From 24e3574084ba5d968f769b44b7da672f2b549610 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 30 Apr 2024 14:07:39 +0200
Subject: [PATCH 1/3] request: trim headers values also when there is no name

As is done by libhtp-rs
---
 htp/htp_request_generic.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/htp/htp_request_generic.c b/htp/htp_request_generic.c
index 435cf0a7..7045b527 100644
--- a/htp/htp_request_generic.c
+++ b/htp/htp_request_generic.c
@@ -172,7 +172,12 @@ htp_status_t htp_parse_request_header_generic(htp_connp_t *connp, htp_header_t *
 h->name = bstr_dup_c("");
 if (h->name == NULL) return HTP_ERROR;
- h->value = bstr_dup_mem(data, len);
+ // Ignore LWS after field-content.
+ value_end = len - 1;
+ while ((value_end > 0) && (htp_is_lws(data[value_end]))) {
+ value_end--;
+ }
+ h->value = bstr_dup_mem(data, value_end + 1);
 if (h->value == NULL) {
 bstr_free(h->name);
 return HTP_ERROR;

From c2b5df11d9ea32eada91166a0e98e6171df6659b Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 30 Apr 2024 14:11:59 +0200
Subject: [PATCH 2/3] fuzz: flush to get full assertion text before the print of AddressSanitizer:DEADLYSIGNAL
---
 test/fuzz/fuzz_diff.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/test/fuzz/fuzz_diff.c b/test/fuzz/fuzz_diff.c
index 01ba4bcc..9300aaee 100644
--- a/test/fuzz/fuzz_diff.c
+++ b/test/fuzz/fuzz_diff.c
@@ -339,6 +339,7 @@ static int txDiff(void* rstx, htp_tx_t * ctx) {
 uint32_t rsnbh = htp_tx_request_headers_size(rstx);
 if (rsnbh != nbhc) {
 printf("Assertion failure: got nbheaders c=%d versus rust=%d\n", nbhc, rsnbh);
+ fflush(stdout);
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 abort();
 #endif
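Review bot: In the empty-name branch of htp_parse_request_header_generic (htp/htp_request_generic.c, hunk at -172), `value_end = len - 1;` has no guard for `len == 0`: if `value_end` and `len` are unsigned (their declarations are outside the hunk), the subtraction wraps and `htp_is_lws(data[value_end])` reads far outside the header buffer. Whether an earlier check rules out an empty line on this path is not visible here, so either confirm that or count from the end instead: `value_end = len;`, `while ((value_end > 0) && htp_is_lws(data[value_end - 1])) value_end--;`, `h->value = bstr_dup_mem(data, value_end);`. That form also trims a value made only of LWS down to empty, whereas the loop as written stops at index 0 and keeps one whitespace byte; check which of the two libhtp-rs produces, since parity with it is the commit's stated goal. The function body starts and ends outside the hunk.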
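Review bot: The `fflush(stdout);` added before `abort()` in txDiff (test/fuzz/fuzz_diff.c, hunk at -339) is repeated verbatim in the six later hunks of this patch (-350, -357, -368, -379 and -386 in txDiff, -401 in connDiff), so every future mismatch report has to remember to add it too. Making stdout unbuffered once at harness start-up, `setvbuf(stdout, NULL, _IONBF, 0);`, or folding the print/flush/abort triple into one helper macro, would cover these sites and any diagnostic printed elsewhere in the file. Whichever place is chosen deserves a short comment such as `/* flush so the mismatch text is not lost when abort() fires */`. txDiff and connDiff both start and end outside these hunks.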
@@ -350,6 +351,7 @@ static int txDiff(void* rstx, htp_tx_t * ctx) {
 void *rsh = htp_tx_request_header_index(rstx, (size_t) i);
 if (bstrDiff(htp_header_name(rsh), h->name, "header-name")) {
 printf("request header %d is different\n", i);
+ fflush(stdout);
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 abort();
 #endif
@@ -357,6 +359,7 @@ static int txDiff(void* rstx, htp_tx_t * ctx) {
 }
 if (bstrDiff(htp_header_value(rsh), h->value, "header-value")) {
 printf("request header %d is different\n", i);
+ fflush(stdout);
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 abort();
 #endif
@@ -368,6 +371,7 @@ static int txDiff(void* rstx, htp_tx_t * ctx) {
 rsnbh = htp_tx_response_headers_size(rstx);
 if (rsnbh != nbhc) {
 printf("Assertion failure: got nbheaders c=%d versus rust=%d\n", nbhc, rsnbh);
+ fflush(stdout);
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 abort();
 #endif
@@ -379,6 +383,7 @@ static int txDiff(void* rstx, htp_tx_t * ctx) {
 void *rsh = htp_tx_response_header_index(rstx, (size_t) i);
 if (bstrDiff(htp_header_name(rsh), h->name, "header-name")) {
 printf("response header %d is different\n", i);
+ fflush(stdout);
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 abort();
 #endif
@@ -386,6 +391,7 @@ static int txDiff(void* rstx, htp_tx_t * ctx) {
 }
 if (bstrDiff(htp_header_value(rsh), h->value, "header-value")) {
 printf("response header %d is different\n", i);
+ fflush(stdout);
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 abort();
 #endif
@@ -401,6 +407,7 @@ static int connDiff(void* rsconnp, htp_conn_t * conn) {
 uint32_t c = htp_list_size(conn->transactions);
 if (rs != c) {
 printf("Assertion failure: got nbtx c=%d versus rust=%d\n", c, rs);
+ fflush(stdout);
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 abort();
 #endif

From 202be0f21622352fc3955efaa4112b2fec304dc7 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 30 Apr 2024 14:24:35 +0200
Subject: [PATCH 3/3] fuzz: improve debug output
---
 test/fuzz/fuzz_diff.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/test/fuzz/fuzz_diff.c b/test/fuzz/fuzz_diff.c
index 9300aaee..1dc780e0 100644
--- a/test/fuzz/fuzz_diff.c
+++ b/test/fuzz/fuzz_diff.c
@@ -350,7 +350,7 @@ static int txDiff(void* rstx, htp_tx_t * ctx) {
 htp_header_t *h = (htp_header_t *) htp_table_get_index(ctx->request_headers, i, NULL);
 void *rsh = htp_tx_request_header_index(rstx, (size_t) i);
 if (bstrDiff(htp_header_name(rsh), h->name, "header-name")) {
- printf("request header %d is different\n", i);
+ printf("request header name %d is different\n", i);
 fflush(stdout);
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 abort();
@@ -358,7 +358,7 @@ static int txDiff(void* rstx, htp_tx_t * ctx) {
 return 1;
 }
 if (bstrDiff(htp_header_value(rsh), h->value, "header-value")) {
- printf("request header %d is different\n", i);
+ printf("request header value %d is different\n", i);
 fflush(stdout);
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 abort();
@@ -382,7 +382,7 @@ static int txDiff(void* rstx, htp_tx_t * ctx) {
 htp_header_t *h = (htp_header_t *) htp_table_get_index(ctx->response_headers, i, NULL);
 void *rsh = htp_tx_response_header_index(rstx, (size_t) i);
 if (bstrDiff(htp_header_name(rsh), h->name, "header-name")) {
- printf("response header %d is different\n", i);
+ printf("response header name %d is different\n", i);
 fflush(stdout);
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 abort();
@@ -390,7 +390,7 @@ static int txDiff(void* rstx, htp_tx_t * ctx) {
 return 1;
 }
 if (bstrDiff(htp_header_value(rsh), h->value, "header-value")) {
- printf("response header %d is different\n", i);
+ printf("response header value %d is different\n", i);
 fflush(stdout);
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 abort();