response: fix connect tunneling bug

The response was emitting partial body data depending on how you fed the parser with inbound and outbound data chunks. It seems the intended behavior is to not emit body data if HTP_STREAM_TUNNEL will eventually be entered. The fix was to allow htp_connp_REQ_CONNECT_WAIT_RESPONSE to resume in order to enter the HTP_STREAM_TUNNEL state or complete the request. The tunneling transaction was also incomplete because the request side wasn't being finalized after entering HTP_STREAM_TUNNEL. See test case for example.
OISF · Jun 6, 2024 · 4d33275 · 4d33275
1 parent 559667a
commit 4d33275
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 3 deletions.
diff --git a/htp/htp_request.c b/htp/htp_request.c
@@ -364,6 +364,9 @@ htp_status_t htp_connp_REQ_CONNECT_PROBE_DATA(htp_connp_t *connp) {
 #endif
         connp->in_status = HTP_STREAM_TUNNEL;
         connp->out_status = HTP_STREAM_TUNNEL;
+
+        // set the final state to eventually complete the transaction
+        connp->in_state = htp_connp_REQ_FINALIZE;
     }
 
     // not calling htp_connp_req_clear_buffer, we're not consuming the data

diff --git a/htp/htp_response.c b/htp/htp_response.c
@@ -1166,9 +1166,17 @@ htp_status_t htp_connp_RES_FINALIZE(htp_connp_t *connp) {
     }
 
     if (htp_treat_response_line_as_body(data, bytes_left)) {
-        // Interpret remaining bytes as body data
-        htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Unexpected response body");
-        htp_status_t rc = htp_tx_res_process_body_data_ex(connp->out_tx, data, bytes_left);
+        // Interpret remaining bytes as body data only if inbound processing
+        // was not suspended. Otherwise, yield back to inbound processing in
+        // case we've suspended because of a CONNECT transaction and are about
+        // to enter a tunneled state where we won't process body data.
+        htp_status_t rc = HTP_DATA_OTHER;
+
+        if (connp->in_status != HTP_STREAM_DATA_OTHER) {
+            htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Unexpected response body");
+            rc = htp_tx_res_process_body_data_ex(connp->out_tx, data, bytes_left);
+        }
+
         htp_connp_res_clear_buffer(connp);
         return rc;
     }

diff --git a/htp/htp_util.c b/htp/htp_util.c
@@ -2097,6 +2097,7 @@ char *htp_connp_in_state_as_string(htp_connp_t *connp) {
     if (connp->in_state == htp_connp_REQ_HEADERS) return "REQ_HEADERS";
     if (connp->in_state == htp_connp_REQ_CONNECT_CHECK) return "REQ_CONNECT_CHECK";
     if (connp->in_state == htp_connp_REQ_CONNECT_WAIT_RESPONSE) return "REQ_CONNECT_WAIT_RESPONSE";
+    if (connp->in_state == htp_connp_REQ_CONNECT_PROBE_DATA) return "REQ_CONNECT_PROBE_DATA";
     if (connp->in_state == htp_connp_REQ_BODY_DETERMINE) return "REQ_BODY_DETERMINE";
     if (connp->in_state == htp_connp_REQ_BODY_IDENTITY) return "REQ_BODY_IDENTITY";
     if (connp->in_state == htp_connp_REQ_BODY_CHUNKED_LENGTH) return "REQ_BODY_CHUNKED_LENGTH";