mirror of
https://github.com/OISF/suricata.git
synced 2026-05-28 04:32:12 -04:00
http2: better compression against decompression bombs
Some checks failed
builds / Prepare dependencies (push) Waiting to run
builds / Prepare cbindgen (push) Waiting to run
builds / AlmaLinux 10 (schema, plugins) (push) Blocked by required conditions
builds / AlmaLinux 9 (schema, rust-checks) (push) Blocked by required conditions
builds / AlmaLinux 9 Test Templates (push) Blocked by required conditions
builds / Build RPMs (push) Blocked by required conditions
builds / AlmaLinux 8 (push) Blocked by required conditions
builds / CentOS Stream 9 (push) Blocked by required conditions
builds / Fedora 43 (Suricata Verify codecov) (push) Blocked by required conditions
builds / Fedora 43 (clang, debug, asan, wshadow, rust-strict, systemd) (push) Blocked by required conditions
builds / Fedora 43 (gcc, debug, flto, asan, wshadow, rust-strict) (push) Blocked by required conditions
builds / Fedora (non-root, debug, clang, asan, wshadow, rust-strict, no-ja) (push) Blocked by required conditions
builds / AlmaLinux 9 (no jansson) (push) Blocked by required conditions
builds / AlmaLinux 9 (Minimal/Recommended Build) (push) Blocked by required conditions
builds / Ubuntu 24.04 (cocci) (push) Blocked by required conditions
builds / Ubuntu 24.04 (RUSTC+CARGO vars) (push) Blocked by required conditions
builds / Ubuntu 24.04 (unittests coverage) (push) Blocked by required conditions
builds / Ubuntu 24.04 (unix socket mode coverage) (push) Blocked by required conditions
builds / Ubuntu 24.04 (afpacket and dpdk coverage) (push) Blocked by required conditions
builds / Ubuntu 24.04 (pcap unix socket ASAN) (push) Blocked by required conditions
builds / Ubuntu 24.04 (afpacket IPS tests in namespaces) (push) Blocked by required conditions
builds / Ubuntu 24.04 (afpacket and dpdk live tests with ASAN) (push) Blocked by required conditions
builds / Ubuntu 24.04 (fuzz corpus coverage) (push) Blocked by required conditions
builds / Ubuntu 20.04 (-DNDEBUG) (push) Blocked by required conditions
builds / Ubuntu 20.04 (unsupported rust) (push) Blocked by required conditions
builds / Ubuntu 22.04 (Debug Validation) (push) Blocked by required conditions
builds / Ubuntu 22.04 (Fuzz) (push) Blocked by required conditions
builds / Ubuntu 22.04 (Netmap build) (push) Blocked by required conditions
builds / Ubuntu 22.04 (Minimal/Recommended Build) (push) Blocked by required conditions
builds / Ubuntu 22.04 (DPDK Build) (push) Blocked by required conditions
builds / Debian 12 (xdp) (push) Blocked by required conditions
builds / Debian 13 (xdp) (push) Blocked by required conditions
builds / Ubuntu 22.04 Dist Builder (push) Blocked by required conditions
builds / Debian 12 MSRV (push) Blocked by required conditions
builds / Debian 11 (push) Blocked by required conditions
builds / MacOS Latest (push) Blocked by required conditions
builds / FreeBSD 15.0 (push) Blocked by required conditions
builds / Windows MSYS2 MINGW64 (NPcap) (push) Blocked by required conditions
builds / Windows MSYS2 MINGW64 (libpcap) (push) Blocked by required conditions
builds / Windows MSYS2 UCRT64 (libpcap) (push) Blocked by required conditions
builds / Windows MSYS2 MINGW64 (WinDivert) (push) Blocked by required conditions
builds / PF_RING (push) Blocked by required conditions
CodeQL (Rust/C) / Analyze (push) Waiting to run
docs / Prepare dependencies (push) Waiting to run
docs / Prepare cbindgen (push) Waiting to run
docs / Ubuntu 22.04 Dist Builder (push) Blocked by required conditions
Nix Env Build / tests (push) Waiting to run
Scan-build / Scan-build (push) Waiting to run
Scorecards supply-chain security / Scorecards analysis (push) Waiting to run
CodeQL (Python) / Analyze (push) Has been cancelled
Some checks failed
builds / Prepare dependencies (push) Waiting to run
builds / Prepare cbindgen (push) Waiting to run
builds / AlmaLinux 10 (schema, plugins) (push) Blocked by required conditions
builds / AlmaLinux 9 (schema, rust-checks) (push) Blocked by required conditions
builds / AlmaLinux 9 Test Templates (push) Blocked by required conditions
builds / Build RPMs (push) Blocked by required conditions
builds / AlmaLinux 8 (push) Blocked by required conditions
builds / CentOS Stream 9 (push) Blocked by required conditions
builds / Fedora 43 (Suricata Verify codecov) (push) Blocked by required conditions
builds / Fedora 43 (clang, debug, asan, wshadow, rust-strict, systemd) (push) Blocked by required conditions
builds / Fedora 43 (gcc, debug, flto, asan, wshadow, rust-strict) (push) Blocked by required conditions
builds / Fedora (non-root, debug, clang, asan, wshadow, rust-strict, no-ja) (push) Blocked by required conditions
builds / AlmaLinux 9 (no jansson) (push) Blocked by required conditions
builds / AlmaLinux 9 (Minimal/Recommended Build) (push) Blocked by required conditions
builds / Ubuntu 24.04 (cocci) (push) Blocked by required conditions
builds / Ubuntu 24.04 (RUSTC+CARGO vars) (push) Blocked by required conditions
builds / Ubuntu 24.04 (unittests coverage) (push) Blocked by required conditions
builds / Ubuntu 24.04 (unix socket mode coverage) (push) Blocked by required conditions
builds / Ubuntu 24.04 (afpacket and dpdk coverage) (push) Blocked by required conditions
builds / Ubuntu 24.04 (pcap unix socket ASAN) (push) Blocked by required conditions
builds / Ubuntu 24.04 (afpacket IPS tests in namespaces) (push) Blocked by required conditions
builds / Ubuntu 24.04 (afpacket and dpdk live tests with ASAN) (push) Blocked by required conditions
builds / Ubuntu 24.04 (fuzz corpus coverage) (push) Blocked by required conditions
builds / Ubuntu 20.04 (-DNDEBUG) (push) Blocked by required conditions
builds / Ubuntu 20.04 (unsupported rust) (push) Blocked by required conditions
builds / Ubuntu 22.04 (Debug Validation) (push) Blocked by required conditions
builds / Ubuntu 22.04 (Fuzz) (push) Blocked by required conditions
builds / Ubuntu 22.04 (Netmap build) (push) Blocked by required conditions
builds / Ubuntu 22.04 (Minimal/Recommended Build) (push) Blocked by required conditions
builds / Ubuntu 22.04 (DPDK Build) (push) Blocked by required conditions
builds / Debian 12 (xdp) (push) Blocked by required conditions
builds / Debian 13 (xdp) (push) Blocked by required conditions
builds / Ubuntu 22.04 Dist Builder (push) Blocked by required conditions
builds / Debian 12 MSRV (push) Blocked by required conditions
builds / Debian 11 (push) Blocked by required conditions
builds / MacOS Latest (push) Blocked by required conditions
builds / FreeBSD 15.0 (push) Blocked by required conditions
builds / Windows MSYS2 MINGW64 (NPcap) (push) Blocked by required conditions
builds / Windows MSYS2 MINGW64 (libpcap) (push) Blocked by required conditions
builds / Windows MSYS2 UCRT64 (libpcap) (push) Blocked by required conditions
builds / Windows MSYS2 MINGW64 (WinDivert) (push) Blocked by required conditions
builds / PF_RING (push) Blocked by required conditions
CodeQL (Rust/C) / Analyze (push) Waiting to run
docs / Prepare dependencies (push) Waiting to run
docs / Prepare cbindgen (push) Waiting to run
docs / Ubuntu 22.04 Dist Builder (push) Blocked by required conditions
Nix Env Build / tests (push) Waiting to run
Scan-build / Scan-build (push) Waiting to run
Scorecards supply-chain security / Scorecards analysis (push) Waiting to run
CodeQL (Python) / Analyze (push) Has been cancelled
Ticket: 8513 Suricata decides at 2 levels if a http2 flow is doing a compression bomb. There is a direct computation when one chunk of TCP data is being parsed. In this case, do not take the ratio into account, just use the size of the decompressed data, so that if we get a big chunk of TCP data like 1 MiB, and a not so high ratio of 200, we do not trigger the debug assertion in util-file.c about 64MiB The other case stays unchanged : when accumulating over the lifetile of a flow with multiple txs, take into account the compression ratio, so that a flow of many txs, having a super high (brotli) compression ratio, ends up classified as a compression bomb. (For example, having 100 txs each turning a 100 byte input into a 700 KiB one)
This commit is contained in:
Philippe Antoine
Victor Julien
parent
9aaa6f7854
commit
bf64b52b95
1 changed files with 1 additions and 3 deletions
|
|
@ -146,7 +146,6 @@ fn http2_decompress<'a>(
|
|||
let mut offset = 0;
|
||||
decoder.get_mut().set_position(0);
|
||||
output.resize(HTTP2_DECOMPRESSION_CHUNK_SIZE, 0);
|
||||
let max_len = DEFAULT_BOMB_RATIO * input.len() as u64;
|
||||
loop {
|
||||
match decoder.read(&mut output[offset..]) {
|
||||
Ok(0) => {
|
||||
|
|
@ -155,8 +154,7 @@ fn http2_decompress<'a>(
|
|||
Ok(n) => {
|
||||
offset += n;
|
||||
if offset == output.len() {
|
||||
if output.len() + HTTP2_DECOMPRESSION_CHUNK_SIZE > max_len as usize
|
||||
&& output.len() > unsafe { HTTP2_COMPRESSION_BOMB_LIMIT as usize }
|
||||
if output.len() > unsafe { HTTP2_COMPRESSION_BOMB_LIMIT as usize }
|
||||
{
|
||||
return Err(io::Error::new(
|
||||
io::ErrorKind::OutOfMemory,
|
||||
|
|
|
|||
Loading…
Reference in a new issue