Coverage Report

Created: 2026-06-30 07:20

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/suricata7/libhtp/htp/htp_request.c
Line
Count
Source
1
/***************************************************************************
2
 * Copyright (c) 2009-2010 Open Information Security Foundation
3
 * Copyright (c) 2010-2013 Qualys, Inc.
4
 * All rights reserved.
5
 * 
6
 * Redistribution and use in source and binary forms, with or without
7
 * modification, are permitted provided that the following conditions are
8
 * met:
9
 * 
10
 * - Redistributions of source code must retain the above copyright
11
 *   notice, this list of conditions and the following disclaimer.
12
13
 * - Redistributions in binary form must reproduce the above copyright
14
 *   notice, this list of conditions and the following disclaimer in the
15
 *   documentation and/or other materials provided with the distribution.
16
17
 * - Neither the name of the Qualys, Inc. nor the names of its
18
 *   contributors may be used to endorse or promote products derived from
19
 *   this software without specific prior written permission.
20
 * 
21
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
24
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
25
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
26
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
27
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
28
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
29
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
30
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
31
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32
 ***************************************************************************/
33
34
/**
35
 * @file
36
 * @author Ivan Ristic <ivanr@webkreator.com>
37
 */
38
39
#include "htp_config_auto.h"
40
41
#include "htp_private.h"
42
43
254k
#define IN_TEST_NEXT_BYTE_OR_RETURN(X) \
44
254k
if ((X)->in_current_read_offset >= (X)->in_current_len) { \
45
63.4k
    return HTP_DATA; \
46
63.4k
}
47
48
56.5M
#define IN_PEEK_NEXT(X) \
49
56.5M
if ((X)->in_current_read_offset >= (X)->in_current_len) { \
50
208k
    (X)->in_next_byte = -1; \
51
56.3M
} else { \
52
56.3M
    (X)->in_next_byte = (X)->in_current_data[(X)->in_current_read_offset]; \
53
56.3M
}
54
55
#define IN_NEXT_BYTE(X) \
56
if ((X)->in_current_read_offset < (X)->in_current_len) { \
57
    (X)->in_next_byte = (X)->in_current_data[(X)->in_current_read_offset]; \
58
    (X)->in_current_read_offset++; \
59
    (X)->in_current_consume_offset++; \
60
    (X)->in_stream_offset++; \
61
} else { \
62
    (X)->in_next_byte = -1; \
63
}
64
65
54.5k
#define IN_NEXT_BYTE_OR_RETURN(X) \
66
54.5k
if ((X)->in_current_read_offset < (X)->in_current_len) { \
67
53.7k
    (X)->in_next_byte = (X)->in_current_data[(X)->in_current_read_offset]; \
68
53.7k
    (X)->in_current_read_offset++; \
69
53.7k
    (X)->in_current_consume_offset++; \
70
53.7k
    (X)->in_stream_offset++; \
71
53.7k
} else { \
72
731
    return HTP_DATA; \
73
731
}
74
75
102M
#define IN_COPY_BYTE_OR_RETURN(X) \
76
102M
if ((X)->in_current_read_offset < (X)->in_current_len) { \
77
101M
    (X)->in_next_byte = (X)->in_current_data[(X)->in_current_read_offset]; \
78
101M
    (X)->in_current_read_offset++; \
79
101M
    (X)->in_stream_offset++; \
80
101M
} else { \
81
226k
    return HTP_DATA_BUFFER; \
82
226k
}
83
84
/**
85
 * Sends outstanding connection data to the currently active data receiver hook.
86
 *
87
 * @param[in] connp
88
 * @param[in] is_last
89
 * @return HTP_OK, or a value returned from a callback.
90
 */
91
500k
static htp_status_t htp_connp_req_receiver_send_data(htp_connp_t *connp, int is_last) {
92
500k
    if (connp->in_data_receiver_hook == NULL) return HTP_OK;
93
94
275k
    htp_tx_data_t d;
95
275k
    d.tx = connp->in_tx;
96
275k
    d.data = connp->in_current_data + connp->in_current_receiver_offset;
97
275k
    d.len = connp->in_current_read_offset - connp->in_current_receiver_offset;
98
275k
    d.is_last = is_last;
99
100
275k
    htp_status_t rc = htp_hook_run_all(connp->in_data_receiver_hook, &d);
101
275k
    if (rc != HTP_OK) return rc;
102
103
275k
    connp->in_current_receiver_offset = connp->in_current_read_offset;
104
105
275k
    return HTP_OK;
106
275k
}
107
108
/**
109
 * Configures the data receiver hook. If there is a previous hook, it will be finalized and cleared.
110
 *
111
 * @param[in] connp
112
 * @param[in] data_receiver_hook
113
 * @return HTP_OK, or a value returned from a callback.
114
 */
115
182k
static htp_status_t htp_connp_req_receiver_set(htp_connp_t *connp, htp_hook_t *data_receiver_hook) {
116
182k
    htp_status_t rc = htp_connp_req_receiver_finalize_clear(connp);
117
118
182k
    connp->in_data_receiver_hook = data_receiver_hook;
119
182k
    connp->in_current_receiver_offset = connp->in_current_read_offset;
120
121
182k
    return rc;
122
182k
}
123
124
/**
125
 * Finalizes an existing data receiver hook by sending any outstanding data to it. The
126
 * hook is then removed so that it receives no more data.
127
 *
128
 * @param[in] connp
129
 * @return HTP_OK, or a value returned from a callback.
130
 */
131
592k
htp_status_t htp_connp_req_receiver_finalize_clear(htp_connp_t *connp) {
132
592k
    if (connp->in_data_receiver_hook == NULL) return HTP_OK;
133
134
180k
    htp_status_t rc = htp_connp_req_receiver_send_data(connp, 1 /* last */);
135
136
180k
    connp->in_data_receiver_hook = NULL;
137
138
180k
    return rc;
139
592k
}
140
141
/**
142
 * Handles request parser state changes. At the moment, this function is used only
143
 * to configure data receivers, which are sent raw connection data.
144
 *
145
 * @param[in] connp
146
 * @return HTP_OK, or a value returned from a callback.
147
 */
148
3.14M
static htp_status_t htp_req_handle_state_change(htp_connp_t *connp) {
149
3.14M
    if (connp->in_state_previous == connp->in_state) return HTP_OK;
150
151
1.31M
    if (connp->in_state == htp_connp_REQ_HEADERS) {
152
182k
        htp_status_t rc = HTP_OK;
153
154
182k
        switch (connp->in_tx->request_progress) {
155
181k
            case HTP_REQUEST_HEADERS:
156
181k
                rc = htp_connp_req_receiver_set(connp, connp->in_tx->cfg->hook_request_header_data);
157
181k
                break;
158
159
1.71k
            case HTP_REQUEST_TRAILER:
160
1.71k
                rc = htp_connp_req_receiver_set(connp, connp->in_tx->cfg->hook_request_trailer_data);
161
1.71k
                break;
162
163
0
            default:
164
                // Do nothing; receivers are currently used only for header blocks.
165
0
                break;
166
182k
        }
167
168
182k
        if (rc != HTP_OK) return rc;
169
182k
    }
170
171
    // Initially, I had the finalization of raw data sending here, but that
172
    // caused the last REQUEST_HEADER_DATA hook to be invoked after the
173
    // REQUEST_HEADERS hook -- which I thought made no sense. For that reason,
174
    // the finalization is now initiated from the request header processing code,
175
    // which is less elegant but provides a better user experience. Having some
176
    // (or all) hooks to be invoked on state change might work better.
177
178
1.31M
    connp->in_state_previous = connp->in_state;
179
180
1.31M
    return HTP_OK;
181
1.31M
}
182
183
/**
184
 * If there is any data left in the inbound data chunk, this function will preserve
185
 * it for later consumption. The maximum amount accepted for buffering is controlled
186
 * by htp_config_t::field_limit_hard.
187
 *
188
 * @param[in] connp
189
 * @return HTP_OK, or HTP_ERROR on fatal failure.
190
 */
191
317k
static htp_status_t htp_connp_req_buffer(htp_connp_t *connp) {
192
317k
    if (connp->in_current_data == NULL) return HTP_OK;
193
194
314k
    unsigned char *data = connp->in_current_data + connp->in_current_consume_offset;
195
314k
    size_t len = connp->in_current_read_offset - connp->in_current_consume_offset;
196
197
314k
    if (len == 0)
198
29.5k
        return HTP_OK;
199
200
    // Check the hard (buffering) limit.
201
   
202
284k
    size_t newlen = connp->in_buf_size + len;
203
204
    // When calculating the size of the buffer, take into account the
205
    // space we're using for the request header buffer.
206
284k
    if (connp->in_header != NULL) {
207
57.8k
        newlen += bstr_len(connp->in_header);
208
57.8k
    }
209
210
284k
    if (newlen > connp->in_tx->cfg->field_limit_hard) {
211
35
        htp_log(connp, HTP_LOG_MARK, HTP_LOG_ERROR, 0, "Request buffer over the limit: size %zd limit %zd.",
212
35
                newlen, connp->in_tx->cfg->field_limit_hard);        
213
35
        return HTP_ERROR;
214
35
    }
215
216
    // Copy the data remaining in the buffer.
217
218
284k
    if (connp->in_buf == NULL) {
219
72.2k
        connp->in_buf = malloc(len);
220
72.2k
        if (connp->in_buf == NULL) return HTP_ERROR;
221
72.2k
        memcpy(connp->in_buf, data, len);
222
72.2k
        connp->in_buf_size = len;
223
212k
    } else {
224
212k
        size_t newsize = connp->in_buf_size + len;
225
212k
        unsigned char *newbuf = realloc(connp->in_buf, newsize);
226
212k
        if (newbuf == NULL) return HTP_ERROR;
227
212k
        connp->in_buf = newbuf;
228
212k
        memcpy(connp->in_buf + connp->in_buf_size, data, len);
229
212k
        connp->in_buf_size = newsize;
230
212k
    }
231
232
    // Reset the consumer position.
233
284k
    connp->in_current_consume_offset = connp->in_current_read_offset;
234
235
284k
    return HTP_OK;
236
284k
}
237
238
/**
239
 * Returns to the caller the memory region that should be processed next. This function
240
 * hides away the buffering process from the rest of the code, allowing it to work with
241
 * non-buffered data that's in the inbound chunk, or buffered data that's in our structures.
242
 *
243
 * @param[in] connp
244
 * @param[out] data
245
 * @param[out] len
246
 * @return HTP_OK
247
 */
248
4.78M
static htp_status_t htp_connp_req_consolidate_data(htp_connp_t *connp, unsigned char **data, size_t *len) {
249
4.78M
    if (connp->in_buf == NULL) {
250
        // We do not have any data buffered; point to the current data chunk.
251
4.69M
        *data = connp->in_current_data + connp->in_current_consume_offset;
252
4.69M
        *len = connp->in_current_read_offset - connp->in_current_consume_offset;
253
4.69M
    } else {
254
        // We already have some data in the buffer. Add the data from the current
255
        // chunk to it, and point to the consolidated buffer.
256
90.6k
        if (htp_connp_req_buffer(connp) != HTP_OK) {
257
25
            return HTP_ERROR;
258
25
        }
259
260
90.6k
        *data = connp->in_buf;
261
90.6k
        *len = connp->in_buf_size;
262
90.6k
    }
263
264
4.78M
    return HTP_OK;
265
4.78M
}
266
267
/**
268
 * Clears buffered inbound data and resets the consumer position to the reader position.
269
 *
270
 * @param[in] connp
271
 */
272
3.14M
static void htp_connp_req_clear_buffer(htp_connp_t *connp) {
273
3.14M
    connp->in_current_consume_offset = connp->in_current_read_offset;
274
275
3.14M
    if (connp->in_buf != NULL) {
276
68.8k
        free(connp->in_buf);
277
68.8k
        connp->in_buf = NULL;
278
68.8k
        connp->in_buf_size = 0;
279
68.8k
    }
280
3.14M
}
281
282
/**
283
 * Performs a check for a CONNECT transaction to decide whether inbound
284
 * parsing needs to be suspended.
285
 *
286
 * @param[in] connp
287
 * @return HTP_OK if the request does not use CONNECT, HTP_DATA_OTHER if
288
 *          inbound parsing needs to be suspended until we hear from the
289
 *          other side
290
 */
291
175k
htp_status_t htp_connp_REQ_CONNECT_CHECK(htp_connp_t *connp) {
292
    // If the request uses the CONNECT method, then there will
293
    // not be a request body, but first we need to wait to see the
294
    // response in order to determine if the tunneling request
295
    // was a success.
296
175k
    if (connp->in_tx->request_method_number == HTP_M_CONNECT) {        
297
2.76k
        connp->in_state = htp_connp_REQ_CONNECT_WAIT_RESPONSE;
298
2.76k
        connp->in_status = HTP_STREAM_DATA_OTHER;
299
2.76k
        return HTP_DATA_OTHER;
300
2.76k
    }
301
302
    // Continue to the next step to determine 
303
    // the presence of request body
304
172k
    connp->in_state = htp_connp_REQ_BODY_DETERMINE;
305
306
172k
    return HTP_OK;
307
175k
}
308
309
/**
310
 * Determines whether inbound parsing needs to continue or stop. In
311
 * case the data appears to be plain text HTTP, we try to continue.
312
 *
313
 * @param[in] connp
314
 * @return HTP_OK if the parser can resume parsing, HTP_DATA_BUFFER if
315
 *         we need more data.
316
 */
317
435
htp_status_t htp_connp_REQ_CONNECT_PROBE_DATA(htp_connp_t *connp) {
318
14.9k
    for (;;) {//;i < max_read; i++) {
319
14.9k
        IN_PEEK_NEXT(connp);
320
        // Have we reached the end of the line? For some reason
321
        // we can't test after IN_COPY_BYTE_OR_RETURN */
322
14.9k
        if (connp->in_next_byte == LF || connp->in_next_byte == 0x00)
323
61
            break;
324
325
14.9k
        IN_COPY_BYTE_OR_RETURN(connp);
326
327
14.5k
    }
328
329
61
    unsigned char *data;
330
61
    size_t len;
331
61
    if (htp_connp_req_consolidate_data(connp, &data, &len) != HTP_OK) {
332
0
        return HTP_ERROR;
333
0
    }
334
#ifdef HTP_DEBUG
335
    fprint_raw_data(stderr, "PROBING", data, len);
336
#endif
337
338
61
    size_t pos = 0;
339
61
    size_t mstart = 0;
340
    // skip past leading whitespace. IIS allows this
341
74
    while ((pos < len) && htp_is_space(data[pos]))
342
13
        pos++;
343
61
    if (pos)
344
4
        mstart = pos;
345
    // The request method starts at the beginning of the
346
    // line and ends with the first whitespace character.
347
887
    while ((pos < len) && (!htp_is_space(data[pos])))
348
826
        pos++;
349
350
61
    int methodi = HTP_M_UNKNOWN;
351
61
    bstr *method = bstr_dup_mem(data + mstart, pos - mstart);
352
61
    if (method) {
353
61
        methodi = htp_convert_method_to_number(method);
354
61
        bstr_free(method);
355
61
    }
356
61
    if (methodi != HTP_M_UNKNOWN) {
357
#ifdef HTP_DEBUG
358
        fprint_raw_data(stderr, "htp_connp_REQ_CONNECT_PROBE_DATA: tunnel contains plain text HTTP", data, len);
359
#endif
360
22
        return htp_tx_state_request_complete(connp->in_tx);
361
39
    } else {
362
#ifdef HTP_DEBUG
363
        fprint_raw_data(stderr, "htp_connp_REQ_CONNECT_PROBE_DATA: tunnel is not HTTP", data, len);
364
#endif
365
39
        connp->in_status = HTP_STREAM_TUNNEL;
366
39
        connp->out_status = HTP_STREAM_TUNNEL;
367
39
    }
368
369
    // not calling htp_connp_req_clear_buffer, we're not consuming the data
370
371
39
    return HTP_OK;
372
61
}
373
374
/**
375
 * Determines whether inbound parsing, which was suspended after
376
 * encountering a CONNECT transaction, can proceed (after receiving
377
 * the response).
378
 *
379
 * @param[in] connp
380
 * @return HTP_OK if the parser can resume parsing, HTP_DATA_OTHER if
381
 *         it needs to continue waiting.
382
 */
383
1.30k
htp_status_t htp_connp_REQ_CONNECT_WAIT_RESPONSE(htp_connp_t *connp) {
384
    // Check that we saw the response line of the current inbound transaction.
385
1.30k
    if (connp->in_tx->response_progress <= HTP_RESPONSE_LINE) {
386
1.02k
        return HTP_DATA_OTHER;
387
1.02k
    }
388
389
    // A 2xx response means a tunnel was established. Anything
390
    // else means we continue to follow the HTTP stream.
391
276
    if ((connp->in_tx->response_status_number >= 200) && (connp->in_tx->response_status_number <= 299)) {
392
        // TODO Check that the server did not accept a connection to itself.
393
394
        // The requested tunnel was established: we are going
395
        // to probe the remaining data on this stream to see
396
        // if we need to ignore it or parse it
397
81
        connp->in_state = htp_connp_REQ_CONNECT_PROBE_DATA;
398
195
    } else {
399
        // No tunnel; continue to the next transaction
400
195
        connp->in_state = htp_connp_REQ_FINALIZE;
401
195
    }
402
403
276
    return HTP_OK;
404
1.30k
}
405
406
/**
407
 * Consumes bytes until the end of the current line.
408
 *
409
 * @param[in] connp
410
 * @returns HTP_OK on state change, HTP_ERROR on error, or HTP_DATA when more data is needed.
411
 */
412
3.42k
htp_status_t htp_connp_REQ_BODY_CHUNKED_DATA_END(htp_connp_t *connp) {
413
    // TODO We shouldn't really see anything apart from CR and LF,
414
    //      so we should warn about anything else.
415
416
54.5k
    for (;;) {
417
54.5k
        IN_NEXT_BYTE_OR_RETURN(connp);
418
419
53.7k
        connp->in_tx->request_message_len++;
420
421
53.7k
        if (connp->in_next_byte == LF) {
422
2.69k
            connp->in_state = htp_connp_REQ_BODY_CHUNKED_LENGTH;
423
2.69k
            return HTP_OK;
424
2.69k
        }
425
53.7k
    }
426
427
0
    return HTP_ERROR;
428
3.42k
}
429
430
/**
431
 * Processes a chunk of data.
432
 *
433
 * @param[in] connp
434
 * @returns HTP_OK on state change, HTP_ERROR on error, or HTP_DATA when more data is needed.
435
 */
436
4.64k
htp_status_t htp_connp_REQ_BODY_CHUNKED_DATA(htp_connp_t *connp) {
437
    // Determine how many bytes we can consume.
438
4.64k
    size_t bytes_to_consume;
439
4.64k
    if (connp->in_current_len - connp->in_current_read_offset >= connp->in_chunked_length) {
440
        // Entire chunk available in the buffer; read all of it.
441
2.71k
        bytes_to_consume = connp->in_chunked_length;
442
2.71k
    } else {
443
        // Partial chunk available in the buffer; read as much as we can.
444
1.92k
        bytes_to_consume = connp->in_current_len - connp->in_current_read_offset;
445
1.92k
    }
446
447
    #ifdef HTP_DEBUG
448
    fprintf(stderr, "htp_connp_REQ_BODY_CHUNKED_DATA Consuming %zd bytes\n", bytes_to_consume);
449
    #endif
450
451
    // If the input buffer is empty, ask for more data.
452
4.64k
    if (bytes_to_consume == 0) return HTP_DATA;
453
454
    // Consume the data.
455
4.41k
    htp_status_t rc = htp_tx_req_process_body_data_ex(connp->in_tx, connp->in_current_data + connp->in_current_read_offset, bytes_to_consume);
456
4.41k
    if (rc != HTP_OK) return rc;
457
458
    // Adjust counters.
459
4.41k
    connp->in_current_read_offset += bytes_to_consume;
460
4.41k
    connp->in_current_consume_offset += bytes_to_consume;
461
4.41k
    connp->in_stream_offset += bytes_to_consume;
462
4.41k
    connp->in_tx->request_message_len += bytes_to_consume;
463
4.41k
    connp->in_chunked_length -= bytes_to_consume;
464
465
4.41k
    if (connp->in_chunked_length == 0) {
466
        // End of the chunk.
467
2.71k
        connp->in_state = htp_connp_REQ_BODY_CHUNKED_DATA_END;
468
2.71k
        return HTP_OK;
469
2.71k
    }
470
471
    // Ask for more data.
472
1.69k
    return HTP_DATA;
473
4.41k
}
474
475
/**
476
 * Extracts chunk length.
477
 *
478
 * @param[in] connp
479
 * @returns HTP_OK on state change, HTP_ERROR on error, or HTP_DATA when more data is needed.
480
 */
481
5.59k
htp_status_t htp_connp_REQ_BODY_CHUNKED_LENGTH(htp_connp_t *connp) {
482
84.0k
    for (;;) {
483
84.0k
        IN_COPY_BYTE_OR_RETURN(connp);
484
485
        // Have we reached the end of the line?
486
83.0k
        if (connp->in_next_byte == LF) {
487
4.56k
            unsigned char *data;
488
4.56k
            size_t len;
489
490
4.56k
            if (htp_connp_req_consolidate_data(connp, &data, &len) != HTP_OK) {
491
1
                return HTP_ERROR;
492
1
            }
493
494
4.56k
            connp->in_tx->request_message_len += len;
495
496
            #ifdef HTP_DEBUG
497
            fprint_raw_data(stderr, "Chunk length line", data, len);
498
            #endif
499
500
4.56k
            htp_chomp(data, &len);
501
502
4.56k
            int chunk_ext = 0;
503
4.56k
            connp->in_chunked_length = htp_parse_chunked_length(data, len, &chunk_ext);
504
4.56k
            if (chunk_ext == 1) {
505
176
                htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Request chunk extension");
506
176
            }
507
508
4.56k
            htp_connp_req_clear_buffer(connp);
509
510
            // Handle chunk length.
511
4.56k
            if (connp->in_chunked_length > 0) {
512
                // More data available.                
513
2.78k
                connp->in_state = htp_connp_REQ_BODY_CHUNKED_DATA;
514
2.78k
            } else if (connp->in_chunked_length == 0) {
515
                // End of data.
516
1.71k
                connp->in_state = htp_connp_REQ_HEADERS;
517
1.71k
                connp->in_tx->request_progress = HTP_REQUEST_TRAILER;
518
1.71k
            } else {
519
                // Invalid chunk length.
520
74
                htp_log(connp, HTP_LOG_MARK, HTP_LOG_ERROR, 0, "Request chunk encoding: Invalid chunk length");
521
74
                return HTP_ERROR;
522
74
            }
523
524
4.49k
            return HTP_OK;
525
4.56k
        }
526
83.0k
    }
527
528
0
    return HTP_ERROR;
529
5.59k
}
530
531
/**
532
 * Processes identity request body.
533
 *
534
 * @param[in] connp
535
 * @returns HTP_OK on state change, HTP_ERROR on error, or HTP_DATA when more data is needed.
536
 */
537
18.1k
htp_status_t htp_connp_REQ_BODY_IDENTITY(htp_connp_t *connp) {
538
    // Determine how many bytes we can consume.
539
18.1k
    size_t bytes_to_consume;
540
18.1k
    if (connp->in_current_len - connp->in_current_read_offset >= connp->in_body_data_left) {
541
7.80k
        bytes_to_consume = connp->in_body_data_left;
542
10.3k
    } else {
543
10.3k
        bytes_to_consume = connp->in_current_len - connp->in_current_read_offset;
544
10.3k
    }
545
546
    // If the input buffer is empty, ask for more data.
547
18.1k
    if (bytes_to_consume == 0) return HTP_DATA;
548
549
    // Consume data.
550
17.2k
    int rc = htp_tx_req_process_body_data_ex(connp->in_tx, connp->in_current_data + connp->in_current_read_offset, bytes_to_consume);
551
17.2k
    if (rc != HTP_OK) return rc;
552
553
    // Adjust counters.
554
17.2k
    connp->in_current_read_offset += bytes_to_consume;
555
17.2k
    connp->in_current_consume_offset += bytes_to_consume;
556
17.2k
    connp->in_stream_offset += bytes_to_consume;
557
17.2k
    connp->in_tx->request_message_len += bytes_to_consume;
558
17.2k
    connp->in_body_data_left -= bytes_to_consume;
559
560
17.2k
    if (connp->in_body_data_left == 0) {
561
        // End of request body.
562
7.80k
        connp->in_state = htp_connp_REQ_FINALIZE;
563
7.80k
        return HTP_OK;
564
7.80k
    }
565
566
    // Ask for more data.
567
9.46k
    return HTP_DATA;
568
17.2k
}
569
570
/**
571
 * Determines presence (and encoding) of a request body.
572
 *
573
 * @param[in] connp
574
 * @returns HTP_OK on state change, HTP_ERROR on error, or HTP_DATA when more data is needed.
575
 */
576
172k
htp_status_t htp_connp_REQ_BODY_DETERMINE(htp_connp_t *connp) {
577
    // Determine the next state based on the presence of the request
578
    // body, and the coding used.
579
172k
    switch (connp->in_tx->request_transfer_coding) {
580
581
1.90k
        case HTP_CODING_CHUNKED:
582
1.90k
            connp->in_state = htp_connp_REQ_BODY_CHUNKED_LENGTH;
583
1.90k
            connp->in_tx->request_progress = HTP_REQUEST_BODY;
584
1.90k
            break;
585
586
12.4k
        case HTP_CODING_IDENTITY:
587
12.4k
            connp->in_content_length = connp->in_tx->request_content_length;
588
12.4k
            connp->in_body_data_left = connp->in_content_length;
589
590
12.4k
            if (connp->in_content_length != 0) {
591
8.26k
                connp->in_state = htp_connp_REQ_BODY_IDENTITY;
592
8.26k
                connp->in_tx->request_progress = HTP_REQUEST_BODY;
593
8.26k
            } else {
594
4.18k
                connp->in_tx->connp->in_state = htp_connp_REQ_FINALIZE;
595
4.18k
            }
596
12.4k
            break;
597
598
157k
        case HTP_CODING_NO_BODY:
599
            // This request does not have a body, which
600
            // means that we're done with it
601
157k
            connp->in_state = htp_connp_REQ_FINALIZE;
602
157k
            break;
603
604
150
        default:
605
            // Should not be here
606
150
            return HTP_ERROR;
607
0
            break;
608
172k
    }
609
610
172k
    return HTP_OK;
611
172k
}
612
613
/**
614
 * Parses request headers.
615
 *
616
 * @param[in] connp
617
 * @returns HTP_OK on state change, HTP_ERROR on error, or HTP_DATA when more data is needed.
618
 */
619
269k
htp_status_t htp_connp_REQ_HEADERS(htp_connp_t *connp) {
620
48.1M
    for (;;) {
621
48.1M
        if (connp->in_status == HTP_STREAM_CLOSED) {
622
            // Parse previous header, if any.
623
1.65k
            if (connp->in_header != NULL) {
624
418
                if (connp->cfg->process_request_header(connp, bstr_ptr(connp->in_header),
625
418
                                                       bstr_len(connp->in_header)) != HTP_OK)
626
0
                    return HTP_ERROR;
627
418
                bstr_free(connp->in_header);
628
418
                connp->in_header = NULL;
629
418
            }
630
631
1.65k
            htp_connp_req_clear_buffer(connp);
632
633
1.65k
            connp->in_tx->request_progress = HTP_REQUEST_TRAILER;
634
635
            // We've seen all the request headers.
636
1.65k
            return htp_tx_state_request_headers(connp->in_tx);
637
1.65k
        }
638
48.1M
        IN_COPY_BYTE_OR_RETURN(connp);
639
640
        // Have we reached the end of the line?
641
48.0M
        if (connp->in_next_byte == LF) {
642
1.11M
            unsigned char *data;
643
1.11M
            size_t len;
644
645
1.11M
            if (htp_connp_req_consolidate_data(connp, &data, &len) != HTP_OK) {
646
3
                return HTP_ERROR;
647
3
            }
648
649
            #ifdef HTP_DEBUG
650
            fprint_raw_data(stderr, __func__, data, len);
651
            #endif           
652
653
            // Should we terminate headers?
654
1.11M
            if (htp_connp_is_line_terminator(connp, data, len, 0)) {
655
                // Parse previous header, if any.
656
176k
                if (connp->in_header != NULL) {
657
21.8k
                    if (connp->cfg->process_request_header(connp, bstr_ptr(connp->in_header),
658
21.8k
                            bstr_len(connp->in_header)) != HTP_OK) return HTP_ERROR;
659
660
21.8k
                    bstr_free(connp->in_header);
661
21.8k
                    connp->in_header = NULL;
662
21.8k
                }
663
664
176k
                htp_connp_req_clear_buffer(connp);
665
666
                // We've seen all the request headers.
667
176k
                return htp_tx_state_request_headers(connp->in_tx);
668
176k
            }
669
670
937k
            htp_chomp(data, &len);
671
672
            // Check for header folding.
673
937k
            if (htp_connp_is_line_folded(data, len) == 0) {
674
                // New header line.
675
676
                // Parse previous header, if any.
677
756k
                if (connp->in_header != NULL) {
678
110k
                    if (connp->cfg->process_request_header(connp, bstr_ptr(connp->in_header),
679
110k
                            bstr_len(connp->in_header)) != HTP_OK) return HTP_ERROR;
680
681
110k
                    bstr_free(connp->in_header);
682
110k
                    connp->in_header = NULL;
683
110k
                }
684
685
756k
                IN_PEEK_NEXT(connp);
686
687
756k
                if (connp->in_next_byte != -1 && htp_is_folding_char(connp->in_next_byte) == 0) {
688
                    // Because we know this header is not folded, we can process the buffer straight away.
689
639k
                    if (connp->cfg->process_request_header(connp, data, len) != HTP_OK) return HTP_ERROR;
690
639k
                } else {
691
                    // Keep the partial header data for parsing later.
692
116k
                    connp->in_header = bstr_dup_mem(data, len);
693
116k
                    if (connp->in_header == NULL) return HTP_ERROR;
694
116k
                }
695
756k
            } else {
696
                // Folding; check that there's a previous header line to add to.
697
181k
                if (connp->in_header == NULL) {
698
                    // Invalid folding.
699
700
                    // Warn only once per transaction.
701
17.1k
                    if (!(connp->in_tx->flags & HTP_INVALID_FOLDING)) {
702
16.4k
                        connp->in_tx->flags |= HTP_INVALID_FOLDING;
703
16.4k
                        htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Invalid request field folding");
704
16.4k
                    }
705
706
                    // Keep the header data for parsing later.
707
17.1k
                    size_t trim = 0;
708
58.8k
                    while(trim < len) {
709
55.4k
                        if (!htp_is_folding_char(data[trim])) {
710
13.7k
                            break;
711
13.7k
                        }
712
41.7k
                        trim++;
713
41.7k
                    }
714
17.1k
                    connp->in_header = bstr_dup_mem(data + trim, len - trim);
715
17.1k
                    if (connp->in_header == NULL) return HTP_ERROR;
716
164k
                } else {
717
                    // Add to the existing header.
718
164k
                    if (bstr_len(connp->in_header) < HTP_MAX_HEADER_FOLDED) {
719
164k
                        bstr *new_in_header = bstr_add_mem(connp->in_header, data, len);
720
164k
                        if (new_in_header == NULL) return HTP_ERROR;
721
164k
                        connp->in_header = new_in_header;
722
164k
                    } else {
723
251
                        htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Request field length exceeds folded maximum");
724
251
                    }
725
164k
                }
726
181k
            }
727
728
937k
            htp_connp_req_clear_buffer(connp);
729
937k
        }
730
48.0M
    }
731
732
0
    return HTP_ERROR;
733
269k
}
734
735
// HTTP/0.9 is supposed to be only a request line without protocol.
736
// Libhtp will still consider the request to be HTTP/0.9 if there
737
// are some junk whitespaces after that request line.
738
// Libhtp allows the small value of 16 extra bytes/whitespaces,
739
// otherwise we consider it to be a HTTP/1.x request with missing protocol.
740
// It is unlikely to meet HTTP/0.9, and we want to limit probing.
741
100k
#define HTTP09_MAX_JUNK_LEN 16
742
743
/**
744
 * Determines request protocol.
745
 *
746
 * @param[in] connp
747
 * @returns HTP_OK on state change, HTP_ERROR on error, or HTP_DATA when more data is needed.
748
 */
749
185k
htp_status_t htp_connp_REQ_PROTOCOL(htp_connp_t *connp) {
750
    // Is this a short-style HTTP/0.9 request? If it is,
751
    // we will not want to parse request headers.
752
185k
    if (connp->in_tx->is_protocol_0_9 == 0) {
753
        // Switch to request header parsing.
754
84.8k
        connp->in_state = htp_connp_REQ_HEADERS;
755
84.8k
        connp->in_tx->request_progress = HTP_REQUEST_HEADERS;
756
100k
    } else {
757
        // Let's check if the protocol was simply missing
758
100k
        int64_t pos = connp->in_current_read_offset;
759
        // Probe if data looks like a header line
760
100k
        if (connp->in_current_len > connp->in_current_read_offset + HTTP09_MAX_JUNK_LEN) {
761
88.4k
            htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Request line: missing protocol");
762
88.4k
            connp->in_tx->is_protocol_0_9 = 0;
763
            // Switch to request header parsing.
764
88.4k
            connp->in_state = htp_connp_REQ_HEADERS;
765
88.4k
            connp->in_tx->request_progress = HTP_REQUEST_HEADERS;
766
88.4k
            return HTP_OK;
767
88.4k
        }
768
23.4k
        while (pos < connp->in_current_len) {
769
19.1k
            if (!htp_is_space(connp->in_current_data[pos])) {
770
7.91k
                htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Request line: missing protocol");
771
7.91k
                connp->in_tx->is_protocol_0_9 = 0;
772
                // Switch to request header parsing.
773
7.91k
                connp->in_state = htp_connp_REQ_HEADERS;
774
7.91k
                connp->in_tx->request_progress = HTP_REQUEST_HEADERS;
775
7.91k
                return HTP_OK;
776
7.91k
            }
777
11.1k
            pos++;
778
11.1k
        }
779
        // We're done with this request.
780
4.33k
        connp->in_state = htp_connp_REQ_FINALIZE;
781
4.33k
    }
782
783
89.2k
    return HTP_OK;
784
185k
}
785
786
/**
787
 * Parse the request line.
788
 *
789
 * @param[in] connp
790
 * @returns HTP_OK on succesful parse, HTP_ERROR on error.
791
 */
792
525k
htp_status_t htp_connp_REQ_LINE_complete(htp_connp_t *connp) {
793
525k
    unsigned char *data;
794
525k
    size_t len;
795
796
525k
    if (htp_connp_req_consolidate_data(connp, &data, &len) != HTP_OK) {
797
2
        return HTP_ERROR;
798
2
    }
799
800
    #ifdef HTP_DEBUG
801
    fprint_raw_data(stderr, __func__, data, len);
802
    #endif
803
525k
    if (len == 0) {
804
50
        htp_connp_req_clear_buffer(connp);
805
50
        return HTP_DATA;
806
50
    }
807
808
    // Is this a line that should be ignored?
809
524k
    if (htp_connp_is_line_ignorable(connp, data, len)) {
810
        // We have an empty/whitespace line, which we'll note, ignore and move on.
811
339k
        connp->in_tx->request_ignored_lines++;
812
813
339k
        htp_connp_req_clear_buffer(connp);
814
815
339k
        return HTP_OK;
816
339k
    }
817
818
    // Process request line.
819
820
185k
    htp_chomp(data, &len);
821
822
185k
    connp->in_tx->request_line = bstr_dup_mem(data, len);
823
185k
    if (connp->in_tx->request_line == NULL)
824
0
        return HTP_ERROR;
825
826
185k
    if (connp->cfg->parse_request_line(connp) != HTP_OK)
827
0
        return HTP_ERROR;
828
829
    // Finalize request line parsing.
830
831
185k
    if (htp_tx_state_request_line(connp->in_tx) != HTP_OK)
832
0
        return HTP_ERROR;
833
834
185k
    htp_connp_req_clear_buffer(connp);
835
836
185k
    return HTP_OK;
837
185k
}
838
839
/**
840
 * Parses request line.
841
 *
842
 * @param[in] connp
843
 * @returns HTP_OK on state change, HTP_ERROR on error, or HTP_DATA when more data is needed.
844
 */
845
596k
htp_status_t htp_connp_REQ_LINE(htp_connp_t *connp) {
846
15.6M
    for (;;) {
847
        // Get one byte
848
15.6M
        IN_PEEK_NEXT(connp);
849
15.6M
        if (connp->in_status == HTP_STREAM_CLOSED && connp->in_next_byte == -1) {
850
2.05k
            return htp_connp_REQ_LINE_complete(connp);
851
2.05k
        }
852
15.6M
        IN_COPY_BYTE_OR_RETURN(connp);
853
854
        // Have we reached the end of the line?
855
15.5M
        if (connp->in_next_byte == LF) {
856
522k
            return htp_connp_REQ_LINE_complete(connp);
857
522k
        }
858
15.5M
    }
859
860
0
    return HTP_ERROR;
861
596k
}
862
863
1.76M
htp_status_t htp_connp_REQ_FINALIZE(htp_connp_t *connp) {
864
1.76M
    if (connp->in_status != HTP_STREAM_CLOSED) {
865
1.75M
        IN_PEEK_NEXT(connp);
866
1.75M
        if (connp->in_next_byte == -1) {
867
55.7k
            return htp_tx_state_request_complete(connp->in_tx);
868
55.7k
        }
869
1.69M
        if (connp->in_next_byte != LF || connp->in_current_consume_offset >= connp->in_current_read_offset) {
870
38.3M
            for (;;) {//;i < max_read; i++) {
871
                // peek until LF but do not mark it read so that REQ_LINE works
872
38.3M
                IN_PEEK_NEXT(connp);
873
38.3M
                if (connp->in_next_byte == LF)
874
1.63M
                    break;
875
36.7M
                IN_COPY_BYTE_OR_RETURN(connp);
876
36.6M
            }
877
1.69M
        }
878
1.69M
    }
879
880
1.64M
    unsigned char *data;
881
1.64M
    size_t len;
882
1.64M
    if (htp_connp_req_consolidate_data(connp, &data, &len) != HTP_OK) {
883
5
        return HTP_ERROR;
884
5
    }
885
#ifdef HTP_DEBUG
886
    fprint_raw_data(stderr, "PROBING request finalize", data, len);
887
#endif
888
1.64M
    if (len == 0) {
889
        //closing
890
126k
        return htp_tx_state_request_complete(connp->in_tx);
891
126k
    }
892
893
1.51M
    size_t pos = 0;
894
1.51M
    size_t mstart = 0;
895
    // skip past leading whitespace. IIS allows this
896
1.71M
    while ((pos < len) && htp_is_space(data[pos]))
897
194k
        pos++;
898
1.51M
    if (pos)
899
134k
        mstart = pos;
900
    // The request method starts at the beginning of the
901
    // line and ends with the first whitespace character.
902
14.0M
    while ((pos < len) && (!htp_is_space(data[pos])))
903
12.4M
        pos++;
904
905
1.51M
    if (pos > mstart) {
906
        //non empty whitespace line
907
1.41M
        int methodi = HTP_M_UNKNOWN;
908
1.41M
        bstr *method = bstr_dup_mem(data + mstart, pos - mstart);
909
1.41M
        if (method) {
910
1.41M
            methodi = htp_convert_method_to_number(method);
911
1.41M
            bstr_free(method);
912
1.41M
        }
913
1.41M
        if (methodi != HTP_M_UNKNOWN) {
914
18.3k
            connp->in_body_data_left = -1;
915
18.3k
            return htp_tx_state_request_complete(connp->in_tx);
916
18.3k
        } // else continue
917
1.39M
        if (connp->in_body_data_left <= 0) {
918
            // log only once per transaction
919
1.39M
            htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Unexpected request body");
920
1.39M
        } else {
921
0
            connp->in_body_data_left = 1;
922
0
        }
923
1.39M
    }
924
    //Adds linefeed to the buffer if there was one
925
1.49M
    if (connp->in_next_byte == LF) {
926
1.49M
        IN_COPY_BYTE_OR_RETURN(connp);
927
1.49M
        htp_connp_req_consolidate_data(connp, &data, &len);
928
1.49M
    }
929
    // Interpret remaining bytes as body data
930
1.49M
    htp_status_t rc = htp_tx_req_process_body_data_ex(connp->in_tx, data, len);
931
1.49M
    htp_connp_req_clear_buffer(connp);
932
1.49M
    return rc;
933
1.49M
}
934
935
16.5k
htp_status_t htp_connp_REQ_IGNORE_DATA_AFTER_HTTP_0_9(htp_connp_t *connp) {
936
    // Consume whatever is left in the buffer.
937
938
16.5k
    size_t bytes_left = connp->in_current_len - connp->in_current_read_offset;
939
940
16.5k
    if (bytes_left > 0) {
941
9.48k
        connp->conn->flags |= HTP_CONN_HTTP_0_9_EXTRA;
942
9.48k
    }
943
944
16.5k
    connp->in_current_read_offset += bytes_left;
945
16.5k
    connp->in_current_consume_offset += bytes_left;
946
16.5k
    connp->in_stream_offset += bytes_left;
947
948
16.5k
    return HTP_DATA;
949
16.5k
}
950
951
/**
952
 * The idle state is where the parser will end up after a transaction is processed.
953
 * If there is more data available, a new request will be started.
954
 *
955
 * @param[in] connp
956
 * @returns HTP_OK on state change, HTP_ERROR on error, or HTP_DATA when more data is needed.
957
 */
958
254k
htp_status_t htp_connp_REQ_IDLE(htp_connp_t * connp) {
959
    // We want to start parsing the next request (and change
960
    // the state from IDLE) only if there's at least one
961
    // byte of data available. Otherwise we could be creating
962
    // new structures even if there's no more data on the
963
    // connection.
964
254k
    IN_TEST_NEXT_BYTE_OR_RETURN(connp);
965
966
190k
    connp->in_tx = htp_connp_tx_create(connp);
967
190k
    if (connp->in_tx == NULL) return HTP_ERROR;
968
969
    // Change state to TRANSACTION_START
970
190k
    htp_tx_state_request_start(connp->in_tx);
971
972
190k
    return HTP_OK;
973
190k
}
974
975
/**
976
 * Returns how many bytes from the current data chunks were consumed so far.
977
 *
978
 * @param[in] connp
979
 * @return The number of bytes consumed.
980
 */
981
421k
size_t htp_connp_req_data_consumed(htp_connp_t *connp) {
982
421k
    return connp->in_current_read_offset;
983
421k
}
984
985
329k
int htp_connp_req_data(htp_connp_t *connp, const htp_time_t *timestamp, const void *data, size_t len) {
986
    #ifdef HTP_DEBUG
987
    fprintf(stderr, "htp_connp_req_data(connp->in_status %x)\n", connp->in_status);
988
    fprint_raw_data(stderr, __func__, data, len);
989
    #endif
990
991
    // Return if the connection is in stop state.
992
329k
    if (connp->in_status == HTP_STREAM_STOP) {
993
0
        htp_log(connp, HTP_LOG_MARK, HTP_LOG_INFO, 0, "Inbound parser is in HTP_STREAM_STOP");
994
0
        return HTP_STREAM_STOP;
995
0
    }
996
997
    // Return if the connection had a fatal error earlier
998
329k
    if (connp->in_status == HTP_STREAM_ERROR) {
999
178
        htp_log(connp, HTP_LOG_MARK, HTP_LOG_ERROR, 0, "Inbound parser is in HTP_STREAM_ERROR");
1000
1001
        #ifdef HTP_DEBUG
1002
        fprintf(stderr, "htp_connp_req_data: returning HTP_STREAM_DATA (previous error)\n");
1003
        #endif
1004
1005
178
        return HTP_STREAM_ERROR;
1006
178
    }
1007
1008
    // Sanity check: we must have a transaction pointer if the state is not IDLE (no inbound transaction)
1009
329k
    if ((connp->in_tx == NULL)&&
1010
71.4k
        (connp->in_state != htp_connp_REQ_IDLE && connp->in_state != htp_connp_REQ_IGNORE_DATA_AFTER_HTTP_0_9)) {
1011
32
        connp->in_status = HTP_STREAM_ERROR;
1012
1013
32
        htp_log(connp, HTP_LOG_MARK, HTP_LOG_ERROR, 0, "Missing inbound transaction data");
1014
1015
32
        return HTP_STREAM_ERROR;
1016
32
    }
1017
1018
    // If the length of the supplied data chunk is zero, proceed
1019
    // only if the stream has been closed. We do not allow zero-sized
1020
    // chunks in the API, but we use them internally to force the parsers
1021
    // to finalize parsing.
1022
329k
    if (len == 0 && connp->in_status != HTP_STREAM_CLOSED) {
1023
0
        htp_log(connp, HTP_LOG_MARK, HTP_LOG_ERROR, 0, "Zero-length data chunks are not allowed");
1024
1025
        #ifdef HTP_DEBUG
1026
        fprintf(stderr, "htp_connp_req_data: returning HTP_STREAM_DATA (zero-length chunk)\n");
1027
        #endif
1028
1029
0
        return HTP_STREAM_CLOSED;
1030
0
    }
1031
1032
    // Remember the timestamp of the current request data chunk
1033
329k
    if (timestamp != NULL) {
1034
329k
        memcpy(&connp->in_timestamp, timestamp, sizeof (*timestamp));
1035
329k
    }
1036
1037
    // Store the current chunk information    
1038
329k
    connp->in_current_data = (unsigned char *) data;
1039
329k
    connp->in_current_len = len;
1040
329k
    connp->in_current_read_offset = 0;
1041
329k
    connp->in_current_consume_offset = 0;
1042
329k
    connp->in_current_receiver_offset = 0;
1043
329k
    connp->in_chunk_count++;
1044
1045
329k
    htp_conn_track_inbound_data(connp->conn, len, timestamp);
1046
1047
1048
    // Return without processing any data if the stream is in tunneling
1049
    // mode (which it would be after an initial CONNECT transaction).
1050
329k
    if (connp->in_status == HTP_STREAM_TUNNEL) {
1051
        #ifdef HTP_DEBUG
1052
        fprintf(stderr, "htp_connp_req_data: returning HTP_STREAM_TUNNEL\n");
1053
        #endif
1054
1055
2.47k
        return HTP_STREAM_TUNNEL;
1056
2.47k
    }
1057
1058
326k
    if (connp->out_status == HTP_STREAM_DATA_OTHER) {
1059
81
        connp->out_status = HTP_STREAM_DATA;
1060
81
    }
1061
1062
    // Invoke a processor, in a loop, until an error
1063
    // occurs or until we run out of data. Many processors
1064
    // will process a request, each pointing to the next
1065
    // processor that needs to run.
1066
3.46M
    for (;;) {
1067
        #ifdef HTP_DEBUG
1068
        fprintf(stderr, "htp_connp_req_data: in state=%s, progress=%s\n",
1069
                htp_connp_in_state_as_string(connp),
1070
                htp_tx_request_progress_as_string(connp->in_tx));
1071
        #endif
1072
1073
        // Return if there's been an error or if we've run out of data. We are relying
1074
        // on processors to supply error messages, so we'll keep quiet here.
1075
1076
3.46M
        htp_status_t rc;
1077
        //handle gap
1078
3.46M
        if (data == NULL && len > 0) {
1079
            //cannot switch over a function pointer in C
1080
3.40k
            if (connp->in_state == htp_connp_REQ_BODY_IDENTITY ||
1081
3.36k
                connp->in_state == htp_connp_REQ_IGNORE_DATA_AFTER_HTTP_0_9) {
1082
107
                rc = connp->in_state(connp);
1083
3.29k
            } else if (connp->in_state == htp_connp_REQ_FINALIZE) {
1084
                //simple version without probing
1085
483
                rc = htp_tx_state_request_complete(connp->in_tx);
1086
2.81k
            } else {
1087
                // go to htp_connp_REQ_CONNECT_PROBE_DATA ?
1088
2.81k
                htp_log(connp, HTP_LOG_MARK, HTP_LOG_ERROR, 0, "Gaps are not allowed during this state");
1089
2.81k
                return HTP_STREAM_CLOSED;
1090
2.81k
            }
1091
3.46M
        } else {
1092
3.46M
            rc = connp->in_state(connp);
1093
3.46M
        }
1094
3.46M
        if (rc == HTP_OK) {
1095
3.14M
            if (connp->in_status == HTP_STREAM_TUNNEL) {
1096
                #ifdef HTP_DEBUG
1097
                fprintf(stderr, "htp_connp_req_data: returning HTP_STREAM_TUNNEL\n");
1098
                #endif
1099
1100
39
                return HTP_STREAM_TUNNEL;
1101
39
            }
1102
1103
3.14M
            rc = htp_req_handle_state_change(connp);
1104
3.14M
        }
1105
1106
3.46M
        if (rc != HTP_OK) {
1107
            // Do we need more data?
1108
324k
            if ((rc == HTP_DATA) || (rc == HTP_DATA_BUFFER)) {
1109
319k
                htp_connp_req_receiver_send_data(connp, 0 /* not last */);
1110
1111
319k
                if (rc == HTP_DATA_BUFFER) {
1112
226k
                    if (htp_connp_req_buffer(connp) != HTP_OK) {
1113
10
                        connp->in_status = HTP_STREAM_ERROR;
1114
10
                        return HTP_STREAM_ERROR;
1115
10
                    }
1116
226k
                }
1117
1118
                #ifdef HTP_DEBUG
1119
                fprintf(stderr, "htp_connp_req_data: returning HTP_STREAM_DATA\n");
1120
                #endif
1121
1122
319k
                connp->in_status = HTP_STREAM_DATA;
1123
1124
319k
                return HTP_STREAM_DATA;
1125
319k
            }
1126
1127
            // Check for suspended parsing.
1128
4.05k
            if (rc == HTP_DATA_OTHER) {
1129
                // We might have actually consumed the entire data chunk?
1130
3.78k
                if (connp->in_current_read_offset >= connp->in_current_len) {
1131
                    // Do not send STREAM_DATE_DATA_OTHER if we've consumed the entire chunk.
1132
1133
                    #ifdef HTP_DEBUG
1134
                    fprintf(stderr, "htp_connp_req_data: returning HTP_STREAM_DATA (suspended parsing)\n");
1135
                    #endif
1136
1137
2.68k
                    connp->in_status = HTP_STREAM_DATA;
1138
1139
2.68k
                    return HTP_STREAM_DATA;
1140
2.68k
                } else {
1141
                    // Partial chunk consumption.
1142
1143
                    #ifdef HTP_DEBUG
1144
                    fprintf(stderr, "htp_connp_req_data: returning HTP_STREAM_DATA_OTHER\n");
1145
                    #endif
1146
1147
1.09k
                    connp->in_status = HTP_STREAM_DATA_OTHER;
1148
1149
1.09k
                    return HTP_STREAM_DATA_OTHER;
1150
1.09k
                }
1151
3.78k
            }
1152
1153
            // Check for the stop signal.
1154
267
            if (rc == HTP_STOP) {
1155
                #ifdef HTP_DEBUG
1156
                fprintf(stderr, "htp_connp_req_data: returning HTP_STREAM_STOP\n");
1157
                #endif
1158
1159
0
                connp->in_status = HTP_STREAM_STOP;
1160
1161
0
                return HTP_STREAM_STOP;
1162
0
            }
1163
1164
            #ifdef HTP_DEBUG
1165
            fprintf(stderr, "htp_connp_req_data: returning HTP_STREAM_ERROR\n");
1166
            #endif
1167
1168
            // Permanent stream error.
1169
267
            connp->in_status = HTP_STREAM_ERROR;
1170
1171
267
            return HTP_STREAM_ERROR;
1172
267
        }
1173
3.46M
    }
1174
326k
}