http: fix multipart body tracking slowdown

Optimize HTTP multipart body parsing. Big records that were not files
could slow down Suricata. The reason was that the body tracker was not
moved forward. This lead to growing body buffers, which were expensive
wrt memory and inspection.

This patch add logic to move the tracker forward in this case.

diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c
index 5fd0949296b848dfb4e5b67239dbc7995f14545b..caf2ea53076d784e97c81431fd35e8320af4ee33 100644 (file)
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@@ -1552,6 +1552,19 @@ next:
                     (uint8_t *) "\r\n\r\n", 4);
         }
     }
+
+    /* if we're parsing the multipart and we're not currently processing a
+     * file, we move the body pointer forward. */
+    if (form_end == NULL && !(htud->tsflags & HTP_FILENAME_SET) && header_start == NULL) {
+        if (chunks_buffer_len > expected_boundary_end_len) {
+            uint32_t move = chunks_buffer_len - expected_boundary_end_len + 1;
+
+            htud->request_body.body_parsed += move;
+            SCLogDebug("form not ready, file not set, parsing non-file "
+                    "record: moved %u", move);
+        }
+    }
+
 end:
     if (expected_boundary != NULL) {
         HTPFree(expected_boundary, expected_boundary_len);