From: Philippe Antoine <pantoine@oisf.net>
Date: Thu, 12 Sep 2024 11:07:48 +0000 (+0200)
Subject: frames: do not only rely on FRAME_STREAM_ID
X-Git-Tag: suricata-7.0.7~32
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=50ee5e09c73147f439f342b8ea40c144bd717d5e;p=thirdparty%2Fsuricata.git

frames: do not only rely on FRAME_STREAM_ID

As stream frame is not always created,
hence the first frame is not always a stream frame :
If stream frame is not enabled, it does not get created,
and other enabled frames may be created first.
See use of FrameConfigTypeIsEnabled

This resulted that this other frame got its length updated
on stream end, which led to false positives.

Also checking FRAME_STREAM_TYPE is more consistent.

Not a clean cherry-pick as AppLayerFrameGetLastOpenByType
does not exist in main7

Ticket: 7213
---

diff --git a/src/app-layer-frames.h b/src/app-layer-frames.h
index 65ba5b6a69..31ec4d4c6c 100644
--- a/src/app-layer-frames.h
+++ b/src/app-layer-frames.h
@@ -28,8 +28,6 @@
 
 /** max 63 to fit the 64 bit per protocol space */
 #define FRAME_STREAM_TYPE 63
-/** always the first frame to be created. TODO but what about protocol upgrades? */
-#define FRAME_STREAM_ID 1
 
 typedef int64_t FrameId;
 
diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c
index e9b84ed6d3..11ee4d6400 100644
--- a/src/app-layer-parser.c
+++ b/src/app-layer-parser.c
@@ -1238,6 +1238,9 @@ static inline void SetEOFFlags(AppLayerParserState *pstate, const uint8_t flags)
     }
 }
 
+// if there is a stream frame, it should always be the first
+#define FRAME_STREAM_ID 1
+
 /** \internal
  *  \brief create/close stream frames
  *  On first invocation of TCP parser in a direction, create a <alproto>.stream frame.
@@ -1253,7 +1256,7 @@ static void HandleStreamFrames(Flow *f, StreamSlice stream_slice, const uint8_t
                 (direction == 1 && (pstate->flags & APP_LAYER_PARSER_SFRAME_TC) == 0)) &&
             input != NULL && f->proto == IPPROTO_TCP) {
         Frame *frame = AppLayerFrameGetById(f, direction, FRAME_STREAM_ID);
-        if (frame == NULL) {
+        if (frame == NULL || frame->type != FRAME_STREAM_TYPE) {
             int64_t frame_len = -1;
             if (flags & STREAM_EOF)
                 frame_len = input_len;
@@ -1275,7 +1278,7 @@ static void HandleStreamFrames(Flow *f, StreamSlice stream_slice, const uint8_t
     } else if (flags & STREAM_EOF) {
         Frame *frame = AppLayerFrameGetById(f, direction, FRAME_STREAM_ID);
         SCLogDebug("EOF closing: frame %p", frame);
-        if (frame) {
+        if (frame && frame->type == FRAME_STREAM_TYPE) {
             /* calculate final frame length */
             int64_t slice_o = (int64_t)stream_slice.offset - (int64_t)frame->offset;
             int64_t frame_len = slice_o + (int64_t)input_len;