From: Mike Stepanek (mstepane) Date: Tue, 21 Jul 2020 20:11:47 +0000 (+0000) Subject: Merge pull request #2342 in SNORT/snort3 from ~THOPETER/snort3:nhttp142 to master X-Git-Tag: 3.0.2-3~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f50c3b7c7ed9b7605ca3148be9988245b35718d2;p=thirdparty%2Fsnort3.git Merge pull request #2342 in SNORT/snort3 from ~THOPETER/snort3:nhttp142 to master Squashed commit of the following: commit de715737345a12998a108bfcbb6f409abe44fb41 Author: Tom Peters Date: Fri Jul 17 13:08:04 2020 -0400 http_inspect & decompress: clean up --- diff --git a/src/decompress/file_decomp_pdf.cc b/src/decompress/file_decomp_pdf.cc index e240f0411..9c49d4b03 100644 --- a/src/decompress/file_decomp_pdf.cc +++ b/src/decompress/file_decomp_pdf.cc @@ -196,7 +196,7 @@ static fd_status_t Process_Filter_Spec(fd_session_t* SessionPtr) int Index; fd_status_t Ret_Code = File_Decomp_OK; - fd_PDF_Parse_p_t p = &(SessionPtr->PDF->Parse); + fd_PDF_Parse_t* p = &(SessionPtr->PDF->Parse); /* Assume the 'no compression' result */ SessionPtr->Decomp_Type = FILE_COMPRESSION_TYPE_NONE; @@ -279,7 +279,7 @@ static fd_status_t Process_Filter_Spec(fd_session_t* SessionPtr) static inline void Init_Parser(fd_session_t* SessionPtr) { - fd_PDF_Parse_p_t p = &(SessionPtr->PDF->Parse); + fd_PDF_Parse_t* p = &(SessionPtr->PDF->Parse); /* The parser starts in the P_COMMENT state we start parsing the file just after the signature is located and the signature is syntactically a comment. */ @@ -288,14 +288,12 @@ static inline void Init_Parser(fd_session_t* SessionPtr) p->xref_tok = (const uint8_t*)TOK_XRF_STARTXREF; } -static inline fd_status_t Push_State(fd_PDF_Parse_p_t p) +static inline fd_status_t Push_State(fd_PDF_Parse_t* p) { - fd_PDF_Parse_Stack_p_t StckPtr; - if ( p->Parse_Stack_Index >= (PARSE_STACK_LEN-1) ) return File_Decomp_Error; - StckPtr = &(p->Parse_Stack[(p->Parse_Stack_Index)++]); + fd_PDF_Parse_Stack_t* StckPtr = &(p->Parse_Stack[(p->Parse_Stack_Index)++]); StckPtr->State = p->State; StckPtr->Sub_State = p->Sub_State; @@ -303,14 +301,12 @@ static inline fd_status_t Push_State(fd_PDF_Parse_p_t p) return File_Decomp_OK; } -static inline fd_status_t Pop_State(fd_PDF_Parse_p_t p) +static inline fd_status_t Pop_State(fd_PDF_Parse_t* p) { - fd_PDF_Parse_Stack_p_t StckPtr; - if ( p->Parse_Stack_Index == 0 ) return File_Decomp_Error; - StckPtr = &(p->Parse_Stack[--(p->Parse_Stack_Index)]); + fd_PDF_Parse_Stack_t* StckPtr = &(p->Parse_Stack[--(p->Parse_Stack_Index)]); p->Elem_Index = 0; // Reset to beginning of token as can't push/pop in mid-token p->State = StckPtr->State; @@ -320,7 +316,7 @@ static inline fd_status_t Pop_State(fd_PDF_Parse_p_t p) } /* If there's a previous state on the stack, return a pointer to it, else return NULL */ -static inline fd_PDF_Parse_Stack_p_t Get_Previous_State(fd_PDF_Parse_p_t p) +static inline fd_PDF_Parse_Stack_t* Get_Previous_State(fd_PDF_Parse_t* p) { if ( p->Parse_Stack_Index == 0 ) return nullptr; @@ -335,7 +331,7 @@ static inline fd_PDF_Parse_Stack_p_t Get_Previous_State(fd_PDF_Parse_p_t p) only explore Dictionary objects within Indirect Objects. */ static inline fd_status_t Handle_State_DICT_OBJECT(fd_session_t* SessionPtr, uint8_t c) { - fd_PDF_Parse_p_t p = &(SessionPtr->PDF->Parse); + fd_PDF_Parse_t* p = &(SessionPtr->PDF->Parse); /* enter with c being an EOL from the ind obj state */ if ( p->State != P_DICT_OBJECT ) @@ -491,7 +487,7 @@ static inline fd_status_t Handle_State_DICT_OBJECT(fd_session_t* SessionPtr, uin of the stream. */ if ( SessionPtr->Decomp_Type != FILE_COMPRESSION_TYPE_NONE ) { - fd_PDF_Parse_Stack_p_t StckPtr; + fd_PDF_Parse_Stack_t* StckPtr; if ( (StckPtr = Get_Previous_State(p)) == nullptr ) { @@ -524,7 +520,7 @@ static inline fd_status_t Handle_State_DICT_OBJECT(fd_session_t* SessionPtr, uin return File_Decomp_OK; } -static inline fd_status_t Process_Stream(fd_PDF_Parse_p_t p) +static inline fd_status_t Process_Stream(fd_PDF_Parse_t* p) { p->Sub_State = P_ENDSTREAM_TOKEN; p->State = P_IND_OBJ; @@ -543,7 +539,7 @@ static inline fd_status_t Process_Stream(fd_PDF_Parse_p_t p) bulk of the file content. */ static inline fd_status_t Handle_State_IND_OBJ(fd_session_t* SessionPtr, uint8_t c) { - fd_PDF_Parse_p_t p = &(SessionPtr->PDF->Parse); + fd_PDF_Parse_t* p = &(SessionPtr->PDF->Parse); /* Upon initial entry, setup state context */ if ( p->State != P_IND_OBJ ) @@ -724,7 +720,7 @@ static inline fd_status_t Handle_State_IND_OBJ(fd_session_t* SessionPtr, uint8_t this segment. */ static inline fd_status_t Handle_State_XREF(fd_session_t* SessionPtr, uint8_t c) { - fd_PDF_Parse_p_t p = &(SessionPtr->PDF->Parse); + fd_PDF_Parse_t* p = &(SessionPtr->PDF->Parse); if ( p->State != P_XREF ) { @@ -783,7 +779,7 @@ static inline fd_status_t Handle_State_XREF(fd_session_t* SessionPtr, uint8_t c) static inline fd_status_t Handle_State_START(fd_session_t* SessionPtr, uint8_t c) { - fd_PDF_Parse_p_t p = &(SessionPtr->PDF->Parse); + fd_PDF_Parse_t* p = &(SessionPtr->PDF->Parse); /* Skip any whitespace. This will include the LF as part of a EOL token. */ if ( IS_WHITESPACE(c) ) @@ -826,7 +822,7 @@ static inline fd_status_t Handle_State_START(fd_session_t* SessionPtr, uint8_t c /* Parse file until input blocked or stream located. */ static fd_status_t Locate_Stream_Beginning(fd_session_t* SessionPtr) { - fd_PDF_Parse_p_t p = &(SessionPtr->PDF->Parse); + fd_PDF_Parse_t* p = &(SessionPtr->PDF->Parse); fd_status_t Ret_Code = File_Decomp_OK; while ( true ) @@ -900,7 +896,7 @@ static fd_status_t Locate_Stream_Beginning(fd_session_t* SessionPtr) static fd_status_t Init_Stream(fd_session_t* SessionPtr) { - fd_PDF_p_t StPtr = SessionPtr->PDF; + fd_PDF_t* StPtr = SessionPtr->PDF; switch ( StPtr->Decomp_Type ) { @@ -935,7 +931,7 @@ static fd_status_t Init_Stream(fd_session_t* SessionPtr) static fd_status_t Decomp_Stream(fd_session_t* SessionPtr) { - fd_PDF_p_t StPtr = SessionPtr->PDF; + fd_PDF_t* StPtr = SessionPtr->PDF; /* No reason to decompress if there's no input or room for output. */ @@ -993,12 +989,10 @@ static fd_status_t Close_Stream(fd_session_t* SessionPtr) /* Abort the decompression session upon command from caller. */ fd_status_t File_Decomp_End_PDF(fd_session_t* SessionPtr) { - fd_PDF_p_t StPtr; - if ( SessionPtr == nullptr ) return File_Decomp_Error; - StPtr = SessionPtr->PDF; + fd_PDF_t* StPtr = SessionPtr->PDF; if ( (StPtr->State != PDF_STATE_INIT_STREAM) && (StPtr->State != PDF_STATE_PROCESS_STREAM) ) @@ -1036,7 +1030,7 @@ fd_status_t File_Decomp_Init_PDF(fd_session_t* SessionPtr) SessionPtr->PDF = (fd_PDF_t*)snort_calloc(sizeof(fd_PDF_t)); - fd_PDF_p_t StPtr = SessionPtr->PDF; + fd_PDF_t* StPtr = SessionPtr->PDF; Init_Parser(SessionPtr); diff --git a/src/decompress/file_decomp_pdf.h b/src/decompress/file_decomp_pdf.h index 13276920f..34c8aa5b6 100644 --- a/src/decompress/file_decomp_pdf.h +++ b/src/decompress/file_decomp_pdf.h @@ -36,7 +36,7 @@ enum fd_PDF_States { PDF_STATE_NEW, - PDF_STATE_LOCATE_STREAM, /* Found sig bytes, looking for dictionary & stream*/ + PDF_STATE_LOCATE_STREAM, /* Found sig bytes, looking for dictionary & stream */ PDF_STATE_INIT_STREAM, /* Init stream */ PDF_STATE_PROCESS_STREAM /* Processing stream */ }; @@ -79,21 +79,16 @@ struct fd_PDF_t uint8_t State; }; -// FIXIT-RC don't obfuscate pointers -typedef fd_PDF_Parse_Stack_t* fd_PDF_Parse_Stack_p_t; -typedef fd_PDF_Parse_t* fd_PDF_Parse_p_t; -typedef fd_PDF_t* fd_PDF_p_t; - /* API Functions */ /* Init the PDF decompressor */ fd_status_t File_Decomp_Init_PDF(fd_session_t*); /* Run the incremental PDF file parser/decompressor */ -fd_status_t File_Decomp_End_PDF(fd_session_t*); +fd_status_t File_Decomp_PDF(fd_session_t*); /* End the decompressor */ -fd_status_t File_Decomp_PDF(fd_session_t*); +fd_status_t File_Decomp_End_PDF(fd_session_t*); #endif diff --git a/src/service_inspectors/http_inspect/http_cutter.cc b/src/service_inspectors/http_inspect/http_cutter.cc index 9db4f978d..5e913f30b 100644 --- a/src/service_inspectors/http_inspect/http_cutter.cc +++ b/src/service_inspectors/http_inspect/http_cutter.cc @@ -692,14 +692,14 @@ ScanResult HttpBodyH2Cutter::cut(const uint8_t* buffer, uint32_t length, HttpInfractions* infractions, HttpEventGen* events, uint32_t flow_target, bool stretch, bool h2_body_finished) { - //FIXIT-E detained inspection not yet supported for http2 + // FIXIT-E detained inspection not yet supported for HTTP/2 UNUSED(buffer); - // FIXIT-E stretch not yet supported for http2 message bodies + // FIXIT-E stretch not yet supported for HTTP/2 message bodies UNUSED(stretch); // If the headers included a content length header (expected length >= 0), check it against the - // actual message body length. Alert if it does not match at the end of the message body, or if + // actual message body length. Alert if it does not match at the end of the message body or if // it overflows during the body (alert once then stop computing). if (expected_body_length >= 0) { @@ -722,6 +722,7 @@ ScanResult HttpBodyH2Cutter::cut(const uint8_t* buffer, uint32_t length, total_octets_scanned += length; return SCAN_DISCARD_PIECE; } + if (!h2_body_finished) { if (octets_seen + length < flow_target)