FoxIO-LLC / ja4

JA4+ is a suite of network fingerprinting standards
https://foxio.io

Don't touch cookie list if there are no cookies #130

Closed Boolean263 closed 1 week ago

Boolean263 commented 1 week ago

In the event that there are no cookies at all, cause create_sorted_cookies() to return early. Prevents null pointer reference.

Boolean263 commented 3 days ago

That's not strictly correct. The boolean ja4h_data.cookie gets set to true if the field "http.cookie" exists, and the list ja4h_data.sorted_cookies gets populated if the field "http.cookie_pair" exists. The two are not guaranteed to both be true: Traffic with a bad cookie will cause "http.cookie" to exist but "http.cookie_pair" to remain empty, in which case create_sorted_cookies() will seg fault.

The actual traffic which caused me to find this crash is confidential, but I've doctored a sample to trigger the bug. The attached pcap contains a single packet from a larger capture from the Wireshark wiki, which has been hand-edited to not have any '=' characters in the cookie. Without this patch, Wireshark seg faults when it reads the file.

Attachment: http_bad_cookie.zip
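The mismatch described in the comment above (a Cookie header is present but no name=value pair parsed out of it), as an added example that is not the plugin's code or part of the original thread. The `cookie_state` struct, the function names, the `,` join character and the sample header strings are constructed for illustration; only the field names `http.cookie` and `http.cookie_pair` come from the thread.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PAIRS 16

/* Hypothetical stand-in for the dissector's per-request state. */
typedef struct {
    bool cookie;             /* a Cookie header was seen ("http.cookie") */
    char *pairs[MAX_PAIRS];  /* parsed name=value pairs ("http.cookie_pair") */
    size_t n_pairs;
} cookie_state;

static int cmp_str(const void *a, const void *b) {
    return strcmp(*(char *const *)a, *(char *const *)b);
}

/* Split a writable Cookie value on ';', keeping only tokens that contain '='. */
void parse_cookie_header(cookie_state *st, char *value) {
    st->cookie = true;
    st->n_pairs = 0;
    for (char *tok = strtok(value, ";"); tok; tok = strtok(NULL, ";")) {
        while (*tok == ' ') tok++;
        if (strchr(tok, '=') && st->n_pairs < MAX_PAIRS)
            st->pairs[st->n_pairs++] = tok;
    }
}

/* Sort the pairs and join them with ','. Returns the number of pairs used. */
size_t sorted_cookie_string(cookie_state *st, char *out, size_t out_len) {
    if (out_len == 0) return 0;
    out[0] = '\0';
    /* Guard: the header flag alone does not prove any pair was parsed. */
    if (!st->cookie || st->n_pairs == 0) return 0;
    qsort(st->pairs, st->n_pairs, sizeof st->pairs[0], cmp_str);
    for (size_t i = 0; i < st->n_pairs; i++) {
        size_t used = strlen(out);
        snprintf(out + used, out_len - used, "%s%s", i ? "," : "", st->pairs[i]);
    }
    return st->n_pairs;
}

/* Convenience wrapper: parse a constructed header value and build the string. */
size_t cookie_pairs_from_header(const char *header, char *out, size_t out_len) {
    char buf[256];
    cookie_state st;
    snprintf(buf, sizeof buf, "%s", header);
    parse_cookie_header(&st, buf);
    return sorted_cookie_string(&st, out, out_len);
}
```

A header such as `sessionid-abc123; theme` sets the flag but yields zero pairs, so the guard returns an empty string instead of sorting or indexing an empty list.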

Boolean263 commented 3 days ago

(I realize now my original description of the change was misleading. My apologies for that.)