From: Victor Julien
Date: Thu, 10 Dec 2015 15:12:05 +0000 (+0100)
Subject: http: improve body pruning
X-Git-Tag: suricata-3.0RC3~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=efdd9e08f2b5dd1dac6a9ed8355a79b11d84cc12;p=thirdparty%2Fsuricata.git

http: improve body pruning

In case the body wasn't inspected the body_inspected variable wouldn't get updated leading to the body not getting pruned at all. This patch adds support for this case.
---

diff --git a/src/app-layer-htp-body.c b/src/app-layer-htp-body.c
index af9609b218..a9a1ba17f0 100644
--- a/src/app-layer-htp-body.c
+++ b/src/app-layer-htp-body.c
@@ -222,7 +222,16 @@ void HtpBodyPrune(HtpState *state, HtpBody *body, int direction)
 window = state->cfg->request_inspect_window;
 }
- if (body->body_inspected < ((min_size > window) ? min_size : window)) {
+ uint64_t max_window = ((min_size > window) ? min_size : window);
+ uint64_t in_flight = body->content_len_so_far - body->body_inspected;
+
+ /* Special case. If body_inspected is not being updated, we make sure that
+ * we prune the body. We allow for some extra size/room as we may be called
+ * multiple times on uninspected body chunk additions if a large block of
+ * data was ack'd at once. Want to avoid pruning before inspection. */
+ if (in_flight > (max_window * 3)) {
+ body->body_inspected = body->content_len_so_far - max_window;
+ } else if (body->body_inspected < max_window) {
 SCReturn;
 }
diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c
index e8da88eb8c..5fd0949296 100644
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@@ -1812,6 +1812,9 @@ int HTPCallbackRequestBodyData(htp_tx_data_t *d)
 }
 }
+ /* see if we can get rid of htp body chunks */
+ HtpBodyPrune(hstate, &tx_ud->request_body, STREAM_TOSERVER);
+
 SCLogDebug("tx_ud->request_body.content_len_so_far %"PRIu64, tx_ud->request_body.content_len_so_far);
 SCLogDebug("hstate->cfg->request_body_limit %u", hstate->cfg->request_body_limit);
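Review bot: The new `in_flight > (max_window * 3)` branch in HtpBodyPrune moves `body_inspected` forward over body data that was never inspected, and nothing records that it did so, so a gap in HTTP body inspection coverage leaves no trace for whoever operates the sensor. I would log it inside the branch, for example `SCLogDebug("body_inspected forced to %"PRIu64" without inspection", body->body_inspected);`, and replace the bare `3` with a named constant that carries its rationale, e.g. `#define HTP_BODY_PRUNE_WINDOW_FACTOR 3` (name constructed for this note). The unsigned subtraction in `in_flight` would also wrap to a very large value if `body_inspected` could ever exceed `content_len_so_far`; the hunk does not show whether that is excluded, so a one-line comment stating the invariant would help. The function starts and ends outside the hunk.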
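Review bot: The relocated `HtpBodyPrune()` call in HTPCallbackRequestBodyData (hunk `@@ -1812,6 +1812,9 @@`) keeps the old comment `/* see if we can get rid of htp body chunks */`, which does not say that its position now matters. The call sits roughly fifty lines earlier than before, presumably ahead of the limit check and the chunk handling, and the later hunk removes it from under `end:`, so any path that jumps to `end:` no longer prunes; whether such paths exist is outside the hunks and worth confirming. I would extend the comment to something like `/* prune before handling the new chunk; paths that skip to end: no longer prune */`. The same applies to HTPCallbackResponseBodyData in hunk `@@ -1911,6 +1911,9 @@`, where the call now visibly precedes `HtpResponseBodyHandle()`. Both functions start and end outside the hunks shown.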
@@ -1863,9 +1866,6 @@ int HTPCallbackRequestBodyData(htp_tx_data_t *d)
 }
 end:
- /* see if we can get rid of htp body chunks */
- HtpBodyPrune(hstate, &tx_ud->request_body, STREAM_TOSERVER);
-
 /* set the new chunk flag */
 hstate->flags |= HTP_FLAG_NEW_BODY_SET;
@@ -1911,6 +1911,9 @@ int HTPCallbackResponseBodyData(htp_tx_data_t *d)
 tx_ud->operation = HTP_BODY_RESPONSE;
 }
+ /* see if we can get rid of htp body chunks */
+ HtpBodyPrune(hstate, &tx_ud->response_body, STREAM_TOCLIENT);
+
 SCLogDebug("tx_ud->response_body.content_len_so_far %"PRIu64, tx_ud->response_body.content_len_so_far);
 SCLogDebug("hstate->cfg->response_body_limit %u", hstate->cfg->response_body_limit);
@@ -1932,9 +1935,6 @@ int HTPCallbackResponseBodyData(htp_tx_data_t *d)
 HtpResponseBodyHandle(hstate, tx_ud, d->tx, (uint8_t *)d->data, (uint32_t)d->len);
 }
- /* see if we can get rid of htp body chunks */
- HtpBodyPrune(hstate, &tx_ud->response_body, STREAM_TOCLIENT);
-
 /* set the new chunk flag */
 hstate->flags |= HTP_FLAG_NEW_BODY_SET;