Security #5921
closedhttp1: configurable limit for maximum number of live transactions per flow
8f63a8f3bffbbaf8fae4985ee5f974ab326b08c0
4175680a8a1c0dfaa491ee63d6e36c011d498473
Description
Kind of found by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55582
See also libhtp-rs oom
Updated by Philippe Antoine about 2 years ago
Investigation shows that `http_state->conn->transactions` does not shrink as `VecDeque` when one transaction should get removed (the transaction is freed and replaced by NULL)
Need to think on this first...
Updated by Philippe Antoine about 2 years ago
I thought I had a Suricata-only fix, but libhtp uses htp_list_get(connp->conn->transactions, connp->out_next_tx_index);
and tx->index = htp_list_size(tx->conn->transactions);
So, I may have a Suricata+libhtp fix...
Updated by Philippe Antoine over 1 year ago
So, I see 2 sub tasks here :
- do not have an ever growing list of HTTP1 transactions per flow
- configurable limit for maximum number of live HTTP1 transactions per flow
The current MR is for the first one
Another thing could be to have a configurable limit for maximum number of live transactions per flow whatever the app-layer protocol
The slowness of DetectRunTx when there are multiple live transactions per flow is to be tracked on #6299
See also https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62416&q=label%3AProj-suricata
Updated by Victor Julien over 1 year ago
- Severity changed from MODERATE to CRITICAL
Easy to trigger, so CRITICAL.