From: Victor Julien Date: Sun, 24 Nov 2019 08:16:46 +0000 (+0100) Subject: files: move smtp prune logic to main X-Git-Tag: suricata-5.0.1~33 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4ac9cd2c70dbe887f004deb905d1f08b1bc4efcc;p=thirdparty%2Fsuricata.git files: move smtp prune logic to main Now that we call the file prune loop very regularly, we can move the SMTP specific inspection pruning logic into this loop. Helps with cases there we don't (often) update a files inspection trackers. --- diff --git a/src/app-layer-smtp.c b/src/app-layer-smtp.c index e13e8af149..05946af0b4 100644 --- a/src/app-layer-smtp.c +++ b/src/app-layer-smtp.c @@ -368,41 +368,6 @@ static SMTPTransaction *SMTPTransactionCreate(void) return tx; } -/** \internal - * \brief update inspected tracker if it gets to far behind - * - * As smtp uses the FILE_USE_DETECT flag in the file API, we are responsible - * for making sure that File::content_inspected is not getting too far - * behind. - */ -static void SMTPPruneFiles(FileContainer *files) -{ - SCLogDebug("cfg: win %"PRIu32" min_size %"PRIu32, - smtp_config.content_inspect_window, smtp_config.content_inspect_min_size); - - File *file = files->head; - while (file) { - SCLogDebug("file %p", file); - uint32_t window = smtp_config.content_inspect_window; - if (file->sb->stream_offset == 0) - window = MAX(window, smtp_config.content_inspect_min_size); - - uint64_t file_size = FileDataSize(file); - uint64_t data_size = file_size - file->sb->stream_offset; - - SCLogDebug("window %"PRIu32", file_size %"PRIu64", data_size %"PRIu64, - window, file_size, data_size); - - if (data_size > (window * 3)) { - uint64_t left_edge = file_size - window; - SCLogDebug("file->content_inspected now %"PRIu64, left_edge); - file->content_inspected = left_edge; - } - - file = file->next; - } -} - static void FlagDetectStateNewFile(SMTPTransaction *tx) { if (tx && tx->de_state) { @@ -473,6 +438,8 @@ int SMTPProcessDataChunk(const uint8_t *chunk, uint32_t len, SCLogDebug("FileOpenFile() failed"); } FlagDetectStateNewFile(smtp_state->curr_tx); + files->tail->inspect_window = smtp_config.content_inspect_window; + files->tail->inspect_min_size = smtp_config.content_inspect_min_size; /* If close in the same chunk, then pass in empty bytes */ if (state->body_end) { @@ -562,11 +529,6 @@ int SMTPProcessDataChunk(const uint8_t *chunk, uint32_t len, } else { SCLogDebug("Body not a Ctnt_attachment"); } - - if (files != NULL) { - SMTPPruneFiles(files); - } - SCReturnInt(ret); } diff --git a/src/util-file.c b/src/util-file.c index 88a53d1357..aaf631c767 100644 --- a/src/util-file.c +++ b/src/util-file.c @@ -319,6 +319,26 @@ static int FilePruneFile(File *file) } if (file->flags & FILE_USE_DETECT) { left_edge = MIN(left_edge, file->content_inspected); + + /* if file has inspect window and min size set, we + * do some house keeping here */ + if (file->inspect_window != 0 && file->inspect_min_size != 0) { + uint32_t window = file->inspect_window; + if (file->sb->stream_offset == 0) + window = MAX(window, file->inspect_min_size); + + uint64_t file_size = FileDataSize(file); + uint64_t data_size = file_size - file->sb->stream_offset; + + SCLogDebug("window %"PRIu32", file_size %"PRIu64", data_size %"PRIu64, + window, file_size, data_size); + + if (data_size > (window * 3)) { + left_edge = file_size - window; + SCLogDebug("file->content_inspected now %"PRIu64, left_edge); + file->content_inspected = left_edge; + } + } } if (left_edge) { diff --git a/src/util-file.h b/src/util-file.h index e8077d15ed..2a77a0fba0 100644 --- a/src/util-file.h +++ b/src/util-file.h @@ -87,6 +87,8 @@ typedef struct File_ { * flag is set */ uint64_t content_stored; uint64_t size; + uint32_t inspect_window; + uint32_t inspect_min_size; uint64_t start; uint64_t end;