suricata
detect-http-header-common.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "decode.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 #include "detect-engine.h"
31 #include "detect-engine-mpm.h"
32 #include "detect-engine-state.h"
33 #include "detect-engine-prefilter.h"
34 #include "detect-engine-content-inspection.h"
35 #include "detect-content.h"
36 #include "detect-pcre.h"
37 
38 #include "flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 
42 #include "util-debug.h"
43 #include "util-unittest.h"
44 #include "util-unittest-helper.h"
45 #include "util-spm.h"
46 #include "util-print.h"
47 
48 #include "app-layer.h"
49 #include "app-layer-parser.h"
50 
51 #include "app-layer-htp.h"
52 #include "detect-http-header.h"
53 #include "stream-tcp.h"
54 
55 #include "util-print.h"
56 
57 #include "detect-http-header-common.h"
58 
59 static inline int CreateSpace(HttpHeaderThreadData *td, uint64_t size);
60 
61 void *HttpHeaderThreadDataInit(void *data)
62 {
63  HttpHeaderThreadData *td = SCCalloc(1, sizeof(*td));
64  if (td != NULL) {
65  if (data == NULL) {
66  td->tx_step = 4;
67  td->size_step = 512;
68  } else {
69  HttpHeaderThreadDataConfig *c = data;
70  td->tx_step = c->tx_step;
71  td->size_step = c->size_step;
72  }
73 
74  /* initialize minimal buffers */
75  (void)CreateSpace(td, 1);
76  int i;
77  for (i = 0; i < td->buffers_size; i++) {
78  (void)HttpHeaderExpandBuffer(td, &td->buffers[i], 1);
79  }
80  }
81  return td;
82 }
83 
84 void HttpHeaderThreadDataFree(void *data)
85 {
86  HttpHeaderThreadData *hdrnames = data;
87 
88  int i;
89  for (i = 0; i < hdrnames->buffers_size; i++) {
90  if (hdrnames->buffers[i].buffer)
91  SCFree(hdrnames->buffers[i].buffer);
92  if (hdrnames->buffers[i].size) {
93  SCLogDebug("hdrnames->buffers[%d].size %u (%u)",
94  i, hdrnames->buffers[i].size, hdrnames->buffers_size);
95  }
96  }
97  SCFree(hdrnames->buffers);
98  SCFree(hdrnames);
99 }
100 
101 static void Reset(HttpHeaderThreadData *hdrnames, uint64_t tick)
102 {
103  uint16_t i;
104  for (i = 0; i < hdrnames->buffers_list_len; i++) {
105  hdrnames->buffers[i].len = 0;
106  }
107  hdrnames->buffers_list_len = 0;
108  hdrnames->start_tx_id = 0;
109  hdrnames->tick = tick;
110 }
111 
112 static inline int CreateSpace(HttpHeaderThreadData *td, uint64_t size)
113 {
114  if (size >= SHRT_MAX)
115  return -1;
116 
117  if (size > td->buffers_size) {
118  uint16_t extra = td->tx_step;
119  while (td->buffers_size + extra < size) {
120  extra += td->tx_step;
121  }
122  SCLogDebug("adding %u to the buffer", extra);
123 
124  void *ptmp = SCRealloc(td->buffers,
125  (td->buffers_size + extra) * sizeof(HttpHeaderBuffer));
126  if (ptmp == NULL) {
127  SCFree(td->buffers);
128  td->buffers = NULL;
129  td->buffers_size = 0;
130  td->buffers_list_len = 0;
131  return -1;
132  }
133  td->buffers = ptmp;
134  memset(td->buffers + td->buffers_size, 0, extra * sizeof(HttpHeaderBuffer));
135  td->buffers_size += extra;
136  }
137  return 0;
138 }
139 
140 int HttpHeaderExpandBuffer(HttpHeaderThreadData *td,
141  HttpHeaderBuffer *buf, uint32_t size)
142 {
143  size_t extra = td->size_step;
144  while ((buf->size + extra) < (size + buf->len)) {
145  extra += td->size_step;
146  }
147  SCLogDebug("adding %"PRIuMAX" to the buffer", (uintmax_t)extra);
148 
149  uint8_t *new_buffer = SCRealloc(buf->buffer, buf->size + extra);
150  if (unlikely(new_buffer == NULL)) {
151  buf->len = 0;
152  return -1;
153  }
154  buf->buffer = new_buffer;
155  buf->size += extra;
156  return 0;
157 }
158 
159 HttpHeaderBuffer *HttpHeaderGetBufferSpaceForTXID(DetectEngineThreadCtx *det_ctx,
160  Flow *f, uint8_t flags, uint64_t tx_id, const int keyword_id,
161  HttpHeaderThreadData **ret_hdr_td)
162 {
163  int index = 0;
164  *ret_hdr_td = NULL;
165 
166  HttpHeaderThreadData *hdr_td =
167  DetectThreadCtxGetGlobalKeywordThreadCtx(det_ctx, keyword_id);
168  if (hdr_td == NULL)
169  return NULL;
170  if (hdr_td->tick != det_ctx->ticker)
171  Reset(hdr_td, det_ctx->ticker);
172  *ret_hdr_td = hdr_td;
173 
174  if (hdr_td->buffers_list_len == 0) {
175  /* get the inspect id to use as a 'base id' */
176  uint64_t base_inspect_id = AppLayerParserGetTransactionInspectId(f->alparser, flags);
177  BUG_ON(base_inspect_id > tx_id);
178  /* see how many space we need for the current tx_id */
179  uint64_t txs = (tx_id - base_inspect_id) + 1;
180  if (CreateSpace(hdr_td, txs) < 0)
181  return NULL;
182 
183  index = (tx_id - base_inspect_id);
184  hdr_td->start_tx_id = base_inspect_id;
185  hdr_td->buffers_list_len = txs;
186  } else {
187  /* tx fits in our current buffers */
188  if ((tx_id - hdr_td->start_tx_id) < hdr_td->buffers_list_len) {
189  /* if we previously reassembled, return that buffer */
190  if (hdr_td->buffers[(tx_id - hdr_td->start_tx_id)].len != 0) {
191  return &hdr_td->buffers[(tx_id - hdr_td->start_tx_id)];
192  }
193  /* otherwise fall through */
194  } else {
195  /* not enough space, lets expand */
196  uint64_t txs = (tx_id - hdr_td->start_tx_id) + 1;
197  if (CreateSpace(hdr_td, txs) < 0)
198  return NULL;
199 
200  hdr_td->buffers_list_len = txs;
201  }
202  index = (tx_id - hdr_td->start_tx_id);
203  }
204  HttpHeaderBuffer *buf = &hdr_td->buffers[index];
205  return buf;
206 }
detect-content.h
HttpHeaderThreadData_::buffers
HttpHeaderBuffer * buffers
Definition: detect-http-header-common.h:39
detect-engine.h
HttpHeaderThreadData_::buffers_list_len
uint16_t buffers_list_len
Definition: detect-http-header-common.h:41
HttpHeaderThreadData_::size_step
uint16_t size_step
Definition: detect-http-header-common.h:42
flow-util.h
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
HttpHeaderBuffer_::len
uint32_t len
Definition: detect-http-header-common.h:30
threads.h
Flow_
Flow data structure.
Definition: flow.h:350
detect-http-header.h
detect-pcre.h
AppLayerParserGetTransactionInspectId
uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction)
Definition: app-layer-parser.c:701
HttpHeaderThreadData_::tx_step
uint16_t tx_step
Definition: detect-http-header-common.h:43
HttpHeaderGetBufferSpaceForTXID
HttpHeaderBuffer * HttpHeaderGetBufferSpaceForTXID(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, uint64_t tx_id, const int keyword_id, HttpHeaderThreadData **ret_hdr_td)
Definition: detect-http-header-common.c:159
detect-engine-prefilter.h
util-unittest.h
util-unittest-helper.h
HttpHeaderThreadConfig_::size_step
uint16_t size_step
Definition: detect-http-header-common.h:35
DetectEngineThreadCtx_::ticker
uint64_t ticker
Definition: detect.h:1005
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:482
HttpHeaderThreadData_::start_tx_id
uint64_t start_tx_id
Definition: detect-http-header-common.h:44
app-layer-htp.h
decode.h
util-debug.h
DetectEngineThreadCtx_
Definition: detect.h:999
util-print.h
detect-engine-mpm.h
detect.h
app-layer-parser.h
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:277
detect-http-header-common.h
HttpHeaderThreadConfig_
Definition: detect-http-header-common.h:33
HttpHeaderBuffer_::buffer
uint8_t * buffer
Definition: detect-http-header-common.h:28
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
HttpHeaderThreadConfig_::tx_step
uint16_t tx_step
Definition: detect-http-header-common.h:34
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
detect-engine-content-inspection.h
HttpHeaderThreadDataInit
void * HttpHeaderThreadDataInit(void *data)
Definition: detect-http-header-common.c:61
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
HttpHeaderThreadData_::buffers_size
uint16_t buffers_size
Definition: detect-http-header-common.h:40
util-spm.h
HttpHeaderBuffer_::size
uint32_t size
Definition: detect-http-header-common.h:29
DetectThreadCtxGetGlobalKeywordThreadCtx
void * DetectThreadCtxGetGlobalKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
Retrieve thread local keyword ctx by id.
Definition: detect-engine.c:3134
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
HttpHeaderThreadData_::tick
uint64_t tick
Definition: detect-http-header-common.h:45
HttpHeaderExpandBuffer
int HttpHeaderExpandBuffer(HttpHeaderThreadData *td, HttpHeaderBuffer *buf, uint32_t size)
Definition: detect-http-header-common.c:140
HttpHeaderBuffer_
Definition: detect-http-header-common.h:27
flow.h
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
flow-var.h
HttpHeaderThreadData_
Definition: detect-http-header-common.h:38
HttpHeaderThreadDataFree
void HttpHeaderThreadDataFree(void *data)
Definition: detect-http-header-common.c:84
app-layer.h