File CVE-2024-23837.patch of Package libhtp

From 20ac301d801cdf01b3f021cca08a22a87f477c4a Mon Sep 17 00:00:00 2001
From: Philippe Antoine <contact@catenacyber.fr>
Date: Wed, 8 Nov 2023 09:42:50 +0100
Subject: [PATCH] headers: limit the size of folded headers

Ticket: #6444

This limits the quadratic cost of reallocating the header value
each time more folded bytes are appended to it.
---
 htp/htp_private.h  |  3 +++
 htp/htp_request.c  | 12 ++++++++----
 htp/htp_response.c | 12 ++++++++----
 3 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/htp/htp_private.h b/htp/htp_private.h
index 5a4e68fe..9bcf19d1 100644
--- a/htp/htp_private.h
+++ b/htp/htp_private.h
@@ -262,5 +262,8 @@ size_t strlcpy(char *dst, const char *src, size_t size);
 }
 #endif
 
+// as CURL_MAX_HTTP_HEADER
+#define HTP_MAX_HEADER_FOLDED 102400
+
 #endif	/* _HTP_PRIVATE_H */
 
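Review bot: The comment above HTP_MAX_HEADER_FOLDED gives only the constant's origin, not its unit or what happens once the limit is reached. Something like `// Max bytes accumulated for one folded header (same value as CURL_MAX_HTTP_HEADER); later continuation lines are dropped with a warning.` would let a reader understand the cap without opening htp_request.c and htp_response.c. The value is a compile-time macro, so embedders that need a different bound cannot set it at run time; if that is intended, it is worth stating as well.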
diff --git a/htp/htp_request.c b/htp/htp_request.c
index 57e5d0e2..2138831d 100644
--- a/htp/htp_request.c
+++ b/htp/htp_request.c
@@ -714,10 +714,14 @@ htp_status_t htp_connp_REQ_HEADERS(htp_connp_t *connp) {
                     connp->in_header = bstr_dup_mem(data + trim, len - trim);
                     if (connp->in_header == NULL) return HTP_ERROR;
                 } else {
-                    // Add to the existing header.                    
-                    bstr *new_in_header = bstr_add_mem(connp->in_header, data, len);
-                    if (new_in_header == NULL) return HTP_ERROR;
-                    connp->in_header = new_in_header;
+                    // Add to the existing header.
+                    if (bstr_len(connp->in_header) < HTP_MAX_HEADER_FOLDED) {
+                        bstr *new_in_header = bstr_add_mem(connp->in_header, data, len);
+                        if (new_in_header == NULL) return HTP_ERROR;
+                        connp->in_header = new_in_header;
+                    } else {
+                        htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Request field length exceeds folded maximum");
+                    }
                 }
             }
 
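Review bot: The new guard in htp_connp_REQ_HEADERS tests only the length already accumulated, so one more `bstr_add_mem` of `len` bytes can still push `in_header` past HTP_MAX_HEADER_FOLDED; the bound is soft rather than exact. If a hard cap is intended, compare the sum, e.g. `if (bstr_len(connp->in_header) + len <= HTP_MAX_HEADER_FOLDED) {`; otherwise the comment should say the limit may be overshot by one line. Once the limit is hit, the remaining folded lines are discarded and the header is parsed in truncated form, which matters to consumers that inspect header values, so a comment such as `// Excess folded bytes are discarded; the stored value is truncated.` would make that explicit. The same applies to the `out_header` hunk in htp_response.c. The function body starts and ends outside this hunk.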
diff --git a/htp/htp_response.c b/htp/htp_response.c
index 81cbf985..121004c7 100644
--- a/htp/htp_response.c
+++ b/htp/htp_response.c
@@ -978,10 +978,14 @@ htp_status_t htp_connp_RES_HEADERS(htp_connp_t *connp) {
                             return HTP_ERROR;
                     } else {
                         // Add to the existing header.
-                        bstr *new_out_header = bstr_add_mem(connp->out_header, data, len);
-                        if (new_out_header == NULL)
-                            return HTP_ERROR;
-                        connp->out_header = new_out_header;
+                        if (bstr_len(connp->out_header) < HTP_MAX_HEADER_FOLDED) {
+                            bstr *new_out_header = bstr_add_mem(connp->out_header, data, len);
+                            if (new_out_header == NULL)
+                                return HTP_ERROR;
+                            connp->out_header = new_out_header;
+                        } else {
+                            htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Response field length exceeds folded maximum");
+                        }
                     }
                 }
             }
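Review bot: The else branch calls `htp_log` for every folded line that arrives after `out_header` has reached HTP_MAX_HEADER_FOLDED, and nothing visible in the hunk limits the warning to once per header. If `htp_log` stores each message on the connection (its implementation is not shown here), a peer sending many short continuation lines could trade the reallocation cost this patch removes for growth in logged messages. Consider emitting the warning only for the first dropped line of a header, or at least add a comment like `// NOTE: logged once per dropped continuation line, not once per header.` so the behaviour is a documented choice. The request-side hunk in htp_request.c has the same shape, and htp_connp_RES_HEADERS continues outside this hunk.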