http2: forbid data on stream 0

Ticket: 7658

Suricata does not cope well when we open a file for this tx and
do not close it, but still set the transaction state to completed.

RFC 9113 section 6.1 states:

If a DATA frame is received whose Stream Identifier field is 0x00,
the recipient MUST respond with a connection error (Section 5.4.1)
 of type PROTOCOL_ERROR.
pull/13573/head
Philippe Antoine 7 months ago committed by Victor Julien
parent 116d1763d9
commit 1d6d331752

@ -23,3 +23,4 @@ alert http2 any any -> any any (msg:"SURICATA HTTP2 user info in uri"; flow:esta
alert http2 any any -> any any (msg:"SURICATA HTTP2 reassembly limit reached"; flow:established; app-layer-event:http2.reassembly_limit_reached; classtype:protocol-command-decode; sid:2290015; rev:1;) alert http2 any any -> any any (msg:"SURICATA HTTP2 reassembly limit reached"; flow:established; app-layer-event:http2.reassembly_limit_reached; classtype:protocol-command-decode; sid:2290015; rev:1;)
alert http2 any any -> any any (msg:"SURICATA HTTP2 dns request too long"; flow:established,to_server; app-layer-event:http2.dns_request_too_long; classtype:protocol-command-decode; sid:2290016; rev:1;) alert http2 any any -> any any (msg:"SURICATA HTTP2 dns request too long"; flow:established,to_server; app-layer-event:http2.dns_request_too_long; classtype:protocol-command-decode; sid:2290016; rev:1;)
alert http2 any any -> any any (msg:"SURICATA HTTP2 dns response too long"; flow:established,to_client; app-layer-event:http2.dns_response_too_long; classtype:protocol-command-decode; sid:2290017; rev:1;) alert http2 any any -> any any (msg:"SURICATA HTTP2 dns response too long"; flow:established,to_client; app-layer-event:http2.dns_response_too_long; classtype:protocol-command-decode; sid:2290017; rev:1;)
alert http2 any any -> any any (msg:"SURICATA HTTP2 data on stream zero"; flow:established; app-layer-event:http2.data_stream_zero; classtype:protocol-command-decode; sid:2290018; rev:1;)

@ -528,6 +528,7 @@ pub enum HTTP2Event {
ReassemblyLimitReached, ReassemblyLimitReached,
DnsRequestTooLong, DnsRequestTooLong,
DnsResponseTooLong, DnsResponseTooLong,
DataStreamZero,
} }
pub struct HTTP2DynTable { pub struct HTTP2DynTable {
@ -1248,7 +1249,9 @@ impl HTTP2State {
data: txdata, data: txdata,
}); });
} }
if ftype == parser::HTTP2FrameType::Data as u8 { if ftype == parser::HTTP2FrameType::Data as u8 && sid == 0 {
tx.tx_data.set_event(HTTP2Event::DataStreamZero as u8);
} else if ftype == parser::HTTP2FrameType::Data as u8 && sid > 0 {
match unsafe { SURICATA_HTTP2_FILE_CONFIG } { match unsafe { SURICATA_HTTP2_FILE_CONFIG } {
Some(sfcm) => { Some(sfcm) => {
//borrow checker forbids to reuse directly tx //borrow checker forbids to reuse directly tx
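Review bot: In the new `else if ftype == parser::HTTP2FrameType::Data as u8 && sid > 0` branch, the `sid > 0` test repeats what the preceding `sid == 0` branch has already excluded (assuming `sid` is an unsigned stream id, which the hunk does not show), so the condition reads as if a third case existed. I would write it as `} else if ftype == parser::HTTP2FrameType::Data as u8 {` and put a comment on the first branch recording why the payload is skipped, e.g. `// RFC 9113 6.1: DATA on stream 0 is a connection error; raise the event and never open a file for this tx`. Without that comment a later refactor could merge the two branches again and bring back the unclosed-file state described in the commit message. The enclosing function in `impl HTTP2State` starts and ends outside the hunk, so whether the stream-0 tx is otherwise completed normally cannot be confirmed from here.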
