Project

General

Profile

Actions

Bug #3956

closed

HTTP2 support variable integer lengths for headers

Added by Philippe Antoine over 4 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

HTTP2 has a specific encoding for integer, starting with only a subset of bits for the first byte.

see https://tools.ietf.org/html/rfc7541#section-5.1

It was not supported for headers, even if it was supported for dynamic table size update


Files

youtube_invalid_frame.pcapng (1.64 MB) youtube_invalid_frame.pcapng David Beckett, 10/01/2020 10:09 AM
Actions #1

Updated by Philippe Antoine over 4 years ago

  • Status changed from Assigned to In Review
Actions #2

Updated by David Beckett about 4 years ago

I'm getting a invalid frame length with the attached pcap

{"timestamp":"2020-10-01T06:01:31.996386-0400","flow_id":1775817192543658,"pcap_cnt":858,"event_type":"anomaly","src_ip":"172.217.2.118","src_port":443,"dest_ip":"192.168.122.7","dest_port":37594,"proto":"TCP","tx_id":29,"community_id":"1:pO52xCkcc3tKLkWCOP1fHOx4XOw=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_length","layer":"proto_parser"}}
{"timestamp":"2020-10-01T06:01:31.996386-0400","flow_id":1775817192543658,"pcap_cnt":858,"event_type":"anomaly","src_ip":"172.217.2.118","src_port":443,"dest_ip":"192.168.122.7","dest_port":37594,"proto":"TCP","tx_id":29,"community_id":"1:pO52xCkcc3tKLkWCOP1fHOx4XOw=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_length","layer":"proto_parser"}}

This is with commit 080f6b from PR httpfixv6

Actions #3

Updated by Philippe Antoine about 4 years ago

Thanks again and again :-)
I had skipped a line in the RFC

https://github.com/OISF/suricata/pull/5460

Actions #4

Updated by David Beckett about 4 years ago

Tested PR5460 with around 50 websites and am getting no anomalies so all bugs on my side are fixed within this PR :)

Actions #5

Updated by Victor Julien about 4 years ago

  • Status changed from In Review to Closed
Actions

Also available in: Atom PDF