enip: support gaps

Due to a bug in the GAP handling the TCP layer the parser would already
get data after GAPs before.

diff --git a/src/app-layer-enip.c b/src/app-layer-enip.c
index 37062e16fd05103848cf83f03542982a1874405a..7bc605e43df8da4e9dcfab9bdcdd5c9d0847937b 100644 (file)
--- a/src/app-layer-enip.c
+++ b/src/app-layer-enip.c
@@ -323,6 +323,9 @@ static int ENIPParse(Flow *f, void *state, AppLayerParserState *pstate,
             APP_LAYER_PARSER_EOF))
     {
         SCReturnInt(1);
+    } else if (input == NULL && input_len != 0) {
+        // GAP
+        SCReturnInt(0);
     } else if (input == NULL || input_len == 0)
     {
         SCReturnInt(-1);
@@ -526,6 +529,11 @@ void RegisterENIPTCPParsers(void)
 
         AppLayerParserRegisterParserAcceptableDataDirection(IPPROTO_TCP,
                 ALPROTO_ENIP, STREAM_TOSERVER | STREAM_TOCLIENT);
+
+        /* This parser accepts gaps. */
+        AppLayerParserRegisterOptionFlags(IPPROTO_TCP, ALPROTO_ENIP,
+                APP_LAYER_PARSER_OPT_ACCEPT_GAPS);
+
     } else
     {
         SCLogConfig("Parser disabled for %s protocol. Protocol detection still on.",