http: fix multipart body tracking slowdown

Optimize HTTP multipart body parsing. Big records that were not files could slow down Suricata. The reason was that the body tracker was not moved forward. This lead to growing body buffers, which were expensive wrt memory and inspection. This patch add logic to move the tracker forward in this case.
OISF · Feb 13, 2016 · 0a22ba7 · 0a22ba7
1 parent 4ee20f2
commit 0a22ba7
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c
@@ -1552,6 +1552,19 @@ int HtpRequestBodyHandleMultipart(HtpState *hstate, HtpTxUserData *htud,
                     (uint8_t *) "\r\n\r\n", 4);
         }
     }
+
+    /* if we're parsing the multipart and we're not currently processing a
+     * file, we move the body pointer forward. */
+    if (form_end == NULL && !(htud->tsflags & HTP_FILENAME_SET) && header_start == NULL) {
+        if (chunks_buffer_len > expected_boundary_end_len) {
+            uint32_t move = chunks_buffer_len - expected_boundary_end_len + 1;
+
+            htud->request_body.body_parsed += move;
+            SCLogDebug("form not ready, file not set, parsing non-file "
+                    "record: moved %u", move);
+        }
+    }
+
 end:
     if (expected_boundary != NULL) {
         HTPFree(expected_boundary, expected_boundary_len);