From 49fbc32f38002adb5708dea3cb6bbf9d69d60bc5 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Fri, 15 Jun 2018 14:41:09 +0700
Subject: [PATCH] Fix out of bounds access in HTTP parser (#6409) (#6997) (#7339)

A broken HTTP request caused the parser to report a panic.

Fixes #6409

(cherry picked from commit a6348028cea874f9c3a1a976e47043a76cad114f)
---
 CHANGELOG.asciidoc | 2 ++
 packetbeat/protos/http/http_parser.go | 5 +++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index ce0eac758c79..d3ba9154638e 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -41,6 +41,8 @@ https://github.com/elastic/beats/compare/v6.3.0...6.3[Check the HEAD diff]
 *Packetbeat*
+- Fix an out of bounds access in HTTP parser caused by malformed request. {pull}6997[6997]
+
 *Winlogbeat*
 ==== Added
diff --git a/packetbeat/protos/http/http_parser.go b/packetbeat/protos/http/http_parser.go
index bb2c9e689ea0..e6c6f84ce000 100644
--- a/packetbeat/protos/http/http_parser.go
+++ b/packetbeat/protos/http/http_parser.go
@@ -181,9 +181,10 @@ func (*parser) parseHTTPLine(s *stream, m *message) (cont, ok, complete bool) {
 m.method = common.NetString(fline[:afterMethodIdx])
 m.requestURI = common.NetString(fline[afterMethodIdx+1 : afterRequestURIIdx])
- if bytes.Equal(fline[afterRequestURIIdx+1:afterRequestURIIdx+len(constHTTPVersion)+1], constHTTPVersion) {
+ versionIdx := afterRequestURIIdx + len(constHTTPVersion) + 1
+ if len(fline) > versionIdx && bytes.Equal(fline[afterRequestURIIdx+1:versionIdx], constHTTPVersion) {
 m.isRequest = true
- version = fline[afterRequestURIIdx+len(constHTTPVersion)+1:]
+ version = fline[versionIdx:]
 } else {
 if isDebug {
 debugf("Couldn't understand HTTP version: %s", fline)
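Review bot: The bounds guard on the `if len(fline) > versionIdx && bytes.Equal(...)` line lands without a regression test, since the diffstat lists only CHANGELOG.asciidoc and http_parser.go. Because this parser handles bytes captured off the wire, a table-driven case with request lines that stop right after the URI, and right after the constHTTPVersion prefix, should pin that parseHTTPLine takes the "Couldn't understand HTTP version" branch instead of panicking. The strict `>` also rejects a line that ends exactly at versionIdx, which looks intended; a comment such as `// require at least one byte after constHTTPVersion so version is never empty` would make that explicit. The two slices on the context lines above rely on afterMethodIdx and afterRequestURIIdx being validated outside this hunk, which is presumably done earlier in parseHTTPLine but is worth covering in the same test; the function body starts and ends outside the hunk.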