From 0a22ba7e23deef9ab432d048828169f663dd247b Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Fri, 12 Feb 2016 16:31:57 +0100 Subject: [PATCH] http: fix multipart body tracking slowdown Optimize HTTP multipart body parsing. Big records that were not files could slow down Suricata. The reason was that the body tracker was not moved forward. This lead to growing body buffers, which were expensive wrt memory and inspection. This patch add logic to move the tracker forward in this case. --- src/app-layer-htp.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c index 5fd0949296..caf2ea5307 100644 --- a/src/app-layer-htp.c +++ b/src/app-layer-htp.c @@ -1552,6 +1552,19 @@ next: (uint8_t *) "\r\n\r\n", 4); } } + + /* if we're parsing the multipart and we're not currently processing a + * file, we move the body pointer forward. */ + if (form_end == NULL && !(htud->tsflags & HTP_FILENAME_SET) && header_start == NULL) { + if (chunks_buffer_len > expected_boundary_end_len) { + uint32_t move = chunks_buffer_len - expected_boundary_end_len + 1; + + htud->request_body.body_parsed += move; + SCLogDebug("form not ready, file not set, parsing non-file " + "record: moved %u", move); + } + } + end: if (expected_boundary != NULL) { HTPFree(expected_boundary, expected_boundary_len);
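Review bot: The `+ 1` in `uint32_t move = chunks_buffer_len - expected_boundary_end_len + 1;` is unexplained, yet it decides how much tail the tracker keeps: after the move only `expected_boundary_end_len - 1` bytes of the chunk buffer remain to be re-scanned, which looks intended to preserve a boundary split across two chunks. A wrong offset here would let the start of a file part go unseen by the parser, so I would state the invariant beside it, e.g. `/* keep the last expected_boundary_end_len - 1 bytes so a boundary split across chunks still matches on the next call */`. The enclosing function starts and ends outside the hunk, so please confirm that `form_end` and `header_start` are assigned on every path that falls through to this block, and that `body_parsed + move` cannot exceed the body length buffered so far. The patch adds no test; a unit test feeding a large non-file record followed by a file part across several chunks would pin both the forward move and the retained tail.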