From: Victor Julien
Date: Fri, 17 Jul 2015 19:05:14 +0000 (+0200)
Subject: detect: fix pass transaction handling
X-Git-Tag: suricata-3.0RC1~228
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2ef0ebb24b2a8f762e1545eddab47c2c1778490e;p=thirdparty%2Fsuricata.git
detect: fix pass transaction handling
If a flow was 'pass'd, it means that no packet of it will flow be handled by the detection engine. A side effect of this was that the per flow inspect_id would never be moved forward. This in turn lead to a situation where transactions wouldn't be freed. This patch addresses this case by incrementing the inspect_id anyway for the pass case.
---
diff --git a/src/detect.c b/src/detect.c
index d40b91bb1a..e98fd311db 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1939,9 +1939,30 @@ TmEcode Detect(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQue
 DEBUG_VALIDATE_PACKET(p);
 
 /* No need to perform any detection on this packet, if the the given flag is set.*/
-if ((p->flags & PKT_NOPACKET_INSPECTION) || (PACKET_TEST_ACTION(p,
-ACTION_DROP)))
+if ((p->flags & PKT_NOPACKET_INSPECTION) ||
+(PACKET_TEST_ACTION(p, ACTION_DROP)))
+{
+/* hack: if we are in pass the entire flow mode, we need to still
+* update the inspect_id forward. So test for the condition here,
+* and call the update code if necessary. */
+if (p->flow) {
+uint8_t flags = 0;
+FLOWLOCK_RDLOCK(p->flow);
+int pass = ((p->flow->flags & FLOW_NOPACKET_INSPECTION));
+flags = FlowGetDisruptionFlags(p->flow, flags);
+AppProto alproto = FlowGetAppProtocol(p->flow);
+FLOWLOCK_UNLOCK(p->flow);
+if (pass && AppLayerParserProtocolSupportsTxs(p->proto, alproto)) {
+if (p->flowflags & FLOW_PKT_TOSERVER) {
+flags |= STREAM_TOSERVER;
+} else {
+flags |= STREAM_TOCLIENT;
+}
+DeStateUpdateInspectTransactionId(p->flow, flags);
+}
+}
 return 0;
+}
 
 DetectEngineThreadCtx *det_ctx = (DetectEngineThreadCtx *)data;
 if (det_ctx == NULL) {
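Review bot: The flow read lock is released with `FLOWLOCK_UNLOCK(p->flow)` before `DeStateUpdateInspectTransactionId(p->flow, flags)` runs, so unless that callee acquires the flow lock itself (not visible in this hunk) the inspect_id advance happens on an unlocked flow while the flag and alproto reads that gated it were protected; confirm the callee's locking contract and either keep the lock held across the call or state in the comment that the callee locks. Separately, `int pass = ((p->flow->flags & FLOW_NOPACKET_INSPECTION));` carries redundant parentheses and stores a masked bit in an `int`; `const int pass = (p->flow->flags & FLOW_NOPACKET_INSPECTION) != 0;` reads as the boolean it is. The `hack:` comment would serve the next maintainer better if it named the intended proper fix, e.g. `/* TODO: pass-mode flows never reach the inspection path, so advance inspect_id here until the app-layer side can release transactions without the detect engine. */`, since the commit message explains the leak of unfreed transactions but the code comment does not. Detect() begins and ends outside this hunk.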