From 8af0b8044b33a1341ba7403eaa8b0e9b00c20b0a Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 26 Jan 2023 09:28:46 +0100
Subject: [PATCH] http: complete multipart until request.body-limit

In the case we are truncating a multipart file because of reaching request.body-limit, we used to not consume the whole buffer, but keep expected_boundary_len bytes in case a new boundary begins in these bytes. Even if we cannot check the complete boundary, we can still check the first bytes, as will be done in the rust version.
Ticket: #5952
---
 src/app-layer-htp.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c
index ee4295cf72e3..7855fb806da4 100644
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@@ -1446,6 +1446,16 @@ static int HtpRequestBodyHandleMultipart(HtpState *hstate, HtpTxUserData *htud,
 if (chunks_buffer_len > expected_boundary_end_len) {
 const uint8_t *filedata = chunks_buffer;
 uint32_t filedata_len = chunks_buffer_len - expected_boundary_len;
+ for (; filedata_len < chunks_buffer_len; filedata_len++) {
+ // take as much as we can until the beginning of a new line
+ if (chunks_buffer[filedata_len] == '\r') {
+ if (filedata_len + 1 == expected_boundary_len ||
+ chunks_buffer[filedata_len + 1] == '\n') {
+ break;
+ }
+ }
+ }
+
 #ifdef PRINT
 printf("FILEDATA (part) START: \n");
 PrintRawDataFp(stdout, filedata, filedata_len);
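Review bot: The end-of-buffer guard in the added loop compares the index against `expected_boundary_len`, although the loop itself is bounded by `chunks_buffer_len`. When a `'\r'` is the last byte of the buffer, that guard does not normally fire, so `chunks_buffer[filedata_len + 1]` is evaluated at index `chunks_buffer_len`. Assuming `chunks_buffer_len` is the number of valid bytes, that is a one-byte read past the data, reachable from request-body content. The guard should probably read `if (filedata_len + 1 == chunks_buffer_len ||`, so that a trailing `'\r'` is held back as a possible boundary start without looking at the next byte. HtpRequestBodyHandleMultipart starts and ends outside the hunk, so the buffer's allocation and any terminator byte are not visible here.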