Files
Siddharth Doshi f0deac3787 Suricata: Security Fix for CVE-2024-37151, CVE-2024-38534, CVE-2024-38535, CVE-2024-38536
Upstream-Status: Backport from [https://github.com/OISF/suricata/commit/aab7f35c76721df19403a7c0c0025feae12f3b6b, https://github.com/OISF/suricata/commit/a753cdbe84caee3b66d0bf49b2712d29a50d67ae, https://github.com/OISF/suricata/commit/c82fa5ca0d1ce0bd8f936e0b860707a6571373b2, https://github.com/OISF/suricata/commit/2bd3bd0e318f19008e9fe068ab17277c530ffb92]

CVE's Fixed:
CVE-2024-37151 suricata: suricata: packet reassembly failure, which can lead to policy bypass
CVE-2024-38534 suricata: suricata: Crafted modbus traffic can lead to unlimited resource accumulation within a flow
CVE-2024-38535 suricata: Suricata: can run out of memory when parsing crafted HTTP/2 traffic
CVE-2024-38536 suricata: NULL pointer dereference when http.memcap is reached

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-07-29 20:07:01 -04:00

58 lines
2.4 KiB
Diff

From 6b00dc36d7527f051c2346f03d20f8d9e5a60138 Mon Sep 17 00:00:00 2001
From: Philippe Antoine <pantoine@oisf.net>
Date: Mon, 17 Jun 2024 16:30:49 +0200
Subject: [PATCH 3/4] http2: do not expand duplicate headers
Ticket: 7104
As this can cause a big mamory allocation due to the quadratic
nature of the HPACK compression.
(cherry picked from commit 5bd17934df321b88f502d48afdd6cc8bad4787a7)
Upstream-Status: Backport from [https://github.com/OISF/suricata/commit/c82fa5ca0d1ce0bd8f936e0b860707a6571373b2]
CVE: CVE-2024-38535
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
rust/src/http2/detect.rs | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rust/src/http2/detect.rs b/rust/src/http2/detect.rs
index 99261ad..9c2f8ab 100644
--- a/rust/src/http2/detect.rs
+++ b/rust/src/http2/detect.rs
@@ -432,11 +432,11 @@ pub fn http2_frames_get_header_value_vec(
if found == 0 {
vec.extend_from_slice(&block.value);
found = 1;
- } else if found == 1 {
+ } else if found == 1 && Rc::strong_count(&block.name) <= 2 {
vec.extend_from_slice(&[b',', b' ']);
vec.extend_from_slice(&block.value);
found = 2;
- } else {
+ } else if Rc::strong_count(&block.name) <= 2 {
vec.extend_from_slice(&[b',', b' ']);
vec.extend_from_slice(&block.value);
}
@@ -469,14 +469,14 @@ fn http2_frames_get_header_value<'a>(
if found == 0 {
single = Ok(&block.value);
found = 1;
- } else if found == 1 {
+ } else if found == 1 && Rc::strong_count(&block.name) <= 2 {
if let Ok(s) = single {
vec.extend_from_slice(s);
}
vec.extend_from_slice(&[b',', b' ']);
vec.extend_from_slice(&block.value);
found = 2;
- } else {
+ } else if Rc::strong_count(&block.name) <= 2 {
vec.extend_from_slice(&[b',', b' ']);
vec.extend_from_slice(&block.value);
}
--
2.44.0