Diffstat (limited to 'meta-security/recipes-ids/suricata/files/CVE-2024-38535.patch')
-rw-r--r-- | meta-security/recipes-ids/suricata/files/CVE-2024-38535.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/meta-security/recipes-ids/suricata/files/CVE-2024-38535.patch b/meta-security/recipes-ids/suricata/files/CVE-2024-38535.patch
new file mode 100644
index 0000000000..7ac72c8b19
--- /dev/null
+++ b/meta-security/recipes-ids/suricata/files/CVE-2024-38535.patch
@@ -0,0 +1,57 @@
+From 6b00dc36d7527f051c2346f03d20f8d9e5a60138 Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <pantoine@oisf.net>
+Date: Mon, 17 Jun 2024 16:30:49 +0200
+Subject: [PATCH 3/4] http2: do not expand duplicate headers
+
+Ticket: 7104
+
+As this can cause a big mamory allocation due to the quadratic
+nature of the HPACK compression.
+
+(cherry picked from commit 5bd17934df321b88f502d48afdd6cc8bad4787a7)
+
+Upstream-Status: Backport from [https://github.com/OISF/suricata/commit/c82fa5ca0d1ce0bd8f936e0b860707a6571373b2]
+CVE: CVE-2024-38535
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ rust/src/http2/detect.rs | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/rust/src/http2/detect.rs b/rust/src/http2/detect.rs
+index 99261ad..9c2f8ab 100644
+--- a/rust/src/http2/detect.rs
++++ b/rust/src/http2/detect.rs
+@@ -432,11 +432,11 @@ pub fn http2_frames_get_header_value_vec(
+ if found == 0 {
+ vec.extend_from_slice(&block.value);
+ found = 1;
+- } else if found == 1 {
++ } else if found == 1 && Rc::strong_count(&block.name) <= 2 {
+ vec.extend_from_slice(&[b',', b' ']);
+ vec.extend_from_slice(&block.value);
+ found = 2;
+- } else {
++ } else if Rc::strong_count(&block.name) <= 2 {
+ vec.extend_from_slice(&[b',', b' ']);
+ vec.extend_from_slice(&block.value);
+ }
+@@ -469,14 +469,14 @@ fn http2_frames_get_header_value<'a>(
+ if found == 0 {
+ single = Ok(&block.value);
+ found = 1;
+- } else if found == 1 {
++ } else if found == 1 && Rc::strong_count(&block.name) <= 2 {
+ if let Ok(s) = single {
+ vec.extend_from_slice(s);
+ }
+ vec.extend_from_slice(&[b',', b' ']);
+ vec.extend_from_slice(&block.value);
+ found = 2;
+- } else {
++ } else if Rc::strong_count(&block.name) <= 2 {
+ vec.extend_from_slice(&[b',', b' ']);
+ vec.extend_from_slice(&block.value);
+ }
+--
+2.44.0
+ |
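Review bot: The bound `Rc::strong_count(&block.name) <= 2` is repeated four times across the two inner hunks (`http2_frames_get_header_value_vec` at -432 and `http2_frames_get_header_value` at -469) with no comment saying what a count above 2 means, so a reader cannot tell why later values are skipped. I would add a comment at the first use, e.g. `// name Rc shared more than twice: presumably a header repeated via the HPACK dynamic table; skip it to bound the allocation (Ticket 7104)`, and consider a named constant in place of the bare `2`. When the check fails the value is dropped and nothing in the visible lines records that, so the returned buffer is no longer the full comma-joined list; the function docs should state this so rule writers know a match on this buffer may see only the first value. Both function bodies start and end outside the hunks, and this view is limited to the patch file, so whether the recipe's `SRC_URI` lists the patch cannot be confirmed here.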