frames: do not only rely on FRAME_STREAM_ID

As stream frame is not always created,
hence the first frame is not always a stream frame :
If stream frame is not enabled, it does not get created,
and other enabled frames may be created first.
See use of FrameConfigTypeIsEnabled

This resulted that this other frame got its length updated
on stream end, which led to false positives.

Also checking FRAME_STREAM_TYPE is more consistent.

Not a clean cherry-pick as AppLayerFrameGetLastOpenByType
does not exist in main7

Ticket: 7213

diff --git a/src/app-layer-frames.h b/src/app-layer-frames.h
index 65ba5b6a691957e7a4c03a2a968a2fc744221d3a..31ec4d4c6c9c2a251675dd3513c9d01bceddabb4 100644 (file)
--- a/src/app-layer-frames.h
+++ b/src/app-layer-frames.h
@@ -28,8 +28,6 @@
 
 /** max 63 to fit the 64 bit per protocol space */
 #define FRAME_STREAM_TYPE 63
-/** always the first frame to be created. TODO but what about protocol upgrades? */
-#define FRAME_STREAM_ID 1
 
 typedef int64_t FrameId;
 

diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c
index e9b84ed6d37c7e2b73c9f094f2cf81a3c0f65648..11ee4d64001d14bcacd54dcc9c3b7257ff422689 100644 (file)
--- a/src/app-layer-parser.c
+++ b/src/app-layer-parser.c
@@ -1238,6 +1238,9 @@ static inline void SetEOFFlags(AppLayerParserState *pstate, const uint8_t flags)
     }
 }
 
+// if there is a stream frame, it should always be the first
+#define FRAME_STREAM_ID 1
+
 /** \internal
  *  \brief create/close stream frames
  *  On first invocation of TCP parser in a direction, create a <alproto>.stream frame.
@@ -1253,7 +1256,7 @@ static void HandleStreamFrames(Flow *f, StreamSlice stream_slice, const uint8_t
                 (direction == 1 && (pstate->flags & APP_LAYER_PARSER_SFRAME_TC) == 0)) &&
             input != NULL && f->proto == IPPROTO_TCP) {
         Frame *frame = AppLayerFrameGetById(f, direction, FRAME_STREAM_ID);
-        if (frame == NULL) {
+        if (frame == NULL || frame->type != FRAME_STREAM_TYPE) {
             int64_t frame_len = -1;
             if (flags & STREAM_EOF)
                 frame_len = input_len;
@@ -1275,7 +1278,7 @@ static void HandleStreamFrames(Flow *f, StreamSlice stream_slice, const uint8_t
     } else if (flags & STREAM_EOF) {
         Frame *frame = AppLayerFrameGetById(f, direction, FRAME_STREAM_ID);
         SCLogDebug("EOF closing: frame %p", frame);
-        if (frame) {
+        if (frame && frame->type == FRAME_STREAM_TYPE) {
             /* calculate final frame length */
             int64_t slice_o = (int64_t)stream_slice.offset - (int64_t)frame->offset;
             int64_t frame_len = slice_o + (int64_t)input_len;