From: Tom Peters (thopeter) Date: Mon, 4 Oct 2021 20:24:21 +0000 (+0000) Subject: Merge pull request #3087 in SNORT/snort3 from ~MDAGON/snort3:hardening to master X-Git-Tag: 3.1.14.0~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f5f634c9949382b85023dd080b1014aa088587ff;p=thirdparty%2Fsnort3.git Merge pull request #3087 in SNORT/snort3 from ~MDAGON/snort3:hardening to master Squashed commit of the following: commit 8dcfe0f20d08e185096f138a043ddf0b15b1468d Author: Maya Dagon Date: Fri Oct 1 15:09:58 2021 -0400 http2_inspect: compare scanned bytes to total received during reassemble --- diff --git a/src/service_inspectors/http2_inspect/http2_flow_data.h b/src/service_inspectors/http2_inspect/http2_flow_data.h index d17c6a9fb..7b0acb9f7 100644 --- a/src/service_inspectors/http2_inspect/http2_flow_data.h +++ b/src/service_inspectors/http2_inspect/http2_flow_data.h @@ -175,6 +175,7 @@ protected: // Scan signals to reassemble() bool payload_discard[2] = { false, false }; + unsigned bytes_scanned[2] = { 0, 0 }; // Used by scan, reassemble and eval to communicate uint8_t frame_type[2] = { Http2Enums::FT__NONE, Http2Enums::FT__NONE }; diff --git a/src/service_inspectors/http2_inspect/http2_stream_splitter.cc b/src/service_inspectors/http2_inspect/http2_stream_splitter.cc index 408735ad9..8847c6798 100644 --- a/src/service_inspectors/http2_inspect/http2_stream_splitter.cc +++ b/src/service_inspectors/http2_inspect/http2_stream_splitter.cc @@ -97,6 +97,9 @@ StreamSplitter::Status Http2StreamSplitter::scan(Packet* pkt, const uint8_t* dat const StreamSplitter::Status ret_val = implement_scan(session_data, data, length, flush_offset, source_id); + session_data->bytes_scanned[source_id] += (ret_val == StreamSplitter::FLUSH)? + *flush_offset : length; + if (ret_val == StreamSplitter::ABORT) session_data->abort_flow[source_id] = true; 
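Review bot: The new `bytes_scanned` member in http2_flow_data.h has no comment of its own and sits under "Scan signals to reassemble()", which does not say what is counted or when it is cleared. A line such as `// Bytes scan() has consumed for the PDU in progress; reassemble() compares this with total and clears it at the PDU tail` would record the contract the other hunks in this commit depend on. The counter is a plain `unsigned` that only grows in scan(), so the comment could also say what keeps it bounded.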
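Review bot: The accumulation added to scan() puts the FLUSH-versus-other choice in a ternary split across two lines with `)?` run together, which is easy to misread. Naming the value makes the intent explicit: `const auto consumed = (ret_val == StreamSplitter::FLUSH) ? *flush_offset : length;` followed by `session_data->bytes_scanned[source_id] += consumed;`. A short comment on why FLUSH counts only `*flush_offset` (presumably the bytes up to the flush point) would help the next reader. The statement also runs when ret_val is ABORT, which looks harmless because the flow is marked aborted straight after. The rest of scan() is outside the hunk, so it is worth confirming that no earlier return consumes bytes without reaching this line.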
@@ -161,7 +164,10 @@ const StreamBuffer Http2StreamSplitter::reassemble(Flow* flow, unsigned total, u if (session_data->payload_discard[source_id]) { if (flags & PKT_PDU_TAIL) + { session_data->payload_discard[source_id] = false; + session_data->bytes_scanned[source_id] = 0; + } #ifdef REG_TEST if (HttpTestManager::use_test_output(HttpTestManager::IN_HTTP2)) diff --git a/src/service_inspectors/http2_inspect/http2_stream_splitter_impl.cc b/src/service_inspectors/http2_inspect/http2_stream_splitter_impl.cc index 6175dab86..f420af5e8 100644 --- a/src/service_inspectors/http2_inspect/http2_stream_splitter_impl.cc +++ b/src/service_inspectors/http2_inspect/http2_stream_splitter_impl.cc @@ -386,7 +386,7 @@ const StreamBuffer Http2StreamSplitter::implement_reassemble(Http2FlowData* sess StreamBuffer frame_buf { nullptr, 0 }; - if ( total > MAX_OCTETS || offset+len > total) + if ( offset+len > total || total != session_data->bytes_scanned[source_id]) { assert(false); session_data->abort_flow[source_id] = true; @@ -532,6 +532,7 @@ const StreamBuffer Http2StreamSplitter::implement_reassemble(Http2FlowData* sess // but don't create pkt_data buffer frame_buf.data = (const uint8_t*)""; } + session_data->bytes_scanned[source_id] = 0; } return frame_buf;
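Review bot: The rewritten guard in implement_reassemble drops the `total > MAX_OCTETS` cap, so the upper bound on `total` now depends entirely on scan() having kept `bytes_scanned` within limits, and nothing in this commit bounds that counter. If code further down sizes or fills a buffer from `total` (the body continues outside the hunk), keeping the cap next to the new comparison costs nothing: `if (total > MAX_OCTETS || offset+len > total || total != session_data->bytes_scanned[source_id])`. The sum `offset+len` can also wrap if both are unsigned, which their declarations outside the hunk would confirm; `len > total || offset > total - len` expresses the same test without the addition. The failure branch starts with `assert(false)`, so in builds with assertions enabled a scan/reassemble mismatch stops the process before `abort_flow` is set, which is worth a comment stating that this is intended.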