From bf64b52b95d5d95773508d252e97b12b326d5ebd Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Wed, 13 May 2026 21:20:54 +0200
Subject: [PATCH] http2: better compression against decompression bombs

Ticket: 8513

Suricata decides at 2 levels if a http2 flow is doing a compression bomb. There is a direct computation when one chunk of TCP data is being parsed. In this case, do not take the ratio into account, just use the size of the decompressed data, so that if we get a big chunk of TCP data like 1 MiB, and a not so high ratio of 200, we do not trigger the debug assertion in util-file.c about 64MiB

The other case stays unchanged : when accumulating over the lifetile of a flow with multiple txs, take into account the compression ratio, so that a flow of many txs, having a super high (brotli) compression ratio, ends up classified as a compression bomb. (For example, having 100 txs each turning a 100 byte input into a 700 KiB one)
---
 rust/src/http2/decompression.rs | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/rust/src/http2/decompression.rs b/rust/src/http2/decompression.rs
index dacc31b131..a7bebf7023 100644
--- a/rust/src/http2/decompression.rs
+++ b/rust/src/http2/decompression.rs
@@ -146,7 +146,6 @@ fn http2_decompress<'a>(
 let mut offset = 0;
 decoder.get_mut().set_position(0);
 output.resize(HTTP2_DECOMPRESSION_CHUNK_SIZE, 0);
- let max_len = DEFAULT_BOMB_RATIO * input.len() as u64;
 loop {
 match decoder.read(&mut output[offset..]) {
 Ok(0) => {
@@ -155,8 +154,7 @@ fn http2_decompress<'a>(
 Ok(n) => {
 offset += n;
 if offset == output.len() {
- if output.len() + HTTP2_DECOMPRESSION_CHUNK_SIZE > max_len as usize && output.len() > unsafe { HTTP2_COMPRESSION_BOMB_LIMIT as usize }
+ if output.len() > unsafe { HTTP2_COMPRESSION_BOMB_LIMIT as usize }
 {
 return Err(io::Error::new(
 io::ErrorKind::OutOfMemory,
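Review bot: With `max_len` removed, nothing in `http2_decompress` itself records why the per-chunk bomb decision became size-only, so the surviving condition in the second hunk, `if output.len() > unsafe { HTTP2_COMPRESSION_BOMB_LIMIT as usize }`, reads as an unrelated simplification while the rationale lives only in the commit message. I would add a comment directly above that condition, e.g. `// Per-chunk limit is absolute (no ratio): the compression ratio is only weighed when accumulating across the flow's txs, see ticket 8513.` Note also that the check only runs once `offset == output.len()`, i.e. when the buffer is full, so if the buffer is then grown by `HTTP2_DECOMPRESSION_CHUNK_SIZE` (that path is outside the hunk) the decompressed output can exceed the limit by up to one chunk before the error fires — worth confirming this still stays under the 64 MiB bound the message cites. `http2_decompress` begins and ends outside both hunks.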