Fix 13 audit issues: TLS zeroization, resource caps, info leak, defensive coding

georgeglarson · claude · georgeglarson · commit 576e56f03ad0 · 2026-02-18T13:01:45.000-05:00
HIGH: Zeroize cloned TLS 1.3 secrets after key derivation; zeroize
decrypted plaintext after copying to connection buffer.

MEDIUM: Cap HTTP/2 discard_header_bufs at 64 entries (was 1000);
cap HTTP continuation header values at 8KB; use saturating_add for
TUI memory tracking; cap DNS detail display at 100 records/section;
cap HTTP message display at 256KB; cap format_hex input at 16KB.

LOW: Remove zombie connections on handshake buffer overflow; redact
StreamKey from eprintln warning; add context to regex error message;
replace unwrap with expect on guarded HashMap remove.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/main.rs b/src/main.rs
@@ -127,7 +127,8 @@ fn main() -> Result<()> {
             Some(
                 regex::bytes::RegexBuilder::new(&pat)
                     .size_limit(10 * 1024 * 1024)
-                    .build()?,
+                    .build()
+                    .context(format!("Invalid regex pattern: {}", p))?,
             )
         }
         None => None,
diff --git a/src/output/mod.rs b/src/output/mod.rs
@@ -442,8 +442,13 @@ fn format_addr(ip: Option<std::net::IpAddr>, port: Option<u16>) -> String {
 }
 
 /// Build hex + ASCII dump as a String.
+/// Input is capped at 16 KB to prevent unbounded output.
 pub fn format_hex(data: &[u8]) -> String {
     use std::fmt::Write;
+    const MAX_HEX_INPUT: usize = 16 * 1024;
+    let original_len = data.len();
+    let truncated = original_len > MAX_HEX_INPUT;
+    let data = &data[..data.len().min(MAX_HEX_INPUT)];
     let mut out = String::new();
     for (i, chunk) in data.chunks(16).enumerate() {
         write!(out, "{:08x}  ", i * 16).unwrap();
@@ -473,6 +478,9 @@ pub fn format_hex(data: &[u8]) -> String {
         }
         out.push_str("|\n");
     }
+    if truncated {
+        writeln!(out, "[... truncated, {} bytes total]", original_len).unwrap();
+    }
     out
 }
 
diff --git a/src/protocol/http.rs b/src/protocol/http.rs
@@ -248,7 +248,11 @@ pub fn parse_http(data: &[u8]) -> Vec<HttpMessage> {
         for line in lines {
             if (line.starts_with(' ') || line.starts_with('\t')) && !headers.is_empty() {
                 // Continuation line: append to previous header value
+                // Cap individual header value size to prevent abuse via many continuation lines.
                 if let Some(last) = headers.last_mut() {
+                    if last.1.len() + line.len() + 1 > 8192 {
+                        break;
+                    }
                     last.1.push(' ');
                     last.1.push_str(line.trim());
                 }
diff --git a/src/protocol/http2.rs b/src/protocol/http2.rs
@@ -25,6 +25,10 @@ const MAX_FRAME_PAYLOAD: usize = 16_777_215; // 2^24 - 1
 const MAX_STREAMS_PER_CONN: usize = 1_000;
 const MAX_HEADER_BLOCK: usize = 65_536;
 const MAX_DATA_PER_STREAM: usize = 1_048_576; // 1 MB
+/// Cap on discard_header_bufs entries (streams with incomplete CONTINUATION
+/// sequences).  Much smaller than MAX_STREAMS_PER_CONN because each entry
+/// can hold up to MAX_HEADER_BLOCK (64 KB) of buffered header data.
+const MAX_DISCARD_HEADER_BUFS: usize = 64;
 /// M1: Reduced from 10,000 to 2,000 to cap compound memory usage.
 /// 2,000 connections * 2 MB * 2 directions = ~8 GB worst case.
 const MAX_CONNECTIONS: usize = 2_000;
@@ -299,7 +303,7 @@ impl H2Tracker {
                                 H2Direction::ServerToClient => &mut conn.server_decoder,
                             };
                             let _ = decoder.decode(header_block);
-                        } else if conn.discard_header_bufs.len() < MAX_STREAMS_PER_CONN {
+                        } else if conn.discard_header_bufs.len() < MAX_DISCARD_HEADER_BUFS {
                             // No END_HEADERS — accumulate fragments for HPACK
                             // decode when the final CONTINUATION arrives.
                             // Cap discard_header_bufs to prevent memory exhaustion.
@@ -469,7 +473,7 @@ impl H2Tracker {
                             H2Direction::ServerToClient => &mut conn.server_decoder,
                         };
                         let _ = decoder.decode(header_block);
-                    } else if conn.discard_header_bufs.len() < MAX_STREAMS_PER_CONN {
+                    } else if conn.discard_header_bufs.len() < MAX_DISCARD_HEADER_BUFS {
                         // No END_HEADERS — accumulate fragments for HPACK
                         // decode when the final CONTINUATION arrives.
                         // Cap discard_header_bufs to prevent memory exhaustion.
diff --git a/src/reassembly/mod.rs b/src/reassembly/mod.rs
@@ -173,7 +173,10 @@ impl DirectionBuffer {
                 .copied();
             match overlapping {
                 Some(seg_seq) => {
-                    let seg_data = self.reorder_buf.remove(&seg_seq).unwrap();
+                    let seg_data = self
+                        .reorder_buf
+                        .remove(&seg_seq)
+                        .expect("seg_seq found by preceding .find().copied()");
                     let overlap = expected.wrapping_sub(seg_seq) as usize;
                     if overlap < seg_data.len() {
                         if !self.truncated {
diff --git a/src/tls/mod.rs b/src/tls/mod.rs
@@ -166,9 +166,8 @@ impl TlsDecryptor {
         };
         if overflow {
             eprintln!(
-                "Warning: TLS {} buffer overflow for {:?}, removing connection",
+                "Warning: TLS {} buffer overflow, removing connection",
                 if from_client { "client" } else { "server" },
-                key
             );
             self.connections.remove(key);
             return;
@@ -306,15 +305,19 @@ impl TlsDecryptor {
                 }
                 // After CCS, handshake records (Finished) are encrypted — decrypt to advance seq
                 TlsRecordType::Handshake | TlsRecordType::ApplicationData => {
-                    if let Some(plaintext) = self.decrypt_record(key, &record, src_ip, src_port)
-                        && record.hdr.record_type == TlsRecordType::ApplicationData
-                        && let Some(conn) = self.connections.get_mut(key)
+                    if let Some(mut plaintext) = self.decrypt_record(key, &record, src_ip, src_port)
                     {
-                        let remaining = MAX_DECRYPTED_BYTES.saturating_sub(conn.decrypted.len());
-                        let to_copy = plaintext.len().min(remaining);
-                        if to_copy > 0 {
-                            conn.decrypted.extend_from_slice(&plaintext[..to_copy]);
+                        if record.hdr.record_type == TlsRecordType::ApplicationData {
+                            if let Some(conn) = self.connections.get_mut(key) {
+                                let remaining =
+                                    MAX_DECRYPTED_BYTES.saturating_sub(conn.decrypted.len());
+                                let to_copy = plaintext.len().min(remaining);
+                                if to_copy > 0 {
+                                    conn.decrypted.extend_from_slice(&plaintext[..to_copy]);
+                                }
+                            }
                         }
+                        plaintext.zeroize();
                     }
                 }
                 _ => {}
@@ -349,21 +352,32 @@ impl TlsDecryptor {
         // complete messages (a single TLS record can contain multiple handshake
         // messages). We extract one message per iteration while holding the
         // borrow, release it to call process_handshake, then re-acquire.
+        // Check overflow before taking mutable borrow for extend.
+        let overflow = match self.connections.get(key) {
+            Some(conn) => {
+                let buf_len = if from_client {
+                    conn.handshake_buf_client.len()
+                } else {
+                    conn.handshake_buf_server.len()
+                };
+                buf_len + data.len() > MAX_HANDSHAKE_BUF
+            }
+            None => return,
+        };
+        if overflow {
+            self.connections.remove(key);
+            return;
+        }
         {
             let conn = match self.connections.get_mut(key) {
                 Some(c) => c,
                 None => return,
             };
-            let buf = if from_client {
-                &mut conn.handshake_buf_client
+            if from_client {
+                conn.handshake_buf_client.extend_from_slice(data);
             } else {
-                &mut conn.handshake_buf_server
-            };
-            if buf.len() + data.len() > MAX_HANDSHAKE_BUF {
-                buf.clear();
-                return;
+                conn.handshake_buf_server.extend_from_slice(data);
             }
-            buf.extend_from_slice(data);
         }
 
         loop {
@@ -484,14 +498,17 @@ impl TlsDecryptor {
         hash_algo: hkdf::Algorithm,
         aead_algo: &'static aead::Algorithm,
     ) {
-        let secrets = match self.keylog.tls13_secrets.get(client_random) {
+        let mut secrets = match self.keylog.tls13_secrets.get(client_random) {
             Some(s) => s.clone(),
             None => return,
         };
 
         let conn = match self.connections.get_mut(key) {
             Some(c) => c,
-            None => return,
+            None => {
+                secrets.zeroize();
+                return;
+            }
         };
 
         // Derive application traffic keys
@@ -517,6 +534,7 @@ impl TlsDecryptor {
         {
             conn.server_hs_keys = Some(keys);
         }
+        secrets.zeroize();
     }
 
     fn derive_tls12_keys(
diff --git a/src/tui/event.rs b/src/tui/event.rs
@@ -188,23 +188,25 @@ impl CaptureEvent {
             ("DNS Q".into(), format!("{} {}", qname, qtype))
         };
 
+        // Cap record display at 100 entries per section to bound memory.
+        const MAX_DISPLAY_RECORDS: usize = 100;
         let mut display = String::new();
-        for q in &info.questions {
+        for q in info.questions.iter().take(MAX_DISPLAY_RECORDS) {
             display.push_str(&format!("Q: {} {}\n", q.name, q.qtype));
         }
-        for r in &info.answers {
+        for r in info.answers.iter().take(MAX_DISPLAY_RECORDS) {
             display.push_str(&format!(
                 "A: {} {} {} TTL={}\n",
                 r.name, r.rtype, r.rdata, r.ttl
             ));
         }
-        for r in &info.authorities {
+        for r in info.authorities.iter().take(MAX_DISPLAY_RECORDS) {
             display.push_str(&format!(
                 "AUTH: {} {} {} TTL={}\n",
                 r.name, r.rtype, r.rdata, r.ttl
             ));
         }
-        for r in &info.additionals {
+        for r in info.additionals.iter().take(MAX_DISPLAY_RECORDS) {
             display.push_str(&format!(
                 "ADD: {} {} {} TTL={}\n",
                 r.name, r.rtype, r.rdata, r.ttl
@@ -282,12 +284,26 @@ impl CaptureEvent {
 
         let header = format!("HTTP {} {}{}", stream_id, &info, count_suffix);
 
-        // Combine all messages into the display
-        let display: String = messages
-            .iter()
-            .map(|msg| msg.display_string())
-            .collect::<Vec<_>>()
-            .join("\n---\n");
+        // Combine all messages into the display, capping total size.
+        const MAX_DISPLAY_BYTES: usize = 256 * 1024;
+        let mut display = String::new();
+        for (i, msg) in messages.iter().enumerate() {
+            if i > 0 {
+                display.push_str("\n---\n");
+            }
+            let s = msg.display_string();
+            let remaining = MAX_DISPLAY_BYTES.saturating_sub(display.len());
+            if remaining == 0 {
+                display.push_str("\n[truncated]");
+                break;
+            }
+            if s.len() > remaining {
+                display.push_str(&s[..remaining]);
+                display.push_str("\n[truncated]");
+                break;
+            }
+            display.push_str(&s);
+        }
 
         CaptureEvent {
             id,
diff --git a/src/tui/mod.rs b/src/tui/mod.rs
@@ -176,7 +176,7 @@ pub fn run_tui(
         let auto_select = app.events.is_empty();
         while let Ok(event) = rx.try_recv() {
             if app.events.len() < MAX_TUI_EVENTS && app.events_bytes < MAX_TUI_BYTES {
-                app.events_bytes += event.approx_bytes();
+                app.events_bytes = app.events_bytes.saturating_add(event.approx_bytes());
                 app.events.push(event);
             } else {
                 // M22: Track dropped events

Original file line number	Diff line number	Diff line change
`@@ -127,7 +127,8 @@ fn main() -> Result<()> {`
`127`	`127`	`Some(`
`128`	`128`	`regex::bytes::RegexBuilder::new(&pat)`
`129`	`129`	`.size_limit(10 * 1024 * 1024)`
`130`		`- .build()?,`
	`130`	`+ .build()`
	`131`	`+ .context(format!("Invalid regex pattern: {}", p))?,`
`131`	`132`	`)`
`132`	`133`	`}`
`133`	`134`	`None => None,`
Original file line number	Diff line number	Diff line change
`@@ -442,8 +442,13 @@ fn format_addr(ip: Option<std::net::IpAddr>, port: Option<u16>) -> String {`
`442`	`442`	`}`
`443`	`443`
`444`	`444`	`/// Build hex + ASCII dump as a String.`
	`445`	`+/// Input is capped at 16 KB to prevent unbounded output.`
`445`	`446`	`pub fn format_hex(data: &[u8]) -> String {`
`446`	`447`	`use std::fmt::Write;`
	`448`	`+ const MAX_HEX_INPUT: usize = 16 * 1024;`
	`449`	`+ let original_len = data.len();`
	`450`	`+ let truncated = original_len > MAX_HEX_INPUT;`
	`451`	`+ let data = &data[..data.len().min(MAX_HEX_INPUT)];`
`447`	`452`	`let mut out = String::new();`
`448`	`453`	`for (i, chunk) in data.chunks(16).enumerate() {`
`449`	`454`	`write!(out, "{:08x} ", i * 16).unwrap();`
`@@ -473,6 +478,9 @@ pub fn format_hex(data: &[u8]) -> String {`
`473`	`478`	`}`
`474`	`479`	`out.push_str("\|\n");`
`475`	`480`	`}`
	`481`	`+ if truncated {`
	`482`	`+ writeln!(out, "[... truncated, {} bytes total]", original_len).unwrap();`
	`483`	`+ }`
`476`	`484`	`out`
`477`	`485`	`}`
`478`	`486`