Merge pull request #2105 in SNORT/snort3 from ~THOPETER/snort3:nhttp137 to master

Squashed commit of the following:

commit f813962863f8f35615109ccea129f68499903e00
Author: Tom Peters <thopeter@cisco.com>
Date:   Tue Mar 24 13:33:49 2020 -0400

    http_inspect: eliminate empty body sections for missing message bodies

diff --git a/src/service_inspectors/http_inspect/http_msg_head_shared.cc b/src/service_inspectors/http_inspect/http_msg_head_shared.cc
index 138a5d9be4d616940927a4d046e4aa0763c2d3d7..4a9f1abfac091edd67d2a3718ae7199cc4ea0ec1 100644 (file)
--- a/src/service_inspectors/http_inspect/http_msg_head_shared.cc
+++ b/src/service_inspectors/http_inspect/http_msg_head_shared.cc
@@ -86,9 +86,14 @@ void HttpMsgHeadShared::parse_header_block()
     int32_t bytes_used = 0;
     num_headers = 0;
     int32_t num_seps;
-    // session_data->num_head_lines is computed without consideration of wrapping and may overstate
-    // actual number of headers. Rely on num_headers which is calculated correctly.
+
+    // The number of header lines in a message may be zero
     header_line = new Field[session_data->num_head_lines[source_id]];
+
+    // session_data->num_head_lines is computed by HttpStreamSplitter without consideration of
+    // wrapping and may occasionally overstate the actual number of headers. That was OK for
+    // allocating space for the header_line array, but henceforth rely on num_headers which is
+    // calculated correctly.
     while (bytes_used < msg_text.length())
     {
         assert(num_headers < session_data->num_head_lines[source_id]);

diff --git a/src/service_inspectors/http_inspect/http_stream_splitter_finish.cc b/src/service_inspectors/http_inspect/http_stream_splitter_finish.cc
index 702775cdccbd0caa68aa83ef70e85ffd036b1e48..1e36d4f336453e72b107534cff76301a53156632 100644 (file)
--- a/src/service_inspectors/http_inspect/http_stream_splitter_finish.cc
+++ b/src/service_inspectors/http_inspect/http_stream_splitter_finish.cc
@@ -102,23 +102,16 @@ bool HttpStreamSplitter::finish(Flow* flow)
         return true;
     }
 
-    // FIXIT-H No longer necessary to send an empty body section because the header section is
-    // always forwarded to detection.
-    // If the message has been truncated immediately following the start line or immediately
-    // following the headers (a body was expected) then we need to process an empty section to
-    // provide an inspection section. Otherwise the start line and headers won't go through
-    // detection.
-    if (((session_data->type_expected[source_id] == SEC_HEADER)     ||
-        (session_data->type_expected[source_id] == SEC_BODY_CL)     ||
-        (session_data->type_expected[source_id] == SEC_BODY_CHUNK)  ||
-        (session_data->type_expected[source_id] == SEC_BODY_OLD))   &&
+    // If the message has been truncated immediately following the start line then we need to
+    // process an empty header section to provide an inspection section. Otherwise the start line
+    // won't go through detection.
+    if ((session_data->type_expected[source_id] == SEC_HEADER)      &&
         (session_data->cutter[source_id] == nullptr)                &&
         (session_data->section_type[source_id] == SEC__NOT_COMPUTE))
     {
-        // Set up to process empty message section
+        // Set up to process empty header section
         uint32_t not_used;
-        prepare_flush(session_data, &not_used, session_data->type_expected[source_id], 0, 0, 0,
-            false, 0, 0);
+        prepare_flush(session_data, &not_used, SEC_HEADER, 0, 0, 0, false, 0, 0);
         return true;
     }