aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

lua: fix null dereference in tx HTTP accessor functions

Browse Source 
Fix crashes in Lua when calling tx:response_line(), tx:request_line(),
tx:request_uri_raw(), or tx:request_host() on incomplete or malformed
HTTP transactions.

These functions return bstr pointers which may be NULL. Add NULL
checks before calling bstr_ptr() and bstr_len() to avoid segfaults.

Ticket: #7829
pull/13894/head
Cheng Longfei 4 months ago committed by Victor Julien
parent 48972d544c
commit 9fb33bbaf6
1 changed files with 26 additions and 9 deletions
Show Stats Download Patch File Download Diff File

35
src/util-lua-http.c
Unescape Escape View File

@ -23,7 +23,6 @@
*/ */
#include "suricata-common.h" #include "suricata-common.h"
#include "app-layer-htp.h" #include "app-layer-htp.h"
#include "util-lua.h" #include "util-lua.h"
#include "util-lua-common.h" #include "util-lua-common.h"
@ -65,9 +64,13 @@ static int LuaHttpGetRequestHost(lua_State *luastate)
lua_pushnil(luastate); lua_pushnil(luastate);
return 1; return 1;
} }
const struct bstr *host = htp_tx_request_hostname(tx->tx);
if (host == NULL) {
lua_pushnil(luastate);
return 1;
}
return LuaPushStringBuffer(luastate, bstr_ptr(htp_tx_request_hostname(tx->tx)), return LuaPushStringBuffer(luastate, bstr_ptr(host), bstr_len(host));
bstr_len(htp_tx_request_hostname(tx->tx)));
} }
static int LuaHttpGetRequestUriRaw(lua_State *luastate) static int LuaHttpGetRequestUriRaw(lua_State *luastate)
@ -77,9 +80,13 @@ static int LuaHttpGetRequestUriRaw(lua_State *luastate)
lua_pushnil(luastate); lua_pushnil(luastate);
return 1; return 1;
} }
const struct bstr *uri = htp_tx_request_uri(tx->tx);
if (uri == NULL) {
lua_pushnil(luastate);
return 1;
}
return LuaPushStringBuffer( return LuaPushStringBuffer(luastate, bstr_ptr(uri), bstr_len(uri));
luastate, bstr_ptr(htp_tx_request_uri(tx->tx)), bstr_len(htp_tx_request_uri(tx->tx)));
} }
static int LuaHttpGetRequestUriNormalized(lua_State *luastate) static int LuaHttpGetRequestUriNormalized(lua_State *luastate)
@ -107,8 +114,13 @@ static int LuaHttpGetRequestLine(lua_State *luastate)
return 1; return 1;
} }
return LuaPushStringBuffer( const struct bstr *line = htp_tx_request_line(tx->tx);
luastate, bstr_ptr(htp_tx_request_line(tx->tx)), bstr_len(htp_tx_request_line(tx->tx))); if (line == NULL) {
lua_pushnil(luastate);
return 1;
}
return LuaPushStringBuffer(luastate, bstr_ptr(line), bstr_len(line));
} }
static int LuaHttpGetResponseLine(lua_State *luastate) static int LuaHttpGetResponseLine(lua_State *luastate)
@ -119,8 +131,13 @@ static int LuaHttpGetResponseLine(lua_State *luastate)
return 1; return 1;
} }
return LuaPushStringBuffer(luastate, bstr_ptr(htp_tx_response_line(tx->tx)), const struct bstr *line = htp_tx_response_line(tx->tx);
bstr_len(htp_tx_response_line(tx->tx))); if (line == NULL) {
lua_pushnil(luastate);
return 1;
}
return LuaPushStringBuffer(luastate, bstr_ptr(line), bstr_len(line));
} }
static int LuaHttpGetHeader(lua_State *luastate, int dir) static int LuaHttpGetHeader(lua_State *luastate, int dir)

Write Preview
Loading…
Cancel
Save