Closed Boolean263 closed 1 week ago
That's not strictly correct. The boolean ja4h_data.cookie gets set to true if the field "http.cookie" exists, and the list ja4h_data.sorted_cookies gets populated if the field "http.cookie_pair" exists. The two are not guaranteed to both be true: Traffic with a bad cookie will cause "http.cookie" to exist but "http.cookie_pair" to remain empty, in which case create_sorted_cookies() will seg fault.
The actual traffic which caused me to find this crash is confidential, but I've doctored a sample to trigger the bug. The attached pcap contains a single packet from a larger capture from the Wireshark wiki, which has been hand-edited to not have any '=' characters in the cookie. Without this patch, Wireshark seg faults when it reads the file.
Attachment: http_bad_cookie.zip
(I realize now my original description of the change was misleading. My apologies for that.)
In the event that there are no cookies at all, cause create_sorted_cookies() to return early. Prevents null pointer reference.
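The mismatch described in this thread, modelled as an added example that is not the plugin's code: a "header seen" flag and a "parsed pairs" list are filled from different conditions, so the guard has to test the list itself. The struct, the function names and the comma-joined output are hypothetical, and the header value in `main` is constructed.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#define MAX_PAIRS 16

/* Hypothetical stand-in for the per-request state discussed above. */
struct req_state {
    bool cookie;             /* a Cookie header was present */
    char *pairs[MAX_PAIRS];  /* only well-formed name=value tokens */
    size_t n_pairs;
};

static int cmp_str(const void *a, const void *b) {
    return strcmp(*(char *const *)a, *(char *const *)b);
}

/* Fill the state from a raw Cookie header value (buf is modified in place). */
void parse_cookie_header(struct req_state *st, char *buf) {
    memset(st, 0, sizeof *st);
    st->cookie = true;       /* set for any header, even a malformed one */
    for (char *tok = strtok(buf, ";"); tok && st->n_pairs < MAX_PAIRS;
         tok = strtok(NULL, ";")) {
        while (*tok == ' ') tok++;
        if (strchr(tok, '='))    /* tokens without '=' never become pairs */
            st->pairs[st->n_pairs++] = tok;
    }
}

/* Sort the pairs and join them with ','. Returns NULL when the list is
 * empty, whatever st->cookie says. Caller frees the result. */
char *sorted_cookies(struct req_state *st) {
    if (st->n_pairs == 0)    /* early return: guard on the list, not the flag */
        return NULL;
    qsort(st->pairs, st->n_pairs, sizeof st->pairs[0], cmp_str);
    size_t len = 0;
    for (size_t i = 0; i < st->n_pairs; i++) len += strlen(st->pairs[i]) + 1;
    char *out = malloc(len);
    if (!out) return NULL;
    out[0] = '\0';
    for (size_t i = 0; i < st->n_pairs; i++) {
        strcat(out, i ? "," : "");
        strcat(out, st->pairs[i]);
    }
    return out;
}

int main(void) {
    struct req_state st;
    char bad[] = "sessionid; theme";   /* constructed: cookie with no '=' */
    parse_cookie_header(&st, bad);
    return sorted_cookies(&st) == NULL ? 0 : 1;
}
```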