From: Philippe Antoine <pantoine@oisf.net>
Date: Thu, 26 Jan 2023 08:28:46 +0000 (+0100)
Subject: http: complete multipart until request.body-limit
X-Git-Tag: suricata-6.0.11~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F8690%2Fhead;p=thirdparty%2Fsuricata.git

http: complete multipart until request.body-limit

In the case we are truncating a multipart file because of reaching
request.body-limit, we used to not consume the whole buffer, but
keep expected_boundary_len bytes in case a new boundary begins
in these bytes.
Even if we cannot check the complete boundary, we can still check
the first bytes, as will be done in the rust version.

Ticket: #5952
(cherry picked from commit 578f328e06b3e03f3bdbbf852b5d121e20849b8b)
(cherry picked from commit caf9940fd10f474bcbc7bf983e3849a83a8c7562)
---

diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c
index d01fa16a70..f232b2f7e4 100644
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@@ -1438,6 +1438,16 @@ static int HtpRequestBodyHandleMultipart(HtpState *hstate, HtpTxUserData *htud,
             if (chunks_buffer_len > expected_boundary_end_len) {
                 const uint8_t *filedata = chunks_buffer;
                 uint32_t filedata_len = chunks_buffer_len - expected_boundary_len;
+                for (; filedata_len < chunks_buffer_len; filedata_len++) {
+                    // take as much as we can until the beginning of a new line
+                    if (chunks_buffer[filedata_len] == '\r') {
+                        if (filedata_len + 1 == chunks_buffer_len ||
+                                chunks_buffer[filedata_len + 1] == '\n') {
+                            break;
+                        }
+                    }
+                }
+
 #ifdef PRINT
                 printf("FILEDATA (part) START: \n");
                 PrintRawDataFp(stdout, filedata, filedata_len);