$OpenBSD: patch-src_Flow_cpp,v 1.4 2017/10/17 10:39:12 sthen Exp $

From d7921296810e5a1997bf5b0c69693e28b9ca6491 Mon Sep 17 00:00:00 2001
From: Simone Mainardi <mainardi@ntop.org>
Date: Fri, 13 Oct 2017 16:34:07 +0200
Subject: [PATCH] Fix possible dissectHTTP reads beyond end of payload

Index: src/Flow.cpp
--- src/Flow.cpp.orig
+++ src/Flow.cpp
@@ -2451,8 +2451,9 @@ void Flow::dissectHTTP(bool src2dst_direction, char *p
     h = srv_host->getHTTPstats(); if(h) h->incRequestAsReceiver(payload); /* Rcvd */
     dissect_next_http_packet = true;
 
-    if(payload && ((space = strchr(payload, ' ')) != NULL)) {
-      u_int l = space-payload;
+    /* use memchr to prevent possibly non-NULL terminated HTTP requests */
+    if(payload && ((space = (char*)memchr(payload, ' ', payload_len)) != NULL)) {
+      u_int l = space - payload;
 
       if((!strncmp(payload, "GET", 3))
 	 || (!strncmp(payload, "POST", 4))
@@ -2467,9 +2468,10 @@ void Flow::dissectHTTP(bool src2dst_direction, char *p
 	  protos.http.last_method[l] = '\0';
 	}
 
+	payload_len -= (l + 1);
 	payload = &space[1];
-	if((space = strchr(payload, ' ')) != NULL) {
-	  u_int l = min_val(space-payload, 512); /* Avoid jumbo URLs */
+	if((space = (char*)memchr(payload, ' ', payload_len)) != NULL) {
+	  l = min_val(space - payload, 512); /* Avoid jumbo URLs */
 
 	  /* Stop at the first non-printable char of the HTTP URL */
 	  for(u_int i=0; i<l; i++) {
@@ -2496,11 +2498,14 @@ void Flow::dissectHTTP(bool src2dst_direction, char *p
       h = srv_host->getHTTPstats(); if(h) h->incResponseAsSender(payload); /* Sent */
       dissect_next_http_packet = false;
 
-      if((space = strchr(payload, ' ')) != NULL) {
+      if((space = (char*)memchr(payload, ' ', payload_len)) != NULL) {
+	u_int l = space - payload;
+
+	payload_len -= (l + 1);
 	payload = &space[1];
-	if((space = strchr(payload, ' ')) != NULL) {
+	if((space = (char*)memchr(payload, ' ', payload_len)) != NULL) {
 	  char tmp[32];
-	  int l = min_val((int)(space-payload), (int)(sizeof(tmp)-1));
+	  l = min_val(space - payload, (int)(sizeof(tmp) - 1));
 
 	  strncpy(tmp, payload, l);
 	  tmp[l] = 0;
