Merge pull request #2176 in SNORT/snort3 from ~KATHARVE/snort3:h2i_file to master

Squashed commit of the following:

commit 411b5c0939961bb2a96f45f988bc920c25c8f104
Author: Katura Harvey <katharve@cisco.com>
Date:   Mon Apr 20 13:55:27 2020 -0400

    http_inspect: add support for http2 file processing

diff --git a/src/service_inspectors/http_inspect/http_msg_header.cc b/src/service_inspectors/http_inspect/http_msg_header.cc
index e40bbd96eaa0cf53d476594f490d7fa3d715efd9..6131f8e18a93adfb823fdd0998b0a90fe2221758 100644 (file)
--- a/src/service_inspectors/http_inspect/http_msg_header.cc
+++ b/src/service_inspectors/http_inspect/http_msg_header.cc
@@ -54,13 +54,7 @@ HttpMsgHeader::HttpMsgHeader(const uint8_t* buffer, const uint16_t buf_size,
 
 void HttpMsgHeader::publish()
 {
-    uint32_t stream_id = 0;
-    if (session_data->for_http2)
-    {
-        Http2FlowData* h2i_flow_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
-        assert(h2i_flow_data);
-        stream_id = h2i_flow_data->get_current_stream_id(source_id);
-    }
+    const uint32_t stream_id = get_h2_stream_id(source_id);
 
     HttpEvent http_event(this, session_data->for_http2, stream_id);
 
@@ -409,7 +403,8 @@ void HttpMsgHeader::prepare_body()
 void HttpMsgHeader::setup_file_processing()
 {
     // Generate the unique file id for file processing
-    transaction->set_file_processing_id(source_id, get_transaction_id());
+    transaction->set_file_processing_id(source_id, get_transaction_id(),
+        get_h2_stream_id(source_id));
 
     if ((session_data->file_depth_remaining[source_id] = FileService::get_max_file_depth()) < 0)
     {

diff --git a/src/service_inspectors/http_inspect/http_msg_section.cc b/src/service_inspectors/http_inspect/http_msg_section.cc
index c138de36900c8a043821da1e57b514998c6e47aa..43b4be6c5f92c7bfa15eac0503e38de4dfb61b1f 100644 (file)
--- a/src/service_inspectors/http_inspect/http_msg_section.cc
+++ b/src/service_inspectors/http_inspect/http_msg_section.cc
@@ -395,6 +395,21 @@ void HttpMsgSection::get_related_sections()
     trailer[SRC_SERVER] = transaction->get_trailer(SRC_SERVER);
 }
 
+uint32_t HttpMsgSection::get_h2_stream_id(HttpCommon::SourceId source_id)
+{
+    if (h2_stream_id != STAT_NOT_COMPUTE)
+        return h2_stream_id;
+    if (session_data->for_http2)
+    {
+        Http2FlowData* h2i_flow_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
+        assert(h2i_flow_data);
+        h2_stream_id = h2i_flow_data->get_current_stream_id(source_id);
+    }
+    else
+       h2_stream_id = 0;
+    return h2_stream_id;
+}
+
 void HttpMsgSection::clear()
 {
     transaction->clear_section();

diff --git a/src/service_inspectors/http_inspect/http_msg_section.h b/src/service_inspectors/http_inspect/http_msg_section.h
index 844f52228277a460a4e1b07f6d5220244b29db47..97e698d89ae817ead46226de46fa1bd68f42e9cc 100644 (file)
--- a/src/service_inspectors/http_inspect/http_msg_section.h
+++ b/src/service_inspectors/http_inspect/http_msg_section.h
@@ -107,6 +107,9 @@ protected:
     HttpEnums::MethodId method_id;
     const bool tcp_close;
 
+    int64_t h2_stream_id = HttpCommon::STAT_NOT_COMPUTE;
+    uint32_t get_h2_stream_id(HttpCommon::SourceId source_id);
+
     // Pointers to related message sections in the same transaction
     HttpMsgRequest* request;
     HttpMsgStatus* status;

diff --git a/src/service_inspectors/http_inspect/http_transaction.cc b/src/service_inspectors/http_inspect/http_transaction.cc
index f05d2556d0a9ce5d4c777f08557ded2f50c896ed..180ec8e89f2a74bd5792afe306fac33b710279ba 100644 (file)
--- a/src/service_inspectors/http_inspect/http_transaction.cc
+++ b/src/service_inspectors/http_inspect/http_transaction.cc
@@ -256,13 +256,15 @@ void HttpTransaction::set_one_hundred_response()
 }
 
 void HttpTransaction::set_file_processing_id(const SourceId source_id,
-    const uint64_t transaction_id)
+    const uint64_t transaction_id, const uint32_t stream_id)
 {
-    const int data_len = sizeof(source_id) + sizeof(transaction_id);
+    const int data_len = sizeof(source_id) + sizeof(transaction_id) + sizeof(stream_id);
     uint8_t data[data_len];
     memcpy(data, (void*)&source_id, sizeof(source_id));
     uint32_t offset = sizeof(source_id);
     memcpy(data + offset, (void*)&transaction_id, sizeof(transaction_id));
+    offset += sizeof(transaction_id);
+    memcpy(data + offset, (void*)&stream_id, sizeof(stream_id));
 
     file_processing_id[source_id] = str_to_hash(data, data_len);
 }

diff --git a/src/service_inspectors/http_inspect/http_transaction.h b/src/service_inspectors/http_inspect/http_transaction.h
index c54580b619da10d1d5d4bf87ef222bbce9f80b9e..fd14372ce85b5e04aaf8168946247481a8dd03ec 100644 (file)
--- a/src/service_inspectors/http_inspect/http_transaction.h
+++ b/src/service_inspectors/http_inspect/http_transaction.h
@@ -68,9 +68,10 @@ public:
 
     HttpTransaction* next = nullptr;
 
-    // Each file processed has a unique id per flow: hash(source_id, transaction_id)
+    // Each file processed has a unique id per flow: hash(source_id, transaction_id, h2_stream_id)
+    // If this is an HTTP/1 flow, h2_stream_id is 0
     void set_file_processing_id(const HttpCommon::SourceId source_id,
-        const uint64_t transaction_id);
+        const uint64_t transaction_id, const uint32_t stream_id);
     uint64_t get_file_processing_id(HttpCommon::SourceId source_id)
         { return file_processing_id[source_id]; }