fix handling of HTTP body length

Partial content bytes range length value and content length value
should not be stored in the same variable. An attacker could override
a given Content-Length or Content-Range with a smaller value to
evade HTTP content.

src/analyzer/protocol/http/HTTP.cc

@@ -364,7 +364,19 @@ void HTTP_Entity::SubmitHeader(mime::MIME_Header* h)
 			{
 			int64_t n;
 			if ( atoi_n(vt.length, vt.data, 0, 10, n) )
+				{
 				content_length = n;
+
+				if ( is_partial_content && range_length != content_length )
+					{
+					// Possible evasion attempt.
+					http_message->Weird("HTTP_range_not_matching_len");
+
+					// Take the maximum of both lengths to avoid evasions.
+					if ( range_length > content_length )
+						content_length = range_length;
+					}
+				}
 			else
 				content_length = 0;
 			}
@@ -432,7 +444,16 @@ void HTTP_Entity::SubmitHeader(mime::MIME_Header* h)
 
 			is_partial_content = true;
 			offset = f;
-			content_length = len;
+			range_length = len;
+			if ( content_length != 0 && content_length != range_length )
+				{
+				// Possible evasion attempt.
+				http_message->Weird("HTTP_range_not_matching_len");
+
+				// Take the maximum of both lengths to avoid evasions.
+				if ( range_length > content_length )
+					content_length = range_length;
+				}
 			}
 		else
 			{

src/analyzer/protocol/http/HTTP.h

@@ -55,6 +55,7 @@ protected:
 	HTTP_Message* http_message;
 	int chunked_transfer_state;
 	int64_t content_length;
+	int64_t range_length;
 	int64_t expect_data_length;
 	int expect_body;
 	int64_t body_length;