From: Tom Peters (thopeter) Date: Mon, 2 Apr 2018 19:11:31 +0000 (-0400) Subject: Merge pull request #1172 in SNORT/snort3 from nhttp99 to master X-Git-Tag: 3.0.0-245~56 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fd416adbd4c3b2bd4929be8b47902468695e7d1e;p=thirdparty%2Fsnort3.git Merge pull request #1172 in SNORT/snort3 from nhttp99 to master Squashed commit of the following: commit c368a000d0bc4b4844c9b4716675d00dee49bd77 Author: Tom Peters Date: Fri Mar 30 15:12:07 2018 -0400 http_inspect: bugfix and new alert for gzip underrun --- diff --git a/src/service_inspectors/http_inspect/http_enum.h b/src/service_inspectors/http_inspect/http_enum.h index b21f4232e..e4622c2c6 100644 --- a/src/service_inspectors/http_inspect/http_enum.h +++ b/src/service_inspectors/http_inspect/http_enum.h @@ -345,6 +345,7 @@ enum EventSid EVENT_206_WITHOUT_RANGE, EVENT_VERSION_NOT_UPPERCASE, EVENT_BAD_HEADER_WHITESPACE, + EVENT_GZIP_EARLY_END, // 99 EVENT__MAX_VALUE }; diff --git a/src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc b/src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc index e5cbca2bc..30480a349 100644 --- a/src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc +++ b/src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc @@ -159,11 +159,11 @@ void HttpStreamSplitter::decompress_copy(uint8_t* buffer, uint32_t& offset, cons { // The zipped data stream ended but there is more input data *infractions += INF_GZIP_EARLY_END; - events->create_event(EVENT_GZIP_FAILURE); + events->create_event(EVENT_GZIP_EARLY_END); const uInt num_copy = (compress_stream->avail_in <= compress_stream->avail_out) ? compress_stream->avail_in : compress_stream->avail_out; - memcpy(buffer + offset, data, num_copy); + memcpy(buffer + offset, data + (length - compress_stream->avail_in), num_copy); offset += num_copy; } else 
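Review bot: The new source pointer in the memcpy, `data + (length - compress_stream->avail_in)`, stays in bounds only if `avail_in` was set from `length` for this call and can never exceed it; that setup is outside the hunk, so the assumption cannot be checked here. zlib advances `next_in` past the input it has consumed, so `memcpy(buffer + offset, compress_stream->next_in, num_copy);` should copy the same unconsumed tail without the arithmetic, or an `assert(compress_stream->avail_in <= length);` ahead of the copy would pin the invariant. A comment on the copy such as `// copy the unconsumed input that follows the end of the gzip stream, unmodified` would explain why undecompressed bytes land in the output buffer. Separately, switching this branch from EVENT_GZIP_FAILURE to EVENT_GZIP_EARLY_END means rule sets that enable only the older alert no longer fire on trailing non-gzip data, which deserves a line in the release notes. decompress_copy begins and ends outside the hunk.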
diff --git a/src/service_inspectors/http_inspect/http_tables.cc b/src/service_inspectors/http_inspect/http_tables.cc
index 71c3385eb..0273ffcac 100644
--- a/src/service_inspectors/http_inspect/http_tables.cc
+++ b/src/service_inspectors/http_inspect/http_tables.cc
@@ -381,6 +381,8 @@ const snort::RuleMap HttpModule::http_events[] =
 { EVENT_206_WITHOUT_RANGE, "206 response sent to a request without a Range header" },
 { EVENT_VERSION_NOT_UPPERCASE, "'HTTP' in version field not all upper case" },
 { EVENT_BAD_HEADER_WHITESPACE, "white space embedded in critical header value" },
+ { EVENT_GZIP_EARLY_END, "gzip compressed data followed by unexpected non-gzip "
+ "data" },
 { 0, nullptr }
 };