CVE-2025-53538
author: Philippe Antoine <pantoine@oisf.net>
Tue, 15 Apr 2025 10:34:37 +0000 (12:34 +0200)
committer: Andreas Dolp <dev@andreas-dolp.de>
Wed, 10 Dec 2025 19:12:20 +0000 (20:12 +0100)
From 97eee2cadacf3423a1ebcdd1943a7a7917f5cc56 Mon Sep 17 00:00:00 2001
Subject: [PATCH] http2: forbid data on stream 0

Ticket: 7658

Suricata will not handle well if we open a file for this tx,
do not close it, but set the transaction state to completed.

RFC 9113 section 6.1 states:

If a DATA frame is received whose Stream Identifier field is 0x00,
the recipient MUST respond with a connection error (Section 5.4.1)
of type PROTOCOL_ERROR.

(cherry picked from commit 1d6d331752e933c46aca0ae7a9679b27462246e3)

Origin: upstream, https://github.com/OISF/suricata/commit/97eee2cadacf3423a1ebcdd1943a7a7917f5cc56.patch
Bug: https://redmine.openinfosecfoundation.org/issues/7659
Bug-Debian: https://bugs.debian.org/1109806
Subject: Upstream fix for CVE-2025-53538

Gbp-Pq: Name CVE-2025-53538.patch
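The RFC 9113 rule quoted in the commit message can be checked at the frame-header level before any stream or file state exists. The following Rust program is an added example for this page, not Suricata's code: it parses the 9-octet HTTP/2 frame header (24-bit length, 8-bit type, 8-bit flags, reserved bit plus 31-bit stream identifier), masks the reserved bit off the stream id, and reports a `DataStreamZero` event (a name chosen here to mirror the patch's enum variant) when a DATA frame is carried on stream 0. The three-frame byte buffer in `sample_frames` is constructed for the example.

```rust
// Added example, not Suricata code: detect DATA frames on stream 0 at the
// frame-header level, per RFC 9113 section 6.1.

/// Frame type codes from RFC 9113 section 6 (only the two used here).
pub const FRAME_TYPE_DATA: u8 = 0x0;
pub const FRAME_TYPE_SETTINGS: u8 = 0x4;

/// The fixed 9-octet frame header (RFC 9113 section 4.1).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct FrameHeader {
    pub length: u32,    // 24-bit payload length
    pub ftype: u8,      // frame type
    pub flags: u8,      // type-specific flags
    pub stream_id: u32, // 31-bit stream identifier, reserved bit cleared
}

/// Parse the header; returns None when fewer than 9 octets are available.
pub fn parse_frame_header(buf: &[u8]) -> Option<FrameHeader> {
    if buf.len() < 9 {
        return None;
    }
    let length = ((buf[0] as u32) << 16) | ((buf[1] as u32) << 8) | buf[2] as u32;
    // The high bit of the stream id is reserved and MUST be ignored on receipt.
    let stream_id = u32::from_be_bytes([buf[5] & 0x7f, buf[6], buf[7], buf[8]]);
    Some(FrameHeader { length, ftype: buf[3], flags: buf[4], stream_id })
}

/// Event raised by the check below; the name mirrors the patch's enum variant.
#[derive(Debug, PartialEq, Eq)]
pub enum FrameEvent {
    Ok,
    DataStreamZero,
}

/// DATA on stream 0 is a PROTOCOL_ERROR for an endpoint; a passive decoder
/// records it as an event and moves on.
pub fn check_frame(h: &FrameHeader) -> FrameEvent {
    if h.ftype == FRAME_TYPE_DATA && h.stream_id == 0 {
        FrameEvent::DataStreamZero
    } else {
        FrameEvent::Ok
    }
}

/// Walk consecutive frames in a buffer and return (frame index, event) for
/// every flagged frame. Stops at the first truncated frame.
pub fn scan_frames(mut buf: &[u8]) -> Vec<(usize, FrameEvent)> {
    let mut hits = Vec::new();
    let mut idx = 0;
    while let Some(h) = parse_frame_header(buf) {
        let ev = check_frame(&h);
        if ev != FrameEvent::Ok {
            hits.push((idx, ev));
        }
        let total = 9 + h.length as usize;
        if buf.len() < total {
            break; // payload not fully present; nothing more to classify
        }
        buf = &buf[total..];
        idx += 1;
    }
    hits
}

/// Constructed sample: SETTINGS on stream 0 (legal), DATA on stream 1
/// (legal), then DATA on stream 0 with the reserved bit set (flagged).
pub fn sample_frames() -> Vec<u8> {
    let mut v = Vec::new();
    v.extend_from_slice(&[0, 0, 0, FRAME_TYPE_SETTINGS, 0, 0, 0, 0, 0]);
    v.extend_from_slice(&[0, 0, 3, FRAME_TYPE_DATA, 0, 0, 0, 0, 1]);
    v.extend_from_slice(b"abc");
    v.extend_from_slice(&[0, 0, 2, FRAME_TYPE_DATA, 0, 0x80, 0, 0, 0]);
    v.extend_from_slice(b"zz");
    v
}

fn main() {
    for (i, ev) in scan_frames(&sample_frames()) {
        println!("frame {}: {:?}", i, ev);
    }
}
```

Running it reports only the third frame. The reserved bit in that frame's stream-id field is deliberately set so the example shows that the check must mask it off, otherwise a sender could hide stream 0 behind a value of 0x80000000.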

rules/http2-events.rules
rust/src/http2/http2.rs

index 413fdd652cad9b5083aa4553249825acc56c12a1..8242e2f79e421980b231c006f1608fc32d6490cf 100644 (file)
@@ -21,3 +21,4 @@ alert http2 any any -> any any (msg:"SURICATA HTTP2 too many streams"; flow:esta
 alert http2 any any -> any any (msg:"SURICATA HTTP2 authority host mismatch"; flow:established,to_server; app-layer-event:http2.authority_host_mismatch; classtype:protocol-command-decode; sid:2290013; rev:1;)
 alert http2 any any -> any any (msg:"SURICATA HTTP2 user info in uri"; flow:established,to_server; app-layer-event:http2.userinfo_in_uri; classtype:protocol-command-decode; sid:2290014; rev:1;)
 alert http2 any any -> any any (msg:"SURICATA HTTP2 reassembly limit reached"; flow:established; app-layer-event:http2.reassembly_limit_reached; classtype:protocol-command-decode; sid:2290015; rev:1;)
+alert http2 any any -> any any (msg:"SURICATA HTTP2 data on stream zero"; flow:established; app-layer-event:http2.data_stream_zero; classtype:protocol-command-decode; sid:2290018; rev:1;)
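Review bot: the new rule's sid 2290018 skips 2290016 and 2290017 after the file's last rule 2290015; since this is a cherry-pick into an older branch, confirm those two ids are already allocated upstream so the backport keeps the same numbering as upstream master. Using `flow:established` without a direction is right here, since either endpoint can emit a DATA frame on stream 0, and it matches the reassembly-limit rule immediately above.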
index eace93ccc36f1a72826c32fff28a0efdf6d590f4..ac4079b4936e8b1fd9069664aa8b97d27fc80b49 100644 (file)
@@ -409,6 +409,7 @@ pub enum HTTP2Event {
     AuthorityHostMismatch,
     UserinfoInUri,
     ReassemblyLimitReached,
+    DataStreamZero,
 }
 
 pub struct HTTP2DynTable {
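Review bot: `DataStreamZero` is appended as the last variant, which is the right place since the code converts variants with `HTTP2Event::DataStreamZero as u8` and inserting it earlier would renumber the existing events. The rule in this patch refers to it as `app-layer-event:http2.data_stream_zero`, so confirm that the name-to-event mapping for HTTP2 events (not shown in this hunk) also gains the `data_stream_zero` entry, or the rule will fail to load.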
@@ -1078,7 +1079,9 @@ impl HTTP2State {
                             data: txdata,
                         });
                     }
-                    if ftype == parser::HTTP2FrameType::Data as u8 {
+                    if ftype == parser::HTTP2FrameType::Data as u8 && sid == 0 {
+                        tx.tx_data.set_event(HTTP2Event::DataStreamZero as u8);
+                    } else if ftype == parser::HTTP2FrameType::Data as u8 && sid > 0 {
                         match unsafe { SURICATA_HTTP2_FILE_CONFIG } {
                             Some(sfcm) => {
                                 //borrow checker forbids to reuse directly tx
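Review bot: both arms repeat `ftype == parser::HTTP2FrameType::Data as u8`; nesting `if ftype == parser::HTTP2FrameType::Data as u8 { if sid == 0 { ... } else { ... } }` reads cleaner and drops the `sid > 0` test, which only exists to make the two arms mutually exclusive (assuming `sid` is unsigned, as a 31-bit stream identifier would be). The substantive change is that the file-open path under the `else if` is no longer reached for stream 0, which is what the unclosed-file problem in the commit message needed. Note that the parser only raises `DataStreamZero` and keeps decoding rather than treating the frame as the connection error RFC 9113 demands of an endpoint; that is appropriate for a passive decoder but deserves a one-line comment next to the `set_event` call.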