HTTP: Reset reply_message for HTTP/0.9

OSS-Fuzz tickled an assert when sending an HTTP response before an HTTP/0.9
request. Avoid this by resetting reply_message upon seeing an HTTP/0.9 request.

PCAP was generated artificially: Server sending a reply providing a
Content-Length. Because HTTP/0.9 processing would remove the ContentLine
support analyzer, more data was delivered to the HTTP_Message than
expected, triggering an assert.

This is a follow-up for zeek/zeek#2851.
This commit is contained in:
Arne Welzel 2023-03-13 10:47:34 +01:00
parent c5a9eb920c
commit fbf9d53c44
5 changed files with 45 additions and 0 deletions

@ -987,6 +987,20 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
if ( request_method->ToStdString() != "GET" )
Weird("invalid_http_09_request_method", request_method->CheckString());
// If we already have a reply_message that means we saw
// an HTTP response before a request and interpreted
// it as HTTP/1.1 already. Reset the state here because
// we're removing the ContentLine support analyzer and
// any assumptions about expected delivery size state
// become invalid.
if ( reply_message )
{
Weird("http_09_reply_before_request");
reply_message->Done();
delete reply_message;
reply_message = nullptr;
}
reply_state = EXPECT_REPLY_HTTP09;
RemoveSupportAnalyzer(content_line_resp);
}
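Review bot: in the new `if ( reply_message )` block, `reply_message->Done()` followed by `delete reply_message` should mirror whatever cleanup the normal end-of-reply path performs on that object; if that path also resets other reply-side bookkeeping beyond the pointer itself, the same fields need clearing here, otherwise the HTTP/0.9 reply that follows inherits state from the discarded HTTP/1.x message. The comment above the block explains the ContentLine removal well, but the new `http_09_reply_before_request` weird should also be documented alongside the existing `invalid_http_09_request_method` so operators know it fires when a server answers before any request is seen (the fuzzed PCAP case from the commit message). A regression test using that PCAP is implied by the 45 added lines but is not visible in this hunk; please confirm it is included.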