fix handling of HTTP body length

The byte-range length of a partial-content response and the Content-Length
value should not be stored in the same variable. An attacker could override
a given Content-Length or Content-Range with a smaller value so that part
of the HTTP content evades analysis.
jbencteux 2018-04-13 14:23:14 +02:00 committed by Jon Siwek
parent 2a01c70837
commit c0cc4ef192
2 changed files with 23 additions and 1 deletions


@ -364,7 +364,19 @@ void HTTP_Entity::SubmitHeader(mime::MIME_Header* h)
{
int64_t n;
if ( atoi_n(vt.length, vt.data, 0, 10, n) )
{
content_length = n;
if ( is_partial_content && range_length != content_length )
{
// Possible evasion attempt.
http_message->Weird("HTTP_range_not_matching_len");
// Take the maximum of both lengths to avoid evasions.
if ( range_length > content_length )
content_length = range_length;
}
}
else
content_length = 0;
}
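Review bot: The mismatch handling added under `content_length = n;` is repeated line for line in the Content-Range branch (second hunk), but the two copies are guarded differently: this one keys on `is_partial_content`, the other on `content_length != 0`. Moving the `Weird("HTTP_range_not_matching_len")` call and the take-the-maximum step into one private helper called from both branches would keep the two paths from drifting apart. A short comment where `range_length` is declared, such as `// Length taken from Content-Range; only meaningful when is_partial_content is set`, would also document why it is kept apart from `content_length`. SubmitHeader's body starts and ends outside the hunk.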
@ -432,7 +444,16 @@ void HTTP_Entity::SubmitHeader(mime::MIME_Header* h)
is_partial_content = true;
offset = f;
content_length = len;
range_length = len;
if ( content_length != 0 && content_length != range_length )
{
// Possible evasion attempt.
http_message->Weird("HTTP_range_not_matching_len");
// Take the maximum of both lengths to avoid evasions.
if ( range_length > content_length )
content_length = range_length;
}
}
else
{
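Review bot: The guard `content_length != 0` uses zero as the marker for "Content-Length already seen", so an earlier `Content-Length: 0`, or an unparsable one (the first hunk's `else` branch also maps that to 0), followed by a Content-Range is not reported as `HTTP_range_not_matching_len`, while the same two headers in the opposite order are caught by the first hunk. The page has lost its +/- markers, so it is not certain whether `content_length = len;` is still on the new side: if it is, the comparison after `range_length = len;` can never be true, and if it is not, a zero `content_length` is left in place instead of being raised to the range length. Adding `else content_length = range_length;` after the mismatch block, or replacing the zero test with a dedicated seen-flag, would make the outcome independent of header order. SubmitHeader's body continues outside the hunk.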