From: Philippe Antoine
Date: Tue, 15 Apr 2025 10:34:37 +0000 (+0200)
Subject: http2: forbid data on stream 0
X-Git-Tag: suricata-7.0.11~3
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=97eee2cadacf3423a1ebcdd1943a7a7917f5cc56;p=thirdparty%2Fsuricata.git

http2: forbid data on stream 0

Ticket: 7658

Suricata will not handle well if we open a file for this tx, do not close it, but set the transaction state to completed.

RFC 9113 section 6.1 states:
If a DATA frame is received whose Stream Identifier field is 0x00, the recipient MUST respond with a connection error (Section 5.4.1) of type PROTOCOL_ERROR.

(cherry picked from commit 1d6d331752e933c46aca0ae7a9679b27462246e3)
---

diff --git a/rules/http2-events.rules b/rules/http2-events.rules
index 413fdd652c..8242e2f79e 100644
--- a/rules/http2-events.rules
+++ b/rules/http2-events.rules
@@ -21,3 +21,4 @@ alert http2 any any -> any any (msg:"SURICATA HTTP2 too many streams"; flow:esta
 alert http2 any any -> any any (msg:"SURICATA HTTP2 authority host mismatch"; flow:established,to_server; app-layer-event:http2.authority_host_mismatch; classtype:protocol-command-decode; sid:2290013; rev:1;)
 alert http2 any any -> any any (msg:"SURICATA HTTP2 user info in uri"; flow:established,to_server; app-layer-event:http2.userinfo_in_uri; classtype:protocol-command-decode; sid:2290014; rev:1;)
 alert http2 any any -> any any (msg:"SURICATA HTTP2 reassembly limit reached"; flow:established; app-layer-event:http2.reassembly_limit_reached; classtype:protocol-command-decode; sid:2290015; rev:1;)
+alert http2 any any -> any any (msg:"SURICATA HTTP2 data on stream zero"; flow:established; app-layer-event:http2.data_stream_zero; classtype:protocol-command-decode; sid:2290018; rev:1;)
diff --git a/rust/src/http2/http2.rs b/rust/src/http2/http2.rs
index 20b7cd9474..a79a33c8ed 100644
--- a/rust/src/http2/http2.rs
+++ b/rust/src/http2/http2.rs
@@ -409,6 +409,7 @@ pub enum HTTP2Event {
 AuthorityHostMismatch,
 UserinfoInUri,
 ReassemblyLimitReached,
+ DataStreamZero,
 }
 
 pub struct HTTP2DynTable {
@@ -1078,7 +1079,9 @@ impl HTTP2State {
 data: txdata,
 });
 }
- if ftype == parser::HTTP2FrameType::Data as u8 {
+ if ftype == parser::HTTP2FrameType::Data as u8 && sid == 0 {
+ tx.tx_data.set_event(HTTP2Event::DataStreamZero as u8);
+ } else if ftype == parser::HTTP2FrameType::Data as u8 && sid > 0 {
 match unsafe { SURICATA_HTTP2_FILE_CONFIG } {
 Some(sfcm) => {
 //borrow checker forbids to reuse directly tx
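Review bot: The new `DataStreamZero` variant carries no doc comment, although the commit message already holds exactly the rationale a reader of this enum will look for; add `/// DATA frame received on stream identifier 0 (RFC 9113 section 6.1: PROTOCOL_ERROR).` above the variant. The rule file keys the event as `http2.data_stream_zero`, so if the event-name mapping in this file is maintained by hand rather than derived from the enum, it needs a matching entry that this diff does not show. The enclosing enum starts before the hunk.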
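Review bot: In the second hunk the `Data` frame-type comparison is now evaluated twice, and the `sid > 0` arm merely restates "not zero" (assuming `sid` is unsigned, which the hunk does not show); nesting the stream-id test inside a single `if ftype == parser::HTTP2FrameType::Data as u8` reads more clearly and leaves the file-handling path as the plain `else`. The new branch also lacks a why-comment, since `set_event` alone does not explain why the file path is skipped; the restructured form below carries one. Note that the file-handling arm closes outside the hunk, so the nested form needs one extra closing brace there. Setting the event does not by itself stop the rest of the frame from being handled, and the enclosing method continues beyond the hunk, so it is worth confirming that a stream-0 DATA frame is not still used to advance transaction state.
```rust
            if ftype == parser::HTTP2FrameType::Data as u8 {
                if sid == 0 {
                    // RFC 9113 section 6.1: DATA on stream 0 is a PROTOCOL_ERROR;
                    // flag it and never open a file for this tx.
                    tx.tx_data.set_event(HTTP2Event::DataStreamZero as u8);
                } else {
                    // … unchanged: SURICATA_HTTP2_FILE_CONFIG match and file handling …
```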