Actions
Security #5254
closedprotocol detection: exploitable type confusion due to concurrent protocol changes
Affected Versions:
Label:
CVE:
Git IDs:
e55eeb3bdee1a57f17a21ca509385c84caaa4469
Severity:
MODERATE
Disclosure Date:
Description
Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45941&q=label%3AProj-suricata&can=2
If a STMP session has STARTTLS, it requests AppLayerRequestProtocolChange
We call TCPProtoDetect to rerun protocol detection
So far, so good.
But then, if the protocol is HTTP1 requesting an upgrade, HTTP/1.1 101\nUpgrade:h2c
we call again AppLayerRequestProtocolChange which erases values like alproto_orig which leads to type confusion...
Files
Updated by Jeff Lucovsky about 2 years ago
- Copied from Security #5243: protocol detection: exploitable type confusion due to concurrent protocol changes added
Updated by Shivani Bhardwaj almost 2 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Shivani Bhardwaj
Updated by Shivani Bhardwaj almost 2 years ago
- Status changed from Assigned to In Progress
Updated by Shivani Bhardwaj almost 2 years ago
- Status changed from In Progress to In Review
Actions