From: Victor Julien Date: Tue, 24 Mar 2015 16:25:04 +0000 (+0100) Subject: detect-http-header: improve buffer handling X-Git-Tag: suricata-3.0RC1~437 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=359e2d68f5739fceccb6f7a27b04c626196f442d;p=thirdparty%2Fsuricata.git detect-http-header: improve buffer handling Previously we could never be calling DetectEngineHHDGetBufferForTX for TX N and then afterwards for TX N - 1. Due to changes in the stateful detection code this is now possible. This patch changes the buffer logic to take the 'inspect_id' as it's base, instead of the first transaction that we are called with. --- diff --git a/src/detect-engine-hcbd.c b/src/detect-engine-hcbd.c index fccafada5f..2eb16acae9 100644 --- a/src/detect-engine-hcbd.c +++ b/src/detect-engine-hcbd.c @@ -105,14 +105,18 @@ static uint8_t *DetectEngineHCBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id, *stream_start_offset = 0; if (det_ctx->hcbd_buffers_list_len == 0) { - if (HCBDCreateSpace(det_ctx, 1) < 0) - goto end; /* let's consider it as stage not done for now */ - index = 0; - - if (det_ctx->hcbd_buffers_list_len == 0) { - det_ctx->hcbd_start_tx_id = tx_id; - } - det_ctx->hcbd_buffers_list_len++; + /* get the inspect id to use as a 'base id' */ + uint64_t base_inspect_id = AppLayerParserGetTransactionInspectId(f->alparser, flags); + BUG_ON(base_inspect_id > tx_id); + /* see how many space we need for the current tx_id */ + uint16_t txs = (tx_id - base_inspect_id) + 1; + + if (HCBDCreateSpace(det_ctx, txs) < 0) + goto end; + + index = (tx_id - base_inspect_id); + det_ctx->hcbd_start_tx_id = base_inspect_id; + det_ctx->hcbd_buffers_list_len = txs; } else { if ((tx_id - det_ctx->hcbd_start_tx_id) < det_ctx->hcbd_buffers_list_len) { if (det_ctx->hcbd[(tx_id - det_ctx->hcbd_start_tx_id)].buffer_len != 0) { @@ -121,13 +125,11 @@ static uint8_t *DetectEngineHCBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id, return det_ctx->hcbd[(tx_id - det_ctx->hcbd_start_tx_id)].buffer; } } else { - if (HCBDCreateSpace(det_ctx, (tx_id - det_ctx->hcbd_start_tx_id) + 1) < 0) + uint16_t txs = (tx_id - det_ctx->hcbd_start_tx_id) + 1; + if (HCBDCreateSpace(det_ctx, txs) < 0) goto end; /* let's consider it as stage not done for now */ - if (det_ctx->hcbd_buffers_list_len == 0) { - det_ctx->hcbd_start_tx_id = tx_id; - } - det_ctx->hcbd_buffers_list_len++; + det_ctx->hcbd_buffers_list_len = txs; } index = (tx_id - det_ctx->hcbd_start_tx_id); } diff --git a/src/detect-engine-hhd.c b/src/detect-engine-hhd.c index 6672895b48..dce39d3dcc 100644 --- a/src/detect-engine-hhd.c +++ b/src/detect-engine-hhd.c @@ -107,28 +107,34 @@ static uint8_t *DetectEngineHHDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id, *buffer_len = 0; if (det_ctx->hhd_buffers_list_len == 0) { - if (HHDCreateSpace(det_ctx, 1) < 0) + /* get the inspect id to use as a 'base id' */ + uint64_t base_inspect_id = AppLayerParserGetTransactionInspectId(f->alparser, flags); + BUG_ON(base_inspect_id > tx_id); + /* see how many space we need for the current tx_id */ + uint16_t txs = (tx_id - base_inspect_id) + 1; + + if (HHDCreateSpace(det_ctx, txs) < 0) goto end; - index = 0; - if (det_ctx->hhd_buffers_list_len == 0) { - det_ctx->hhd_start_tx_id = tx_id; - } - det_ctx->hhd_buffers_list_len++; + index = (tx_id - base_inspect_id); + det_ctx->hhd_start_tx_id = base_inspect_id; + det_ctx->hhd_buffers_list_len = txs; } else { + /* tx fits in our current buffers */ if ((tx_id - det_ctx->hhd_start_tx_id) < det_ctx->hhd_buffers_list_len) { + /* if we previously reassembled, return that buffer */ if (det_ctx->hhd_buffers_len[(tx_id - det_ctx->hhd_start_tx_id)] != 0) { *buffer_len = det_ctx->hhd_buffers_len[(tx_id - det_ctx->hhd_start_tx_id)]; return det_ctx->hhd_buffers[(tx_id - det_ctx->hhd_start_tx_id)]; } + /* otherwise fall through */ } else { - if (HHDCreateSpace(det_ctx, (tx_id - det_ctx->hhd_start_tx_id) + 1) < 0) + /* not enough space, lets expand */ + uint16_t txs = (tx_id - det_ctx->hhd_start_tx_id) + 1; + if (HHDCreateSpace(det_ctx, txs) < 0) goto end; - if (det_ctx->hhd_buffers_list_len == 0) { - det_ctx->hhd_start_tx_id = tx_id; - } - det_ctx->hhd_buffers_list_len++; + det_ctx->hhd_buffers_list_len = txs; } index = (tx_id - det_ctx->hhd_start_tx_id); } diff --git a/src/detect-engine-hsbd.c b/src/detect-engine-hsbd.c index cb79827718..e7ef0bbd4a 100644 --- a/src/detect-engine-hsbd.c +++ b/src/detect-engine-hsbd.c @@ -104,14 +104,17 @@ static uint8_t *DetectEngineHSBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id, *stream_start_offset = 0; if (det_ctx->hsbd_buffers_list_len == 0) { - if (HSBDCreateSpace(det_ctx, 1) < 0) - goto end; - index = 0; + /* get the inspect id to use as a 'base id' */ + uint64_t base_inspect_id = AppLayerParserGetTransactionInspectId(f->alparser, flags); + BUG_ON(base_inspect_id > tx_id); + /* see how many space we need for the current tx_id */ + uint16_t txs = (tx_id - base_inspect_id) + 1; - if (det_ctx->hsbd_buffers_list_len == 0) { - det_ctx->hsbd_start_tx_id = tx_id; - } - det_ctx->hsbd_buffers_list_len++; + if (HSBDCreateSpace(det_ctx, txs) < 0) + goto end; + index = (tx_id - base_inspect_id); + det_ctx->hsbd_start_tx_id = base_inspect_id; + det_ctx->hsbd_buffers_list_len = txs; } else { if ((tx_id - det_ctx->hsbd_start_tx_id) < det_ctx->hsbd_buffers_list_len) { if (det_ctx->hsbd[(tx_id - det_ctx->hsbd_start_tx_id)].buffer_len != 0) { @@ -120,13 +123,11 @@ static uint8_t *DetectEngineHSBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id, return det_ctx->hsbd[(tx_id - det_ctx->hsbd_start_tx_id)].buffer; } } else { - if (HSBDCreateSpace(det_ctx, (tx_id - det_ctx->hsbd_start_tx_id) + 1) < 0) + uint16_t txs = (tx_id - det_ctx->hsbd_start_tx_id) + 1; + if (HSBDCreateSpace(det_ctx, txs) < 0) goto end; - if (det_ctx->hsbd_buffers_list_len == 0) { - det_ctx->hsbd_start_tx_id = tx_id; - } - det_ctx->hsbd_buffers_list_len++; + det_ctx->hsbd_buffers_list_len = txs; } index = (tx_id - det_ctx->hsbd_start_tx_id); }