Files
Siddharth Doshi f0deac3787 Suricata: Security Fix for CVE-2024-37151, CVE-2024-38534, CVE-2024-38535, CVE-2024-38536
Upstream-Status: Backport from [https://github.com/OISF/suricata/commit/aab7f35c76721df19403a7c0c0025feae12f3b6b, https://github.com/OISF/suricata/commit/a753cdbe84caee3b66d0bf49b2712d29a50d67ae, https://github.com/OISF/suricata/commit/c82fa5ca0d1ce0bd8f936e0b860707a6571373b2, https://github.com/OISF/suricata/commit/2bd3bd0e318f19008e9fe068ab17277c530ffb92]

CVE's Fixed:
CVE-2024-37151 suricata: suricata: packet reassembly failure, which can lead to policy bypass
CVE-2024-38534 suricata: suricata: Crafted modbus traffic can lead to unlimited resource accumulation within a flow
CVE-2024-38535 suricata: Suricata: can run out of memory when parsing crafted HTTP/2 traffic
CVE-2024-38536 suricata: NULL pointer dereference when http.memcap is reached

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-07-29 20:07:01 -04:00

41 lines
1.4 KiB
Diff

From 4026bca7f04c419dd3f3ba17a1af17bbcbcf18bc Mon Sep 17 00:00:00 2001
From: Philippe Antoine <pantoine@oisf.net>
Date: Fri, 17 May 2024 09:39:52 +0200
Subject: [PATCH 4/4] http: fix nul deref on memcap reached
HttpRangeOpenFileAux may return NULL in different cases, including
when memcap is reached.
But is only caller did not check it before calling HttpRangeAppendData
which would dereference the NULL value.
Ticket: 7029
(cherry picked from commit fd262df457f67f2174752dd6505ba2ed5911fd96)
Upstream-Status: Backport from [https://github.com/OISF/suricata/commit/2bd3bd0e318f19008e9fe068ab17277c530ffb92]
CVE: CVE-2024-38536
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
src/app-layer-htp-range.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/app-layer-htp-range.c b/src/app-layer-htp-range.c
index 3cdde35..f0d75a9 100644
--- a/src/app-layer-htp-range.c
+++ b/src/app-layer-htp-range.c
@@ -351,8 +351,10 @@ static HttpRangeContainerBlock *HttpRangeOpenFile(HttpRangeContainerFile *c, uin
{
HttpRangeContainerBlock *r =
HttpRangeOpenFileAux(c, start, end, total, sbcfg, name, name_len, flags);
- if (HttpRangeAppendData(sbcfg, r, data, len) < 0) {
- SCLogDebug("Failed to append data while opening");
+ if (r) {
+ if (HttpRangeAppendData(sbcfg, r, data, len) < 0) {
+ SCLogDebug("Failed to append data while opening");
+ }
}
return r;
}
--
2.44.0