libhtp: fix CVE-2024-45797scarthgap

Upstream-Status: Backport from https://github.com/OISF/libhtp/commit/0d550de551b91d5e57ba23e2b1e2c6430fad6818 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2024-10-18 11:01:18 +0530
committer: Armin Kuster <akuster808@gmail.com> 2024-11-04 08:17:37 -0500
commit: bc865c5276c2ab4031229916e8d7c20148dfbac3 (patch)
tree: 6ab59d528ca168fffc4df1ca61304784adc93674
parent: 459d837338ca230254baa2994f870bf6eb9d0139 (diff)
download: meta-security-scarthgap.tar.gz
2 files changed, 151 insertions, 1 deletions
diff --git a/recipes-ids/suricata/files/CVE-2024-45797.patch b/recipes-ids/suricata/files/CVE-2024-45797.patch
new file mode 100644
index 0000000..3db4625
--- /dev/null
+++ b/recipes-ids/suricata/files/CVE-2024-45797.patch
@@ -0,0 +1,148 @@
+From 0d550de551b91d5e57ba23e2b1e2c6430fad6818 Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <contact@catenacyber.fr>
+Date: Mon, 12 Aug 2024 14:06:40 +0200
+Subject: [PATCH] headers: put a configurable limit on their numbers
+So as to avoid quadratic complexity
+Ticket: 7191
+Upstream-Status: Backport [https://github.com/OISF/libhtp/commit/0d550de551b91d5e57ba23e2b1e2c6430fad6818]
+CVE: CVE-2024-45797
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ htp/htp_config.c           |  8 ++++++++
+ htp/htp_config.h           |  8 ++++++++
+ htp/htp_config_private.h   |  6 ++++++
+ htp/htp_core.h             |  1 +
+ htp/htp_request_generic.c  | 11 +++++++++++
+ htp/htp_response_generic.c | 10 ++++++++++
+ 6 files changed, 44 insertions(+)
+diff --git a/htp/htp_config.c b/htp/htp_config.c
+index 767458f..9e0eee3 100644
+--- a/htp/htp_config.c
+++ b/htp/htp_config.c
+@@ -145,6 +145,8 @@ static unsigned char bestfit_1252[] = {
+     0xff, 0x5d, 0x7d, 0xff, 0x5e, 0x7e, 0x00, 0x00, 0x00
+ };
+ 
+#define HTP_HEADERS_LIMIT 1024
+
+ htp_cfg_t *htp_config_create(void) {
+     htp_cfg_t *cfg = calloc(1, sizeof (htp_cfg_t));
+     if (cfg == NULL) return NULL;
+@@ -163,6 +165,7 @@ htp_cfg_t *htp_config_create(void) {
+     cfg->response_lzma_layer_limit = 1; // default is only one layer
+     cfg->compression_bomb_limit = HTP_COMPRESSION_BOMB_LIMIT;
+     cfg->compression_time_limit = HTP_COMPRESSION_TIME_LIMIT_USEC;
+    cfg->number_headers_limit = HTP_HEADERS_LIMIT;
+     cfg->allow_space_uri = 0;
+ 
+     // Default settings for URL-encoded data.
+@@ -542,6 +545,11 @@ void htp_config_set_compression_time_limit(htp_cfg_t *cfg, size_t useclimit) {
+     }
+ }
+ 
+void htp_config_set_number_headers_limit(htp_cfg_t *cfg, uint32_t limit) {
+    if (cfg == NULL) return;
+    cfg->number_headers_limit = limit;
+}
+
+ void htp_config_set_log_level(htp_cfg_t *cfg, enum htp_log_level_t log_level) {
+     if (cfg == NULL) return;
+     cfg->log_level = log_level;
+diff --git a/htp/htp_config.h b/htp/htp_config.h
+index d1365dc..ed0eaeb 100644
+--- a/htp/htp_config.h
+++ b/htp/htp_config.h
+@@ -466,6 +466,14 @@ void htp_config_set_compression_time_limit(htp_cfg_t *cfg, size_t useclimit);
+  */
+ void htp_config_set_log_level(htp_cfg_t *cfg, enum htp_log_level_t log_level);
+ 
+/**
+ * Configures the maximum number of headers LibHTP will accept per request or response.
+ *
+ * @param[in] cfg
+ * @param[in] limit
+ */
+void htp_config_set_number_headers_limit(htp_cfg_t *cfg, uint32_t limit);
+
+ /**
+  * Configures how the server reacts to encoded NUL bytes. Some servers will stop at
+  * at NUL, while some will respond with 400 or 404. When the termination option is not
+diff --git a/htp/htp_config_private.h b/htp/htp_config_private.h
+index 5f1d60d..ecc8717 100644
+--- a/htp/htp_config_private.h
+++ b/htp/htp_config_private.h
+@@ -360,6 +360,12 @@ struct htp_cfg_t {
+ 
+     /** Whether to decompress compressed request bodies. */
+     int request_decompression_enabled;
+
+    /** Maximum number of transactions. */
+    uint32_t max_tx;
+
+    /** Maximum number of headers. */
+    uint32_t number_headers_limit;
+ };
+ 
+ #ifdef __cplusplus
+diff --git a/htp/htp_core.h b/htp/htp_core.h
+index e4c933e..7c23212 100644
+--- a/htp/htp_core.h
+++ b/htp/htp_core.h
+@@ -235,6 +235,7 @@ enum htp_file_source_t {
+ #define HTP_REQUEST_INVALID                0x100000000ULL
+ #define HTP_REQUEST_INVALID_C_L            0x200000000ULL
+ #define HTP_AUTH_INVALID                   0x400000000ULL
+#define HTP_HEADERS_TOO_MANY               0x800000000ULL
+ 
+ #define HTP_MAX_HEADERS_REPETITIONS 64
+ 
+diff --git a/htp/htp_request_generic.c b/htp/htp_request_generic.c
+index 435cf0a..1350e57 100644
+--- a/htp/htp_request_generic.c
+++ b/htp/htp_request_generic.c
+@@ -120,6 +120,17 @@ htp_status_t htp_process_request_header_generic(htp_connp_t *connp, unsigned cha
+         bstr_free(h->value);
+         free(h);
+     } else {
+        if (htp_table_size(connp->in_tx->request_headers) > connp->cfg->number_headers_limit) {
+            if (!(connp->in_tx->flags & HTP_HEADERS_TOO_MANY)) {
+                connp->in_tx->flags |= HTP_HEADERS_TOO_MANY;
+                htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Too many request headers");
+            }
+            bstr_free(h->name);
+            bstr_free(h->value);
+            free(h);
+            // give up on what comes next
+            return HTP_ERROR;
+        }
+         // Add as a new header.
+         if (htp_table_add(connp->in_tx->request_headers, h->name, h) != HTP_OK) {
+             bstr_free(h->name);
+diff --git a/htp/htp_response_generic.c b/htp/htp_response_generic.c
+index f5fa59e..69da625 100644
+--- a/htp/htp_response_generic.c
+++ b/htp/htp_response_generic.c
+@@ -321,6 +321,16 @@ htp_status_t htp_process_response_header_generic(htp_connp_t *connp, unsigned ch
+         bstr_free(h->value);
+         free(h);       
+     } else {
+        if (htp_table_size(connp->out_tx->response_headers) > connp->cfg->number_headers_limit) {
+            if (!(connp->out_tx->flags & HTP_HEADERS_TOO_MANY)) {
+                connp->out_tx->flags |= HTP_HEADERS_TOO_MANY;
+                htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Too many response headers");
+            }
+            bstr_free(h->name);
+            bstr_free(h->value);
+            free(h);
+            return HTP_ERROR;
+        }
+         // Add as a new header.
+         if (htp_table_add(connp->out_tx->response_headers, h->name, h) != HTP_OK) {
+             bstr_free(h->name);
+-- 
+2.25.1
diff --git a/recipes-ids/suricata/libhtp_0.5.45.bb b/recipes-ids/suricata/libhtp_0.5.45.bb
index cc8285c..604a0ca 100644
--- a/recipes-ids/suricata/libhtp_0.5.45.bb
+++ b/recipes-ids/suricata/libhtp_0.5.45.bb
@@ -4,7 +4,9 @@ require suricata.inc
 LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843"
-SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x"
+SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x \
+           file://CVE-2024-45797.patch \
+          "
 SRCREV = "8bdfe7b9d04e5e948c8fbaa7472e14d884cc00af"
 DEPENDS = "zlib"
author	Hitendra Prajapati <hprajapati@mvista.com>	2024-10-18 11:01:18 +0530
committer	Armin Kuster <akuster808@gmail.com>	2024-11-04 08:17:37 -0500
commit	bc865c5276c2ab4031229916e8d7c20148dfbac3 (patch)
tree	6ab59d528ca168fffc4df1ca61304784adc93674
parent	459d837338ca230254baa2994f870bf6eb9d0139 (diff)
download	meta-security-scarthgap.tar.gz

diff --git a/recipes-ids/suricata/files/CVE-2024-45797.patch b/recipes-ids/suricata/files/CVE-2024-45797.patch new file mode 100644 index 0000000..3db4625 --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2024-45797.patch
@@ -0,0 +1,148 @@
		1	From 0d550de551b91d5e57ba23e2b1e2c6430fad6818 Mon Sep 17 00:00:00 2001
		2	From: Philippe Antoine <contact@catenacyber.fr>
		3	Date: Mon, 12 Aug 2024 14:06:40 +0200
		4	Subject: [PATCH] headers: put a configurable limit on their numbers
		5
		6	So as to avoid quadratic complexity
		7
		8	Ticket: 7191
		9
		10	Upstream-Status: Backport [https://github.com/OISF/libhtp/commit/0d550de551b91d5e57ba23e2b1e2c6430fad6818]
		11	CVE: CVE-2024-45797
		12	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		13	---
		14	htp/htp_config.c \| 8 ++++++++
		15	htp/htp_config.h \| 8 ++++++++
		16	htp/htp_config_private.h \| 6 ++++++
		17	htp/htp_core.h \| 1 +
		18	htp/htp_request_generic.c \| 11 +++++++++++
		19	htp/htp_response_generic.c \| 10 ++++++++++
		20	6 files changed, 44 insertions(+)
		21
		22	diff --git a/htp/htp_config.c b/htp/htp_config.c
		23	index 767458f..9e0eee3 100644
		24	--- a/htp/htp_config.c
		25	+++ b/htp/htp_config.c
		26	@@ -145,6 +145,8 @@ static unsigned char bestfit_1252[] = {
		27	0xff, 0x5d, 0x7d, 0xff, 0x5e, 0x7e, 0x00, 0x00, 0x00
		28	};
		29
		30	+#define HTP_HEADERS_LIMIT 1024
		31	+
		32	htp_cfg_t *htp_config_create(void) {
		33	htp_cfg_t *cfg = calloc(1, sizeof (htp_cfg_t));
		34	if (cfg == NULL) return NULL;
		35	@@ -163,6 +165,7 @@ htp_cfg_t *htp_config_create(void) {
		36	cfg->response_lzma_layer_limit = 1; // default is only one layer
		37	cfg->compression_bomb_limit = HTP_COMPRESSION_BOMB_LIMIT;
		38	cfg->compression_time_limit = HTP_COMPRESSION_TIME_LIMIT_USEC;
		39	+ cfg->number_headers_limit = HTP_HEADERS_LIMIT;
		40	cfg->allow_space_uri = 0;
		41
		42	// Default settings for URL-encoded data.
		43	@@ -542,6 +545,11 @@ void htp_config_set_compression_time_limit(htp_cfg_t *cfg, size_t useclimit) {
		44	}
		45	}
		46
		47	+void htp_config_set_number_headers_limit(htp_cfg_t *cfg, uint32_t limit) {
		48	+ if (cfg == NULL) return;
		49	+ cfg->number_headers_limit = limit;
		50	+}
		51	+
		52	void htp_config_set_log_level(htp_cfg_t *cfg, enum htp_log_level_t log_level) {
		53	if (cfg == NULL) return;
		54	cfg->log_level = log_level;
		55	diff --git a/htp/htp_config.h b/htp/htp_config.h
		56	index d1365dc..ed0eaeb 100644
		57	--- a/htp/htp_config.h
		58	+++ b/htp/htp_config.h
		59	@@ -466,6 +466,14 @@ void htp_config_set_compression_time_limit(htp_cfg_t *cfg, size_t useclimit);
		60	*/
		61	void htp_config_set_log_level(htp_cfg_t *cfg, enum htp_log_level_t log_level);
		62
		63	+/**
		64	+ * Configures the maximum number of headers LibHTP will accept per request or response.
		65	+ *
		66	+ * @param[in] cfg
		67	+ * @param[in] limit
		68	+ */
		69	+void htp_config_set_number_headers_limit(htp_cfg_t *cfg, uint32_t limit);
		70	+
		71	/**
		72	* Configures how the server reacts to encoded NUL bytes. Some servers will stop at
		73	* at NUL, while some will respond with 400 or 404. When the termination option is not
		74	diff --git a/htp/htp_config_private.h b/htp/htp_config_private.h
		75	index 5f1d60d..ecc8717 100644
		76	--- a/htp/htp_config_private.h
		77	+++ b/htp/htp_config_private.h
		78	@@ -360,6 +360,12 @@ struct htp_cfg_t {
		79
		80	/** Whether to decompress compressed request bodies. */
		81	int request_decompression_enabled;
		82	+
		83	+ /** Maximum number of transactions. */
		84	+ uint32_t max_tx;
		85	+
		86	+ /** Maximum number of headers. */
		87	+ uint32_t number_headers_limit;
		88	};
		89
		90	#ifdef __cplusplus
		91	diff --git a/htp/htp_core.h b/htp/htp_core.h
		92	index e4c933e..7c23212 100644
		93	--- a/htp/htp_core.h
		94	+++ b/htp/htp_core.h
		95	@@ -235,6 +235,7 @@ enum htp_file_source_t {
		96	#define HTP_REQUEST_INVALID 0x100000000ULL
		97	#define HTP_REQUEST_INVALID_C_L 0x200000000ULL
		98	#define HTP_AUTH_INVALID 0x400000000ULL
		99	+#define HTP_HEADERS_TOO_MANY 0x800000000ULL
		100
		101	#define HTP_MAX_HEADERS_REPETITIONS 64
		102
		103	diff --git a/htp/htp_request_generic.c b/htp/htp_request_generic.c
		104	index 435cf0a..1350e57 100644
		105	--- a/htp/htp_request_generic.c
		106	+++ b/htp/htp_request_generic.c
		107	@@ -120,6 +120,17 @@ htp_status_t htp_process_request_header_generic(htp_connp_t *connp, unsigned cha
		108	bstr_free(h->value);
		109	free(h);
		110	} else {
		111	+ if (htp_table_size(connp->in_tx->request_headers) > connp->cfg->number_headers_limit) {
		112	+ if (!(connp->in_tx->flags & HTP_HEADERS_TOO_MANY)) {
		113	+ connp->in_tx->flags \|= HTP_HEADERS_TOO_MANY;
		114	+ htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Too many request headers");
		115	+ }
		116	+ bstr_free(h->name);
		117	+ bstr_free(h->value);
		118	+ free(h);
		119	+ // give up on what comes next
		120	+ return HTP_ERROR;
		121	+ }
		122	// Add as a new header.
		123	if (htp_table_add(connp->in_tx->request_headers, h->name, h) != HTP_OK) {
		124	bstr_free(h->name);
		125	diff --git a/htp/htp_response_generic.c b/htp/htp_response_generic.c
		126	index f5fa59e..69da625 100644
		127	--- a/htp/htp_response_generic.c
		128	+++ b/htp/htp_response_generic.c
		129	@@ -321,6 +321,16 @@ htp_status_t htp_process_response_header_generic(htp_connp_t *connp, unsigned ch
		130	bstr_free(h->value);
		131	free(h);
		132	} else {
		133	+ if (htp_table_size(connp->out_tx->response_headers) > connp->cfg->number_headers_limit) {
		134	+ if (!(connp->out_tx->flags & HTP_HEADERS_TOO_MANY)) {
		135	+ connp->out_tx->flags \|= HTP_HEADERS_TOO_MANY;
		136	+ htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Too many response headers");
		137	+ }
		138	+ bstr_free(h->name);
		139	+ bstr_free(h->value);
		140	+ free(h);
		141	+ return HTP_ERROR;
		142	+ }
		143	// Add as a new header.
		144	if (htp_table_add(connp->out_tx->response_headers, h->name, h) != HTP_OK) {
		145	bstr_free(h->name);
		146	--
		147	2.25.1
		148


diff --git a/recipes-ids/suricata/libhtp_0.5.45.bb b/recipes-ids/suricata/libhtp_0.5.45.bb index cc8285c..604a0ca 100644 --- a/recipes-ids/suricata/libhtp_0.5.45.bb +++ b/recipes-ids/suricata/libhtp_0.5.45.bb
@@ -4,7 +4,9 @@ require suricata.inc
4		4
5	LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843"	5	LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843"
6		6
7	SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x"	7	SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x \
		8	file://CVE-2024-45797.patch \
		9	"
8	SRCREV = "8bdfe7b9d04e5e948c8fbaa7472e14d884cc00af"	10	SRCREV = "8bdfe7b9d04e5e948c8fbaa7472e14d884cc00af"
9		11
10	DEPENDS = "zlib"	12	DEPENDS = "zlib"