range: validity check when end is bigger than size

Ticket: 5132 Down the line, HttpRangeOpenFileAux assumes the range has a valid value when doing buflen = end - start + 1;
3 years ago · bfcd6cb46a
parent 14b21de306
commit bfcd6cb46a
2 changed files with 2 additions and 2 deletions
--- a/rust/src/http2/range.rs
+++ b/rust/src/http2/range.rs
@ -77,7 +77,7 @@ fn http2_parse_content_range<'a>(input: &'a [u8]) -> IResult<&'a [u8], HTTPConte

 pub fn http2_parse_check_content_range<'a>(input: &'a [u8]) -> IResult<&'a [u8], HTTPContentRange> {
    let (rem, v) = http2_parse_content_range(input)?;
-    if v.start > v.end {
+    if v.start > v.end || (v.end > 0 && v.size > 0 && v.end > v.size - 1) {
        return Err(Err::Error(make_error(rem, ErrorKind::Verify)));
    }
    return Ok((rem, v));
--- a/src/app-layer-htp-file.c
+++ b/src/app-layer-htp-file.c
@ -196,7 +196,7 @@ static int HTPParseAndCheckContentRange(
    } else if (range->end == range->size - 1 && range->start == 0) {
        SCLogDebug("range without all information");
        return -3;
-    } else if (range->start > range->end) {
+    } else if (range->start > range->end || range->end > range->size - 1) {
        AppLayerDecoderEventsSetEventRaw(&htud->tx_data.events, HTTP_DECODER_EVENT_RANGE_INVALID);
        s->events++;
        SCLogDebug("invalid range");