From: Victor Julien <victor@inliniac.net>
Date: Fri, 12 Feb 2016 15:31:57 +0000 (+0100)
Subject: http: fix multipart body tracking slowdown
X-Git-Tag: suricata-3.0.1RC1~150
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a22ba7e23deef9ab432d048828169f663dd247b;p=thirdparty%2Fsuricata.git

http: fix multipart body tracking slowdown

Optimize HTTP multipart body parsing. Big records that were not files
could slow down Suricata. The reason was that the body tracker was not
moved forward. This lead to growing body buffers, which were expensive
wrt memory and inspection.

This patch add logic to move the tracker forward in this case.
---

diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c
index 5fd0949296..caf2ea5307 100644
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@@ -1552,6 +1552,19 @@ next:
                     (uint8_t *) "\r\n\r\n", 4);
         }
     }
+
+    /* if we're parsing the multipart and we're not currently processing a
+     * file, we move the body pointer forward. */
+    if (form_end == NULL && !(htud->tsflags & HTP_FILENAME_SET) && header_start == NULL) {
+        if (chunks_buffer_len > expected_boundary_end_len) {
+            uint32_t move = chunks_buffer_len - expected_boundary_end_len + 1;
+
+            htud->request_body.body_parsed += move;
+            SCLogDebug("form not ready, file not set, parsing non-file "
+                    "record: moved %u", move);
+        }
+    }
+
 end:
     if (expected_boundary != NULL) {
         HTPFree(expected_boundary, expected_boundary_len);