Add histograms for a number of hacks in the HTTP header parsing logic.

net/http/http_stream_parser.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_stream_parser.h"
 
 #include "base/bind.h"
 #include "base/compiler_specific.h"
 #include "base/logging.h"
+#include "base/metrics/histogram_macros.h"
 #include "base/profiler/scoped_tracker.h"
 #include "base/strings/string_util.h"
 #include "base/values.h"
 #include "net/base/io_buffer.h"
 #include "net/base/ip_endpoint.h"
 #include "net/base/upload_data_stream.h"
 #include "net/http/http_chunked_decoder.h"
 #include "net/http/http_request_headers.h"
 #include "net/http/http_request_info.h"
 #include "net/http/http_response_headers.h"
 #include "net/http/http_util.h"
 #include "net/socket/client_socket_handle.h"
 #include "net/socket/ssl_client_socket.h"
 
 namespace net {
 
 namespace {
 
+enum HttpHeaderParserEvent {
+  HEADER_PARSER_INVOKED = 0,
+  HEADER_HTTP_09_RESPONSE = 1,
+  HEADER_ALLOWED_TRUNCATED_HEADERS = 2,
+  HEADER_SKIPPED_WS_PREFIX = 3,
+  HEADER_SKIPPED_NON_WS_PREFIX = 4,
+  NUM_HEADER_EVENTS
+};
+
+void RecordHeaderParserEvent(HttpHeaderParserEvent header_event) {
+  UMA_HISTOGRAM_ENUMERATION("Net.HttpHeaderParserEvent", header_event,
+                            NUM_HEADER_EVENTS);
+}
+
 const uint64 kMaxMergedHeaderAndBodySize = 1400;
 const size_t kRequestBodyBufferSize = 1 << 14;  // 16KB
 
 std::string GetResponseHeaderLines(const HttpResponseHeaders& headers) {
   std::string raw_headers = headers.raw_headers();
   const char* null_separated_headers = raw_headers.c_str();
   const char* header_line = null_separated_headers;
   std::string cr_separated_headers;
   while (header_line[0] != 0) {
     cr_separated_headers += header_line;
@@ skipping 783 matching lines @@
     } else if (request_->url.SchemeIsSecure()) {
       // The connection was closed in the middle of the headers. For HTTPS we
       // don't parse partial headers. Return a different error code so that we
       // know that we shouldn't attempt to retry the request.
       io_state_ = STATE_DONE;
       return ERR_RESPONSE_HEADERS_TRUNCATED;
     }
     // Parse things as well as we can and let the caller decide what to do.
     int end_offset;
     if (response_header_start_offset_ >= 0) {
+      // The response looks to be a truncated set of HTTP headers.
       io_state_ = STATE_READ_BODY_COMPLETE;
       end_offset = read_buf_->offset();
+      RecordHeaderParserEvent(HEADER_ALLOWED_TRUNCATED_HEADERS);
     } else {
-      // Now waiting for the body to be read.
+      // The response is apparently using HTTP/0.9.  Treat the entire response
+      // the body.
       end_offset = 0;
     }
-    int rv = DoParseResponseHeaders(end_offset);
+    int rv = ParseResponseHeaders(end_offset);
     if (rv < 0)
       return rv;
     return result;
   }
 
   read_buf_->set_offset(read_buf_->offset() + result);
   DCHECK_LE(read_buf_->offset(), read_buf_->capacity());
   DCHECK_GE(result,  0);
 
-  int end_of_header_offset = ParseResponseHeaders();
+  int end_of_header_offset = FindAndParseResponseHeaders();
 
   // Note: -1 is special, it indicates we haven't found the end of headers.
   // Anything less than -1 is a net::Error, so we bail out.
   if (end_of_header_offset < -1)
     return end_of_header_offset;
 
   if (end_of_header_offset == -1) {
     io_state_ = STATE_READ_HEADERS;
     // Prevent growing the headers buffer indefinitely.
     if (read_buf_->offset() >= kMaxHeaderBufSize) {
@@ skipping 30 matching lines @@
       return OK;
     }
 
     // Note where the headers stop.
     read_buf_unused_offset_ = end_of_header_offset;
     // Now waiting for the body to be read.
   }
   return result;
 }
 
-int HttpStreamParser::ParseResponseHeaders() {
+int HttpStreamParser::FindAndParseResponseHeaders() {
   int end_offset = -1;
   DCHECK_EQ(0, read_buf_unused_offset_);
 
   // Look for the start of the status line, if it hasn't been found yet.
   if (response_header_start_offset_ < 0) {
     response_header_start_offset_ = HttpUtil::LocateStartOfStatusLine(
         read_buf_->StartOfBuffer(), read_buf_->offset());
   }
 
   if (response_header_start_offset_ >= 0) {
     end_offset = HttpUtil::LocateEndOfHeaders(read_buf_->StartOfBuffer(),
                                               read_buf_->offset(),
                                               response_header_start_offset_);
   } else if (read_buf_->offset() >= 8) {
     // Enough data to decide that this is an HTTP/0.9 response.
     // 8 bytes = (4 bytes of junk) + "http".length()
     end_offset = 0;
   }
 
   if (end_offset == -1)
     return -1;
 
-  int rv = DoParseResponseHeaders(end_offset);
+  int rv = ParseResponseHeaders(end_offset);
   if (rv < 0)
     return rv;
   return end_offset;
 }
 
-int HttpStreamParser::DoParseResponseHeaders(int end_offset) {
+int HttpStreamParser::ParseResponseHeaders(int end_offset) {
   scoped_refptr<HttpResponseHeaders> headers;
   DCHECK_EQ(0, read_buf_unused_offset_);
 
+  RecordHeaderParserEvent(HEADER_PARSER_INVOKED);
+
+  if (response_header_start_offset_ > 0) {
+    if (strspn(read_buf_->StartOfBuffer(), " \t\r\n") >=

[davidben, 2015/04/13 19:55:14]

I believe read_buf_ needn't be NUL-terminated, so this can read off the edge of
the buffer if it happens to be all whitespace. (Shouldn't this check be after
LocateEndOfHeaders is called? Seems this would also include cases where there
was slop in the buffer from the previous response.)

[mmenke, 2015/04/13 21:12:21]

This is certainly true...On the other hand, we *know* it contains "HTTP"
somewhere, since "response_header_start_offset_" is greater than 0, so it
doesn't have to be \0 terminated for this to work, for reasonable
implementations of strspn...Though depending on that is really weird.  Fixed.
This is only called after HttpUtil::LocateStartOfStatusLine is called, and finds
the start of the HTTP response.  Anything before that is the junk we're randomly
ignoring before the headers we're trying to parse.  Note that when the
HttpStreamParser is constructed, everything in the input buffer is after the end
of the previous response.

We only end up here when we've already called LocateEndOfHeaders, and determined
we don't have HTTP headers.  If we put this at line 938, we'd also miss the case
where we have truncated headers *and* skipped bytes before the header.

[davidben, 2015/04/14 23:41:39]

Oh, I see. StartOfBuffer is also where LocateStartOfStatusLine starts searching,
and we memmove on slop.

+        static_cast<size_t>(response_header_start_offset_)) {
+      RecordHeaderParserEvent(HEADER_SKIPPED_WS_PREFIX);
+    } else {
+      RecordHeaderParserEvent(HEADER_SKIPPED_NON_WS_PREFIX);
+    }
+  }
+
   if (response_header_start_offset_ >= 0) {
     received_bytes_ += end_offset;
     headers = new HttpResponseHeaders(HttpUtil::AssembleRawHeaders(
         read_buf_->StartOfBuffer(), end_offset));
   } else {
     // Enough data was read -- there is no status line.
     headers = new HttpResponseHeaders(std::string("HTTP/0.9 200 OK"));
+    RecordHeaderParserEvent(HEADER_HTTP_09_RESPONSE);
   }
 
   // Check for multiple Content-Length headers with no Transfer-Encoding header.
   // If they exist, and have distinct values, it's a potential response
   // smuggling attack.
   if (!headers->HasHeader("Transfer-Encoding")) {
     if (HeadersContainMultipleCopiesOfField(*headers.get(), "Content-Length"))
       return ERR_RESPONSE_HEADERS_MULTIPLE_CONTENT_LENGTH;
   }
 
@@ skipping 145 matching lines @@
       request_body->IsInMemory() &&
       request_body->size() > 0) {
     uint64 merged_size = request_headers.size() + request_body->size();
     if (merged_size <= kMaxMergedHeaderAndBodySize)
       return true;
   }
   return false;
 }
 
 }  // namespace net