HttpCommon::SourceId source_id);
virtual void clear() { }
virtual const Field& get_buf(unsigned id);
+ virtual uint32_t get_xtradata_mask() { return 0; }
#ifdef REG_TEST
virtual void print_frame(FILE* output);
#endif
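Review bot: `get_xtradata_mask()` is a pure accessor but is declared non-const here, and again in the `override` that returns `xtradata_mask` and in the stream-level wrapper that forwards to `current_frame`, which sits right next to `get_hi_msg_section() const`. Declaring all three const, e.g. `virtual uint32_t get_xtradata_mask() const { return 0; }`, lets code holding a const frame or stream read the mask and documents that the call has no side effects. The three declarations have to change together, because the override must match the virtual's signature. The enclosing class starts and ends outside this hunk.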
dummy_pkt.packet_flags = (source_id == SRC_CLIENT) ? PKT_FROM_CLIENT : PKT_FROM_SERVER;
dummy_pkt.dsize = stream_buf.length;
dummy_pkt.data = stream_buf.data;
+ dummy_pkt.xtradata_mask = 0;
session_data->hi->eval(&dummy_pkt);
+ xtradata_mask = dummy_pkt.xtradata_mask;
}
}
void clear() override;
const Field& get_buf(unsigned id) override;
+ uint32_t get_xtradata_mask() override { return xtradata_mask; }
friend Http2Frame* Http2Frame::new_frame(const uint8_t*, const int32_t, const uint8_t*,
const int32_t, Http2FlowData*, HttpCommon::SourceId);
const Field* start_line = nullptr;
bool error_during_decode = false;
bool hi_abort = false;
+ uint32_t xtradata_mask = 0;
};
#endif
session_data->frame_header_size[source_id], session_data->frame_data[source_id],
session_data->frame_data_size[source_id], source_id);
+ p->xtradata_mask |= stream->get_xtradata_mask();
+
// The current frame now owns these buffers, clear them from the flow data
session_data->frame_header[source_id] = nullptr;
session_data->frame_data[source_id] = nullptr;
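Review bot: The added `p->xtradata_mask |= stream->get_xtradata_mask();` has no comment, and the reason for it is only discoverable by reading the frame code, where the mask is captured from the dummy packet after `hi->eval()`. A one-line comment above it would help, for example `// Copy the xtra data flags http_inspect set on the dummy packet onto the packet being inspected`. Whether `stream` can be null at this point is decided above the hunk and is not visible here, so that is worth confirming while touching the line.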
{ assert(hi_flow_data == nullptr); hi_flow_data = flow_data; }
HttpMsgSection* get_hi_msg_section() const { return hi_msg_section; }
void set_hi_msg_section(HttpMsgSection* section) { hi_msg_section = section; }
+ uint32_t get_xtradata_mask() { return (current_frame != nullptr) ?
+ current_frame->get_xtradata_mask() : 0; }
#ifdef REG_TEST
void print_frame(FILE* output);
#endif
HttpMsgSection* HttpContextData::get_snapshot(const Packet* p)
{
- // FIXIT-H checking for nullptr prevents a crash but it doesn't solve the problem of making
- // xtra data work with H2I
- if ((p != nullptr) && (Http2FlowData::inspector_id != 0))
+ assert(p != nullptr);
+
+ if (Http2FlowData::inspector_id != 0)
{
const Http2FlowData* const h2i_flow_data =
- (Http2FlowData*)p->flow->get_flow_data(Http2FlowData::inspector_id);
+ (Http2FlowData*)p->flow->get_flow_data(Http2FlowData::inspector_id);
if (h2i_flow_data != nullptr)
return h2i_flow_data->get_hi_msg_section();
}
- IpsContext* context = p ? p->context : nullptr;
HttpContextData* hcd = (HttpContextData*)DetectionEngine::get_data(HttpContextData::ips_id,
- context);
+ p->context);
+
+ if ( !hcd )
+ return nullptr;
+
+ return hcd->current_section;
+}
+
+HttpMsgSection* HttpContextData::get_snapshot(const Flow* flow)
+{
+ assert(flow != nullptr);
+
+ if (Http2FlowData::inspector_id != 0)
+ {
+ const Http2FlowData* const h2i_flow_data =
+ (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
+ if (h2i_flow_data != nullptr)
+ return h2i_flow_data->get_hi_msg_section();
+ }
+
+ HttpContextData* hcd = (HttpContextData*)DetectionEngine::get_data(HttpContextData::ips_id,
+ nullptr);
if ( !hcd )
return nullptr;
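Review bot: The runtime `p != nullptr` guard in `get_snapshot(const Packet*)` is replaced by `assert(p != nullptr)`, and the new `get_snapshot(const Flow*)` overload guards `flow` the same way, so a build with NDEBUG defined dereferences a null pointer instead of returning nullptr. `p->flow` is also dereferenced without a check, as it already was before this change. The `get_xtra_trueip`, `get_xtra_uri`, `get_xtra_host` and `get_xtra_jsnorm` callbacks now pass their `Flow*` argument straight through, and whether every caller guarantees a non-null value is not visible here. Because this code handles state derived from untrusted traffic, keeping a cheap runtime fallback after the assert, such as `if (flow == nullptr) return nullptr;`, would turn a missed invariant into a lost xtra-data record rather than a crash of the sensor. The body of the Flow overload continues past the end of the hunk.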
static void init()
{ ips_id = IpsContextData::get_ips_id(); }
static HttpMsgSection* get_snapshot(const snort::Packet* p);
+ static HttpMsgSection* get_snapshot(const snort::Flow* flow);
static void save_snapshot(HttpMsgSection* section);
static HttpMsgSection* clear_snapshot(snort::IpsContext* context);
static unsigned ips_id;
return get_buf(ibt, p, b);
}
-int HttpInspect::get_xtra_trueip(Flow*, uint8_t** buf, uint32_t* len, uint32_t* type)
+int HttpInspect::get_xtra_trueip(Flow* flow, uint8_t** buf, uint32_t* len, uint32_t* type)
{
- HttpMsgSection* current_section = HttpContextData::get_snapshot(nullptr);
+ HttpMsgSection* current_section = HttpContextData::get_snapshot(flow);
if (current_section == nullptr)
return 0;
return 1;
}
-int HttpInspect::get_xtra_uri(Flow*, uint8_t** buf, uint32_t* len, uint32_t* type)
+int HttpInspect::get_xtra_uri(Flow* flow, uint8_t** buf, uint32_t* len, uint32_t* type)
{
- HttpMsgSection* current_section = HttpContextData::get_snapshot(nullptr);
+ HttpMsgSection* current_section = HttpContextData::get_snapshot(flow);
if (current_section == nullptr)
return 0;
return 1;
}
-int HttpInspect::get_xtra_host(Flow*, uint8_t** buf, uint32_t* len, uint32_t* type)
+int HttpInspect::get_xtra_host(Flow* flow, uint8_t** buf, uint32_t* len, uint32_t* type)
{
- HttpMsgSection* current_section = HttpContextData::get_snapshot(nullptr);
+ HttpMsgSection* current_section = HttpContextData::get_snapshot(flow);
if (current_section == nullptr)
return 0;
// The name of this method reflects its legacy purpose. We actually return the normalized data
// from a response message body which may include other forms of normalization in addition to
// JavaScript normalization. But if you don't turn JavaScript normalization on you get nothing.
-int HttpInspect::get_xtra_jsnorm(Flow*, uint8_t** buf, uint32_t* len, uint32_t* type)
+int HttpInspect::get_xtra_jsnorm(Flow* flow, uint8_t** buf, uint32_t* len, uint32_t* type)
{
- HttpMsgSection* current_section = HttpContextData::get_snapshot(nullptr);
+ HttpMsgSection* current_section = HttpContextData::get_snapshot(flow);
if ((current_section == nullptr) ||
(current_section->get_source_id() != SRC_SERVER) ||