From 966b38ebc63a1d27407913a664b2e80ed8b824cb Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Thu, 3 May 2018 09:09:06 +0200
Subject: [PATCH] Fix out of bounds access in HTTP parser (#6409) (#6997)
A broken HTTP request caused the parser to report a panic. Fixes #6409
---
 CHANGELOG.asciidoc | 2 ++
 packetbeat/protos/http/http_parser.go | 5 +++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index 0b75c1bbf514..affb38045e41 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -36,6 +36,8 @@ https://github.com/elastic/beats/compare/v5.6.9...5.6[Check the HEAD diff]
 *Packetbeat*
+- Fix an out of bounds access in HTTP parser caused by malformed request. {pull}6997[6997]
+
 *Winlogbeat*
 ==== Added
diff --git a/packetbeat/protos/http/http_parser.go b/packetbeat/protos/http/http_parser.go
index f09e1ca3f94f..49823b3b7a98 100644
--- a/packetbeat/protos/http/http_parser.go
+++ b/packetbeat/protos/http/http_parser.go
@@ -176,9 +176,10 @@ func (*parser) parseHTTPLine(s *stream, m *message) (cont, ok, complete bool) {
 m.method = common.NetString(fline[:afterMethodIdx])
 m.requestURI = common.NetString(fline[afterMethodIdx+1 : afterRequestURIIdx])
- if bytes.Equal(fline[afterRequestURIIdx+1:afterRequestURIIdx+len(constHTTPVersion)+1], constHTTPVersion) {
+ versionIdx := afterRequestURIIdx + len(constHTTPVersion) + 1
+ if len(fline) > versionIdx && bytes.Equal(fline[afterRequestURIIdx+1:versionIdx], constHTTPVersion) {
 m.isRequest = true
- version = fline[afterRequestURIIdx+len(constHTTPVersion)+1:]
+ version = fline[versionIdx:]
 } else {
 if isDebug {
 debugf("Couldn't understand HTTP version: %s", fline)
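Review bot: The new guard `len(fline) > versionIdx` in parseHTTPLine is the only thing keeping a truncated request line out of the slice expression, but the hunk does not explain why it is strict (`>` rather than `>=`), and the diffstat shows no test file in this patch. I would add a comment above it, for example `// fline comes from captured traffic: require at least one byte after constHTTPVersion before slicing`. I would also add a regression test that feeds request lines truncated before and inside the version token and asserts the parser returns without panicking. Separately, the debug branch prints the rejected line with `%s`; because those bytes come straight off the wire, `debugf("Couldn't understand HTTP version: %q", fline)` would keep control characters out of the log. The function body starts and ends outside the hunk, so how afterMethodIdx and afterRequestURIIdx are validated is not visible here.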