Project

General

Profile

Actions

Security #6900

closed

http2: timeout logging headers

Added by Philippe Antoine 8 months ago. Updated 7 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
Git IDs:

03442c9071b8d863d26b609d54c6eacf4de9e340

Severity:
HIGH
Disclosure Date:
06/28/2024

Description

Found by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67661

Investigating more in this issue


Subtasks 2 (0 open2 closed)

Security #6901: http2: timeout logging headers (7.0.x backport)ClosedPhilippe AntoineActions
Security #6978: http2: timeout logging headers (6.0.x backport)ClosedPhilippe AntoineActions

Related issues 3 (0 open3 closed)

Related to Suricata - Bug #6846: alerts: wrongly using tx id 0 when there is no txClosedPhilippe AntoineActions
Related to Suricata - Security #6892: http2: oom on copying compressed headersClosedPhilippe AntoineActions
Related to Suricata - Bug #6973: detect: log relevant frames app-layer metdataClosedPhilippe AntoineActions
Actions #1

Updated by Philippe Antoine 8 months ago

  • Related to Bug #6846: alerts: wrongly using tx id 0 when there is no tx added
Actions #2

Updated by Philippe Antoine 8 months ago

Fix for #6846 fixes this timeout because we get multiple alerts for sid 2210045 and 2210029 which logs http2 app-layer data when it should not

Actions #3

Updated by Philippe Antoine 8 months ago

  • Related to Security #6892: http2: oom on copying compressed headers added
Actions #4

Updated by Philippe Antoine 8 months ago

http2 logging does not take too much time because a single field is too long, but we log 35367 headers.

This get bad because of http2 headers compression where one byte in the network can refer up to HTTP2_MAX_TABLESIZE (65536 by default, configurable with app-layer.protocols.http2.max-table-size bytes previously seen on the network.

Actions #5

Updated by Philippe Antoine 8 months ago

I guess this is critical

Actions #6

Updated by Philippe Antoine 8 months ago

  • Status changed from New to In Review
  • Label Needs backport to 7.0 added
Actions #7

Updated by OISF Ticketbot 8 months ago

  • Subtask #6901 added
Actions #8

Updated by OISF Ticketbot 8 months ago

  • Label deleted (Needs backport to 7.0)
Actions #10

Updated by Victor Julien 7 months ago

  • CVE set to 2024-32663
Actions #11

Updated by Victor Julien 7 months ago

  • Label Needs backport to 6.0 added
Actions #12

Updated by OISF Ticketbot 7 months ago

  • Subtask #6978 added
Actions #13

Updated by OISF Ticketbot 7 months ago

  • Label deleted (Needs backport to 6.0)
Actions #14

Updated by Victor Julien 7 months ago

  • Severity changed from MODERATE to HIGH
Actions #15

Updated by Victor Julien 7 months ago

  • Status changed from In Review to Closed
  • Git IDs updated (diff)
Actions #16

Updated by Philippe Antoine 7 months ago

  • Related to Bug #6973: detect: log relevant frames app-layer metdata added
Actions #17

Updated by Philippe Antoine 7 months ago ยท Edited

For info, the oss-fuzz report is still open until #6848 gets solved

Actions

Also available in: Atom PDF