+ * If there is no memory left for buffering the content, or the buffer limit
+ * has been reached, switch to non-filtering mode, i.e. make & write the
+ * header, flush the iob and buf, and get out of the way.
+ */
+ if (add_to_iob(csp->iob, csp->config->buffer_limit, csp->receive_buffer, len))
+ {
+ size_t hdrlen;
+ long flushed;
+
+ log_error(LOG_LEVEL_INFO,
+ "Flushing header and buffers. Stepping back from filtering.");
+
+ hdr = list_to_text(csp->headers);
+ if (hdr == NULL)
+ {
+ /*
+ * Memory is too tight to even generate the header.
+ * Send our static "Out-of-memory" page.
+ */
+ log_error(LOG_LEVEL_ERROR, "Out of memory while trying to flush.");
+ rsp = cgi_error_memory();
+ send_crunch_response(csp, rsp);
+ mark_server_socket_tainted(csp);
+#ifdef FEATURE_HTTPS_INSPECTION
+ close_client_and_server_ssl_connections(csp);
+#endif
+ return;
+ }
+ hdrlen = strlen(hdr);
+
+#ifdef FEATURE_HTTPS_INSPECTION
+ /*
+ * Sending data with standard or secured connection (HTTP/HTTPS)
+ */
+ if (client_use_ssl(csp))
+ {
+ if ((ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ (const unsigned char *)hdr, hdrlen, get_write_delay(csp)) < 0)
+ || ((flushed = ssl_flush_socket(&(csp->mbedtls_client_attr.ssl),
+ csp->iob)) < 0)
+ || (ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ (const unsigned char *)csp->receive_buffer, (size_t)len,
+ get_write_delay(csp)) < 0))
+ {
+ log_error(LOG_LEVEL_CONNECT,
+ "Flush header and buffers to client failed");
+ freez(hdr);
+ mark_server_socket_tainted(csp);
+ close_client_and_server_ssl_connections(csp);
+ return;
+ }
+ }
+ else
+#endif /* def FEATURE_HTTPS_INSPECTION */
+ {
+ if (write_socket_delayed(csp->cfd, hdr, hdrlen, write_delay)
+ || ((flushed = flush_iob(csp->cfd, csp->iob, write_delay)) < 0)
+ || write_socket_delayed(csp->cfd, csp->receive_buffer, (size_t)len,
+ write_delay))
+ {
+ log_error(LOG_LEVEL_CONNECT,
+ "Flush header and buffers to client failed: %E");
+ freez(hdr);
+ mark_server_socket_tainted(csp);
+ return;
+ }
+ }
+
+ /*
+ * Reset the byte_count to the amount of bytes
+ * we just flushed. len will be added a few lines below,
+ * hdrlen doesn't matter for LOG_LEVEL_CLF.
+ */
+ byte_count = (unsigned long long)flushed;
+ freez(hdr);
+ buffer_and_filter_content = 0;
+ server_body = 1;
+ }
+ }
+ else
+ {
+#ifdef FEATURE_HTTPS_INSPECTION
+ /*
+ * Sending data with standard or secured connection (HTTP/HTTPS)
+ */
+ if (client_use_ssl(csp))
+ {
+ ret = ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ (const unsigned char *)csp->receive_buffer, (size_t)len,
+ get_write_delay(csp));
+ if (ret < 0)
+ {
+ log_error(LOG_LEVEL_ERROR,
+ "Sending data to client failed");
+ mark_server_socket_tainted(csp);
+ close_client_and_server_ssl_connections(csp);
+ return;
+ }
+ }
+ else
+#endif /* def FEATURE_HTTPS_INSPECTION */
+ {
+ if (write_socket_delayed(csp->cfd, csp->receive_buffer,
+ (size_t)len, write_delay))
+ {
+ log_error(LOG_LEVEL_ERROR, "write to client failed: %E");
+ mark_server_socket_tainted(csp);
+ return;
+ }
+ }
+ }
+ byte_count += (unsigned long long)len;
+ continue;
+ }
+ else
+ {
+ /*
+ * We're still looking for the end of the server's header.
+ * Buffer up the data we just read. If that fails, there's
+ * little we can do but send our static out-of-memory page.
+ */
+ if (add_to_iob(csp->iob, csp->config->buffer_limit, csp->receive_buffer, len))
+ {
+ log_error(LOG_LEVEL_ERROR, "Out of memory while looking for end of server headers.");
+ rsp = cgi_error_memory();
+ send_crunch_response(csp, rsp);
+ mark_server_socket_tainted(csp);
+#ifdef FEATURE_HTTPS_INSPECTION
+ close_client_and_server_ssl_connections(csp);
+#endif
+ return;
+ }
+
+ /* Convert iob into something sed() can digest */
+ if (JB_ERR_PARSE == get_server_headers(csp))
+ {
+ if (ms_iis5_hack)
+ {
+ /*
+ * Well, we tried our MS IIS/5 hack and it didn't work.
+ * The header is incomplete and there isn't anything
+ * we can do about it.
+ */
+ log_error(LOG_LEVEL_ERROR, "Invalid server headers. "
+ "Applying the MS IIS5 hack didn't help.");
+ log_error(LOG_LEVEL_CLF,
+ "%s - - [%T] \"%s\" 502 0", csp->ip_addr_str, http->cmd);
+#ifdef FEATURE_HTTPS_INSPECTION
+ /*
+ * Sending data with standard or secured connection (HTTP/HTTPS)
+ */
+ if (client_use_ssl(csp))
+ {
+ ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ (const unsigned char *)INVALID_SERVER_HEADERS_RESPONSE,
+ strlen(INVALID_SERVER_HEADERS_RESPONSE), get_write_delay(csp));
+ }
+ else
+#endif /* def FEATURE_HTTPS_INSPECTION */
+ {
+ write_socket_delayed(csp->cfd,
+ INVALID_SERVER_HEADERS_RESPONSE,
+ strlen(INVALID_SERVER_HEADERS_RESPONSE), write_delay);
+ }
+ mark_server_socket_tainted(csp);
+#ifdef FEATURE_HTTPS_INSPECTION
+ close_client_and_server_ssl_connections(csp);
+#endif
+ return;
+ }
+ else
+ {
+ /*
+ * Since we have to wait for more from the server before
+ * we can parse the headers we just continue here.
+ */
+ log_error(LOG_LEVEL_CONNECT,
+ "Continuing buffering server headers from socket %d. "
+ "Bytes most recently read: %d.", csp->cfd, len);
+ continue;
+ }
+ }
+ else
+ {
+ /*
+ * Account for the content bytes we
+ * might have gotten with the headers.
+ */
+ assert(csp->iob->eod >= csp->iob->cur);
+ byte_count = (unsigned long long)(csp->iob->eod - csp->iob->cur);
+ }
+
+ /* Did we actually get anything? */
+ if (NULL == csp->headers->first)
+ {
+ if ((csp->flags & CSP_FLAG_REUSED_CLIENT_CONNECTION))
+ {
+ log_error(LOG_LEVEL_ERROR,
+ "No server or forwarder response received on socket %d. "
+ "Closing client socket %d without sending data.",
+ csp->server_connection.sfd, csp->cfd);
+ log_error(LOG_LEVEL_CLF,
+ "%s - - [%T] \"%s\" 502 0", csp->ip_addr_str, http->cmd);
+ }
+ else
+ {
+ log_error(LOG_LEVEL_ERROR,
+ "No server or forwarder response received on socket %d.",
+ csp->server_connection.sfd);
+ send_crunch_response(csp, error_response(csp, "no-server-data"));
+ }
+ free_http_request(http);
+ mark_server_socket_tainted(csp);
+#ifdef FEATURE_HTTPS_INSPECTION
+ close_client_and_server_ssl_connections(csp);
+#endif
+ return;
+ }
+
+ if (!csp->headers->first->str)
+ {
+ log_error(LOG_LEVEL_ERROR, "header search: csp->headers->first->str == NULL, assert will be called");
+ }
+ assert(csp->headers->first->str);
+
+ if (strncmpic(csp->headers->first->str, "HTTP", 4) &&
+ strncmpic(csp->headers->first->str, "ICY", 3))
+ {
+ /*
+ * It doesn't look like a HTTP (or Shoutcast) response:
+ * tell the client and log the problem.
+ */
+ if (strlen(csp->headers->first->str) > 30)
+ {
+ csp->headers->first->str[30] = '\0';
+ }
+ log_error(LOG_LEVEL_ERROR,
+ "Invalid server or forwarder response. Starts with: %s",
+ csp->headers->first->str);
+ log_error(LOG_LEVEL_CLF,
+ "%s - - [%T] \"%s\" 502 0", csp->ip_addr_str, http->cmd);
+#ifdef FEATURE_HTTPS_INSPECTION
+ /*
+ * Sending data with standard or secured connection (HTTP/HTTPS)
+ */
+ if (client_use_ssl(csp))
+ {
+ ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ (const unsigned char *)INVALID_SERVER_HEADERS_RESPONSE,
+ strlen(INVALID_SERVER_HEADERS_RESPONSE),
+ get_write_delay(csp));
+ }
+ else
+#endif /* def FEATURE_HTTPS_INSPECTION */
+ {
+ write_socket_delayed(csp->cfd, INVALID_SERVER_HEADERS_RESPONSE,
+ strlen(INVALID_SERVER_HEADERS_RESPONSE), write_delay);
+ }
+ free_http_request(http);
+ mark_server_socket_tainted(csp);
+#ifdef FEATURE_HTTPS_INSPECTION
+ close_client_and_server_ssl_connections(csp);
+#endif
+ return;
+ }
+
+ /*
+ * We have now received the entire server header,
+ * filter it and send the result to the client
+ */
+ if (JB_ERR_OK != sed(csp, FILTER_SERVER_HEADERS))
+ {
+ log_error(LOG_LEVEL_CLF,
+ "%s - - [%T] \"%s\" 502 0", csp->ip_addr_str, http->cmd);
+#ifdef FEATURE_HTTPS_INSPECTION
+ /*
+ * Sending data with standard or secured connection (HTTP/HTTPS)
+ */
+ if (client_use_ssl(csp))
+ {
+ ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ (const unsigned char *)INVALID_SERVER_HEADERS_RESPONSE,
+ strlen(INVALID_SERVER_HEADERS_RESPONSE),
+ get_write_delay(csp));
+ }
+ else
+#endif
+ {
+ write_socket_delayed(csp->cfd, INVALID_SERVER_HEADERS_RESPONSE,
+ strlen(INVALID_SERVER_HEADERS_RESPONSE), write_delay);
+ }
+ free_http_request(http);
+ mark_server_socket_tainted(csp);
+#ifdef FEATURE_HTTPS_INSPECTION
+ close_client_and_server_ssl_connections(csp);
+#endif
+ return;
+ }
+ hdr = list_to_text(csp->headers);
+ if (hdr == NULL)
+ {
+ /* FIXME Should handle error properly */
+ log_error(LOG_LEVEL_FATAL, "Out of memory parsing server header");
+ }
+
+ if ((csp->flags & CSP_FLAG_CHUNKED)
+ && !(csp->flags & CSP_FLAG_CONTENT_LENGTH_SET)
+ && ((csp->iob->eod - csp->iob->cur) >= 5)
+ && !memcmp(csp->iob->eod-5, "0\r\n\r\n", 5))
+ {
+ log_error(LOG_LEVEL_CONNECT,
+ "Looks like we got the last chunk together with "
+ "the server headers. We better stop reading.");
+ byte_count = (unsigned long long)(csp->iob->eod - csp->iob->cur);
+ csp->expected_content_length = byte_count;
+ csp->flags |= CSP_FLAG_CONTENT_LENGTH_SET;
+ }
+
+ csp->server_connection.response_received = time(NULL);
+
+ if (crunch_response_triggered(csp, crunchers_light))
+ {
+ /*
+ * One of the tags created by a server-header
+ * tagger triggered a crunch. We already
+ * delivered the crunch response to the client
+ * and are done here after cleaning up.
+ */
+ freez(hdr);
+ mark_server_socket_tainted(csp);
+#ifdef FEATURE_HTTPS_INSPECTION
+ close_client_and_server_ssl_connections(csp);
+#endif
+ return;
+ }
+
+ /* Buffer and pcrs filter this if appropriate. */
+ buffer_and_filter_content = content_requires_filtering(csp);
+
+ if (!buffer_and_filter_content)
+ {
+ /*
+ * Write the server's (modified) header to
+ * the client (along with anything else that
+ * may be in the buffer). Use standard or secured
+ * connection.