From 41c155397738550cb089ab9a5551df60ac83097d Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Wed, 2 May 2018 21:38:42 +0200
Subject: [PATCH] Fix out of bounds access in HTTP parser (#6409)

A broken HTTP request caused the parser to report a panic.

Fixes #6409
---
 CHANGELOG.asciidoc | 2 ++
 packetbeat/protos/http/http_parser.go | 5 +++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index afefbf9ffbf4..586b0c0deb12 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -91,6 +91,8 @@ https://github.com/elastic/beats/compare/v6.0.0-beta2...master[Check the HEAD di

 *Packetbeat*

+- Fix an out of bounds access in HTTP parser caused by malformed request. {pull}6997[6997]
+
 *Winlogbeat*

 - Fixed a crash under Windows 2003 and XP when an event had less insert strings than required by its format string. {pull}6247[6247]
diff --git a/packetbeat/protos/http/http_parser.go b/packetbeat/protos/http/http_parser.go
index bb2c9e689ea0..e6c6f84ce000 100644
--- a/packetbeat/protos/http/http_parser.go
+++ b/packetbeat/protos/http/http_parser.go
@@ -181,9 +181,10 @@ func (*parser) parseHTTPLine(s *stream, m *message) (cont, ok, complete bool) {
 m.method = common.NetString(fline[:afterMethodIdx])
 m.requestURI = common.NetString(fline[afterMethodIdx+1 : afterRequestURIIdx])

- if bytes.Equal(fline[afterRequestURIIdx+1:afterRequestURIIdx+len(constHTTPVersion)+1], constHTTPVersion) {
+ versionIdx := afterRequestURIIdx + len(constHTTPVersion) + 1
+ if len(fline) > versionIdx && bytes.Equal(fline[afterRequestURIIdx+1:versionIdx], constHTTPVersion) {
 m.isRequest = true
- version = fline[afterRequestURIIdx+len(constHTTPVersion)+1:]
+ version = fline[versionIdx:]
 } else {
 if isDebug {
 debugf("Couldn't understand HTTP version: %s", fline)
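Review bot: Nothing in this patch pins the new `len(fline) > versionIdx` guard in parseHTTPLine: the diffstat lists only the changelog and http_parser.go, so a later change to the index arithmetic could bring the panic back unnoticed on traffic the sniffer does not control. A table-driven case in the package's parser tests that feeds request lines ending before, and exactly at, the end of the version prefix and asserts a clean parse failure would cover it. The comparison is also stricter than the slice needs (`>=` would already keep `fline[afterRequestURIIdx+1:versionIdx]` in range), so a comment such as `// need at least one byte after the version prefix; shorter lines are malformed` above the `if` would record that this is deliberate. parseHTTPLine starts and ends outside the hunk, so whether `afterMethodIdx` and `afterRequestURIIdx` are validated before the two slices in the context lines cannot be confirmed from here.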