Merge remote-tracking branch 'origin/topic/awelzel/http-content-range-parsing-robustness'

* origin/topic/awelzel/http-content-range-parsing-robustness:
  HTTP: Make Content-Range parsing more robust

CHANGES

@@ -1,3 +1,17 @@
+6.0.0-dev.199 | 2023-03-13 18:40:15 +0100
+
+  * GH-2851: HTTP: Make Content-Range parsing more robust (Arne Welzel, Corelight)
+
+    This was exposed by OSS-Fuzz after the HTTP/0.9 changes in zeek/zeek#2851:
+    We do not check the result of parsing the from and last bytes of a
+    Content-Range header and would reference uninitialized values on the stack
+    if these were not valid.
+
+    This doesn't seem as bad as it sounds outside of yielding non-sensible values:
+    If the result was negative, we weird/bailed. If the result was positive, we
+    already had to treat it with suspicion anyway and the SetPlainDelivery()
+    logic accounts for that.
+
 6.0.0-dev.197 | 2023-03-13 17:54:02 +0100
 
   * GH-2851: HTTP: Reset reply_message for HTTP/0.9 (Arne Welzel, Corelight)

VERSION

@@ -1 +1 @@
-6.0.0-dev.197
+6.0.0-dev.199

src/analyzer/protocol/http/HTTP.cc

@@ -425,8 +425,14 @@ void HTTP_Entity::SubmitHeader(analyzer::mime::MIME_Header* h)
 			          first_byte_pos.c_str(), last_byte_pos.c_str(), instance_length_str.c_str());
 
 		int64_t f, l;
-		util::atoi_n(first_byte_pos.size(), first_byte_pos.c_str(), nullptr, 10, f);
-		util::atoi_n(last_byte_pos.size(), last_byte_pos.c_str(), nullptr, 10, l);
+		int fr = util::atoi_n(first_byte_pos.size(), first_byte_pos.c_str(), nullptr, 10, f);
+		int lr = util::atoi_n(last_byte_pos.size(), last_byte_pos.c_str(), nullptr, 10, l);
+		if ( fr != 1 || lr != 1 )
+			{
+			http_message->Weird("HTTP_content_range_cannot_parse");
+			return;
+			}
+
 		int64_t len = l - f + 1;
 
 		if ( DEBUG_http )

testing/btest/Baseline/scripts.base.protocols.http.bad-content-range/http.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	origin	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	42226	127.0.0.1	8080	1	GET	localhost:8080	/	-	1.1	curl/7.74.0	-	0	16	206	Partial Content	-	-	(empty)	-	-	-	-	-	-	FMJdmJBUqlAAHLXAd	-	-
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.http.bad-content-range/weird.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	42226	127.0.0.1	8080	HTTP_content_range_cannot_parse	-	F	zeek	HTTP
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/scripts/base/protocols/http/bad-content-range.zeek

@@ -0,0 +1,3 @@
+# @TEST-EXEC: zeek -b base/protocols/http -r $TRACES/http/http-bad-content-range-01.pcap
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff weird.log