From: Tom Peters (thopeter)
Date: Mon, 19 Mar 2018 15:42:08 +0000 (-0400)
Subject: Merge pull request #1145 in SNORT/snort3 from nhttp97 to master
X-Git-Tag: 3.0.0-245~83
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=485fae9e477ec1d339c94da9eb67d8a68ef1d4b6;p=thirdparty%2Fsnort3.git

Merge pull request #1145 in SNORT/snort3 from nhttp97 to master

Squashed commit of the following:

commit 65e2d678acbf482c66abb5e869a40478c9696c33
Author: Tom Peters
Date: Mon Mar 12 17:32:30 2018 -0400

http_inspect: handling of run-to-connection-close bodies beyond depth
---
diff --git a/doc/ftp.txt b/doc/ftp.txt
index 7b6390266..618966c6a 100644
--- a/doc/ftp.txt
+++ b/doc/ftp.txt
@@ -131,8 +131,7 @@ While not part of an established standard, certain FTP servers accept
 MDTM commands that set the modification time on a file. The most common among servers that do, accept a format using YYYYMMDDHHmmss[.uuu]. Some others accept a format using YYYYMMDDHHmmss[+|-]TZ format. The example
-above is for the first case (time format as specified in
-https://tools.ietf.org/html/draft-ietf-ftpext-mlst-16)
+above is for the first case.
 To check validity for a server that uses the TZ format, use the following:
diff --git a/src/service_inspectors/http_inspect/http_cutter.cc b/src/service_inspectors/http_inspect/http_cutter.cc
index 85c49eddf..78a31a5ba 100644
--- a/src/service_inspectors/http_inspect/http_cutter.cc
+++ b/src/service_inspectors/http_inspect/http_cutter.cc
@@ -288,14 +288,18 @@ ScanResult HttpBodyClCutter::cut(const uint8_t*, uint32_t length, HttpInfraction
     }
 }
 
-ScanResult HttpBodyOldCutter::cut(const uint8_t*, uint32_t, HttpInfractions*, HttpEventGen*,
+ScanResult HttpBodyOldCutter::cut(const uint8_t*, uint32_t length, HttpInfractions*, HttpEventGen*,
     uint32_t flow_target, uint32_t)
 {
     if (flow_target == 0)
     {
-        // With other types of body we could skip to the next message now. But this body will run
-        // to connection close so we just stop.
-        return SCAN_END;
+        // FIXIT-P Need StreamSplitter::END
+        // With other types of body we would skip to the trailers and/or next message now. But this
+        // will run to connection close so we should just stop processing this flow. But there is
+        // no way to ask stream to do that so we must skip through the rest of the message
+        // ourselves.
+        num_flush = length;
+        return SCAN_DISCARD_PIECE;
     }
 
     num_flush = flow_target;
diff --git a/src/service_inspectors/http_inspect/http_enum.h b/src/service_inspectors/http_inspect/http_enum.h
index 0bd4c98ae..01afd9f78 100644
--- a/src/service_inspectors/http_inspect/http_enum.h
+++ b/src/service_inspectors/http_inspect/http_enum.h
@@ -68,7 +68,7 @@ enum PEG_COUNT { PEG_FLOW = 0, PEG_SCAN, PEG_REASSEMBLE, PEG_INSPECT, PEG_REQUES
 
 // Result of scanning by splitter
 enum ScanResult { SCAN_NOTFOUND, SCAN_FOUND, SCAN_FOUND_PIECE, SCAN_DISCARD, SCAN_DISCARD_PIECE,
-    SCAN_ABORT, SCAN_END };
+    SCAN_ABORT };
 
 // State machine for chunk parsing
 enum ChunkState { CHUNK_NEWLINES, CHUNK_ZEROS, CHUNK_LEADING_WS, CHUNK_NUMBER, CHUNK_TRAILING_WS,
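Review bot: With flow_target == 0 the new branch sets `num_flush = length` and returns SCAN_DISCARD_PIECE, so every later scan() call for this direction discards its entire buffer uninspected until the connection closes; the commit message frames this as the beyond-depth case, but the code itself never states that the flow_target == 0 contract means "nothing more of this body is inspected", and if scan() can ever arrive here with length == 0 the result is a zero-byte discard whose handling in the splitter I cannot confirm from this hunk. The tracked gap also changes priority silently: the removed `case SCAN_END: // FIXIT-H need StreamSplitter::END` in http_stream_splitter_scan.cc reappears here as `// FIXIT-P Need StreamSplitter::END`, with no reason given for dropping from H to P. I would open the comment with `// flow_target == 0: nothing more of this run-to-close body will be inspected; discard every buffer until close` and keep the original FIXIT priority unless the downgrade is deliberate. HttpBodyOldCutter::cut continues past the end of the hunk.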
@@ -122,7 +122,7 @@ enum HeaderId { HEAD__NOT_COMPUTE=-14, HEAD__PROBLEMATIC=-12, HEAD__NOT_PRESENT=
     HEAD_WWW_AUTHENTICATE, HEAD_ALLOW, HEAD_CONTENT_ENCODING, HEAD_CONTENT_LANGUAGE, HEAD_CONTENT_LENGTH, HEAD_CONTENT_LOCATION, HEAD_CONTENT_MD5, HEAD_CONTENT_RANGE, HEAD_CONTENT_TYPE, HEAD_EXPIRES, HEAD_LAST_MODIFIED, HEAD_X_FORWARDED_FOR, HEAD_TRUE_CLIENT_IP,
-    HEAD_X_WORKING_WITH, HEAD_CONTENT_TRANSFER_ENCODING, HEAD_MIME_VERSION,
+    HEAD_X_WORKING_WITH, HEAD_CONTENT_TRANSFER_ENCODING, HEAD_MIME_VERSION, HEAD_PROXY_AGENT,
     HEAD__MAX_VALUE };
 
 // All the infractions we might find while parsing and analyzing a message
diff --git a/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc b/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc
index e20a6faac..9959593c9 100644
--- a/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc
+++ b/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc
@@ -188,7 +188,6 @@ StreamSplitter::Status HttpStreamSplitter::scan(Flow* flow, const uint8_t* data,
 #endif
         return StreamSplitter::SEARCH;
     case SCAN_ABORT:
-    case SCAN_END: // FIXIT-H need StreamSplitter::END
         session_data->type_expected[source_id] = SEC_ABORT;
         delete cutter;
         cutter = nullptr;
diff --git a/src/service_inspectors/http_inspect/http_tables.cc b/src/service_inspectors/http_inspect/http_tables.cc
index abb1d6447..34ad981fc 100644
--- a/src/service_inspectors/http_inspect/http_tables.cc
+++ b/src/service_inspectors/http_inspect/http_tables.cc
@@ -135,6 +135,7 @@ const StrCode HttpMsgHeadShared::header_list[] =
     { HEAD_X_WORKING_WITH, "x-working-with" },
     { HEAD_CONTENT_TRANSFER_ENCODING, "content-transfer-encoding" },
     { HEAD_MIME_VERSION, "mime-version" },
+    { HEAD_PROXY_AGENT, "proxy-agent" },
     { 0, nullptr }
 };
 
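Review bot: The new HEAD_PROXY_AGENT id in this hunk, together with its `{ HEAD_PROXY_AGENT, "proxy-agent" }` and `[HEAD_PROXY_AGENT] = &NORMALIZER_BASIC` entries in the two http_tables.cc hunks, is unrelated to the commit's stated subject and is mentioned nowhere in the message, so history gives no hint of why this header is now recognized. The three tables do stay consistent because the id is inserted ahead of HEAD__MAX_VALUE, which sizes header_norms, and header_list keeps its `{ 0, nullptr }` terminator. A sentence in the commit message, or a trailing comment on the enum entry such as `// Proxy-Agent: recognized and normalized as a basic header`, would record the intent.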
@@ -270,6 +271,7 @@ const HeaderNormalizer* const HttpMsgHeadShared::header_norms[HEAD__MAX_VALUE] =
     [HEAD_X_WORKING_WITH] = &NORMALIZER_BASIC,
     [HEAD_CONTENT_TRANSFER_ENCODING] = &NORMALIZER_TOKEN_LIST,
     [HEAD_MIME_VERSION] = &NORMALIZER_BASIC,
+    [HEAD_PROXY_AGENT] = &NORMALIZER_BASIC,
 };
 /* *INDENT-ON* */