDSTREAM) + return StreamSplitter::ABORT; + // This is the session state information we share with Http2Inspect and store with stream. A // session is defined by a TCP connection. Since scan() is the first to see a new TCP // connection the new flow data object is created here. Http2FlowData* session_data = - (Http2FlowData*)pkt->flow->get_flow_data(Http2FlowData::inspector_id); + (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id); if (session_data == nullptr) { AssistantGadgetEvent event(pkt, "http"); - DataBus::publish(FLOW_ASSISTANT_GADGET_EVENT, event, pkt->flow); - if (pkt->flow->assistant_gadget == nullptr) + DataBus::publish(FLOW_ASSISTANT_GADGET_EVENT, event, flow); + if (flow->assistant_gadget == nullptr) { // http_inspect is not configured return HttpStreamSplitter::status_value(StreamSplitter::ABORT, true); } - pkt->flow->set_flow_data(session_data = new Http2FlowData(pkt->flow)); + flow->set_flow_data(session_data = new Http2FlowData(flow)); Http2Module::increment_peg_counts(PEG_FLOW); } @@ -84,7 +88,7 @@ StreamSplitter::Status Http2StreamSplitter::scan(Packet* pkt, const uint8_t* dat { printf("HTTP/2 scan from flow data %" PRIu64 " direction %d length %u client port %hu server port %hu\n", session_data->seq_num, - source_id, length, pkt->flow->client_port, pkt->flow->server_port); + source_id, length, flow->client_port, flow->server_port); fflush(stdout); if (HttpTestManager::get_show_scan()) { diff --git a/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc b/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc index dd4c28f41..eff62701d 100644 --- a/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc +++ b/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc @@ -129,6 +129,8 @@ StreamSplitter::Status HttpStreamSplitter::scan(Packet* pkt, const uint8_t* data Profile profile(HttpModule::get_profile_stats()); Flow* const flow = pkt->flow; + if (flow->session_state & STREAM_STATE_MIDSTREAM) + return StreamSplitter::ABORT; // This is the session state information we share with HttpInspect and store with stream. A // session is defined by a TCP connection. Since scan() is the first to see a new TCP