detect-http-header: improve buffer handling

Previously we could never be calling DetectEngineHHDGetBufferForTX
for TX N and then afterwards for TX N - 1. Due to changes in the
stateful detection code this is now possible.

This patch changes the buffer logic to take the 'inspect_id' as it's
base, instead of the first transaction that we are called with.

diff --git a/src/detect-engine-hcbd.c b/src/detect-engine-hcbd.c
index fccafada5f1d7334f5ed6c3c1cb19035cf69a3d3..2eb16acae95dec94c0206eeb146105f8df1144b9 100644 (file)
--- a/src/detect-engine-hcbd.c
+++ b/src/detect-engine-hcbd.c
@@ -105,14 +105,18 @@ static uint8_t *DetectEngineHCBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
     *stream_start_offset = 0;
 
     if (det_ctx->hcbd_buffers_list_len == 0) {
-        if (HCBDCreateSpace(det_ctx, 1) < 0)
-            goto end; /* let's consider it as stage not done for now */
-        index = 0;
-
-        if (det_ctx->hcbd_buffers_list_len == 0) {
-            det_ctx->hcbd_start_tx_id = tx_id;
-        }
-        det_ctx->hcbd_buffers_list_len++;
+        /* get the inspect id to use as a 'base id' */
+        uint64_t base_inspect_id = AppLayerParserGetTransactionInspectId(f->alparser, flags);
+        BUG_ON(base_inspect_id > tx_id);
+        /* see how many space we need for the current tx_id */
+        uint16_t txs = (tx_id - base_inspect_id) + 1;
+
+        if (HCBDCreateSpace(det_ctx, txs) < 0)
+            goto end;
+
+        index = (tx_id - base_inspect_id);
+        det_ctx->hcbd_start_tx_id = base_inspect_id;
+        det_ctx->hcbd_buffers_list_len = txs;
     } else {
         if ((tx_id - det_ctx->hcbd_start_tx_id) < det_ctx->hcbd_buffers_list_len) {
             if (det_ctx->hcbd[(tx_id - det_ctx->hcbd_start_tx_id)].buffer_len != 0) {
@@ -121,13 +125,11 @@ static uint8_t *DetectEngineHCBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
                 return det_ctx->hcbd[(tx_id - det_ctx->hcbd_start_tx_id)].buffer;
             }
         } else {
-            if (HCBDCreateSpace(det_ctx, (tx_id - det_ctx->hcbd_start_tx_id) + 1) < 0)
+            uint16_t txs = (tx_id - det_ctx->hcbd_start_tx_id) + 1;
+            if (HCBDCreateSpace(det_ctx, txs) < 0)
                 goto end; /* let's consider it as stage not done for now */
 
-            if (det_ctx->hcbd_buffers_list_len == 0) {
-                det_ctx->hcbd_start_tx_id = tx_id;
-            }
-            det_ctx->hcbd_buffers_list_len++;
+            det_ctx->hcbd_buffers_list_len = txs;
         }
         index = (tx_id - det_ctx->hcbd_start_tx_id);
     }

diff --git a/src/detect-engine-hhd.c b/src/detect-engine-hhd.c
index 6672895b4829db51ab2c7eeb13661a43ef1fba78..dce39d3dccbc26f58b0cd82b8672a3f6622a5095 100644 (file)
--- a/src/detect-engine-hhd.c
+++ b/src/detect-engine-hhd.c
@@ -107,28 +107,34 @@ static uint8_t *DetectEngineHHDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
     *buffer_len = 0;
 
     if (det_ctx->hhd_buffers_list_len == 0) {
-        if (HHDCreateSpace(det_ctx, 1) < 0)
+        /* get the inspect id to use as a 'base id' */
+        uint64_t base_inspect_id = AppLayerParserGetTransactionInspectId(f->alparser, flags);
+        BUG_ON(base_inspect_id > tx_id);
+        /* see how many space we need for the current tx_id */
+        uint16_t txs = (tx_id - base_inspect_id) + 1;
+
+        if (HHDCreateSpace(det_ctx, txs) < 0)
             goto end;
-        index = 0;
 
-        if (det_ctx->hhd_buffers_list_len == 0) {
-            det_ctx->hhd_start_tx_id = tx_id;
-        }
-        det_ctx->hhd_buffers_list_len++;
+        index = (tx_id - base_inspect_id);
+        det_ctx->hhd_start_tx_id = base_inspect_id;
+        det_ctx->hhd_buffers_list_len = txs;
     } else {
+        /* tx fits in our current buffers */
         if ((tx_id - det_ctx->hhd_start_tx_id) < det_ctx->hhd_buffers_list_len) {
+            /* if we previously reassembled, return that buffer */
             if (det_ctx->hhd_buffers_len[(tx_id - det_ctx->hhd_start_tx_id)] != 0) {
                 *buffer_len = det_ctx->hhd_buffers_len[(tx_id - det_ctx->hhd_start_tx_id)];
                 return det_ctx->hhd_buffers[(tx_id - det_ctx->hhd_start_tx_id)];
             }
+            /* otherwise fall through */
         } else {
-            if (HHDCreateSpace(det_ctx, (tx_id - det_ctx->hhd_start_tx_id) + 1) < 0)
+            /* not enough space, lets expand */
+            uint16_t txs = (tx_id - det_ctx->hhd_start_tx_id) + 1;
+            if (HHDCreateSpace(det_ctx, txs) < 0)
                 goto end;
 
-            if (det_ctx->hhd_buffers_list_len == 0) {
-                det_ctx->hhd_start_tx_id = tx_id;
-            }
-            det_ctx->hhd_buffers_list_len++;
+            det_ctx->hhd_buffers_list_len = txs;
         }
         index = (tx_id - det_ctx->hhd_start_tx_id);
     }

diff --git a/src/detect-engine-hsbd.c b/src/detect-engine-hsbd.c
index cb798277187b18a115466d77c5ba11b442010251..e7ef0bbd4a35b11871d5d91a5a3f81bb905ba875 100644 (file)
--- a/src/detect-engine-hsbd.c
+++ b/src/detect-engine-hsbd.c
@@ -104,14 +104,17 @@ static uint8_t *DetectEngineHSBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
     *stream_start_offset = 0;
 
     if (det_ctx->hsbd_buffers_list_len == 0) {
-        if (HSBDCreateSpace(det_ctx, 1) < 0)
-            goto end;
-        index = 0;
+        /* get the inspect id to use as a 'base id' */
+        uint64_t base_inspect_id = AppLayerParserGetTransactionInspectId(f->alparser, flags);
+        BUG_ON(base_inspect_id > tx_id);
+        /* see how many space we need for the current tx_id */
+        uint16_t txs = (tx_id - base_inspect_id) + 1;
 
-        if (det_ctx->hsbd_buffers_list_len == 0) {
-            det_ctx->hsbd_start_tx_id = tx_id;
-        }
-        det_ctx->hsbd_buffers_list_len++;
+        if (HSBDCreateSpace(det_ctx, txs) < 0)
+            goto end;
+        index = (tx_id - base_inspect_id);
+        det_ctx->hsbd_start_tx_id = base_inspect_id;
+        det_ctx->hsbd_buffers_list_len = txs;
     } else {
         if ((tx_id - det_ctx->hsbd_start_tx_id) < det_ctx->hsbd_buffers_list_len) {
             if (det_ctx->hsbd[(tx_id - det_ctx->hsbd_start_tx_id)].buffer_len != 0) {
@@ -120,13 +123,11 @@ static uint8_t *DetectEngineHSBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
                 return det_ctx->hsbd[(tx_id - det_ctx->hsbd_start_tx_id)].buffer;
             }
         } else {
-            if (HSBDCreateSpace(det_ctx, (tx_id - det_ctx->hsbd_start_tx_id) + 1) < 0)
+            uint16_t txs = (tx_id - det_ctx->hsbd_start_tx_id) + 1;
+            if (HSBDCreateSpace(det_ctx, txs) < 0)
                 goto end;
 
-            if (det_ctx->hsbd_buffers_list_len == 0) {
-                det_ctx->hsbd_start_tx_id = tx_id;
-            }
-            det_ctx->hsbd_buffers_list_len++;
+            det_ctx->hsbd_buffers_list_len = txs;
         }
         index = (tx_id - det_ctx->hsbd_start_tx_id);
     }