From: Philippe Antoine Date: Tue, 2 Feb 2021 13:44:43 +0000 (+0100) Subject: fuzz: more precise assertion for protocol detection X-Git-Tag: suricata-7.0.0-beta1~1750 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=52ea3fc7ac0269c3b0970a2b9ddbd83062652fe2;p=thirdparty%2Fsuricata.git fuzz: more precise assertion for protocol detection Only in the cases of stream start is the assertion valable. Otherwise, it can only be best effort.
---
diff --git a/src/tests/fuzz/fuzz_applayerprotodetectgetproto.c b/src/tests/fuzz/fuzz_applayerprotodetectgetproto.c
index bca53e1488..0a8095c8ae 100644
--- a/src/tests/fuzz/fuzz_applayerprotodetectgetproto.c
+++ b/src/tests/fuzz/fuzz_applayerprotodetectgetproto.c
@@ -55,8 +55,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 f->protomap = FlowGetProtoMapping(f->proto);
 alproto = AppLayerProtoDetectGetProto(alpd_tctx, f, data+HEADER_LEN, size-HEADER_LEN, f->proto, data[0], &reverse);
- if (alproto != ALPROTO_UNKNOWN && alproto != ALPROTO_FAILED && f->proto == IPPROTO_TCP) {
- /* If we find a valid protocol :
+ if (alproto != ALPROTO_UNKNOWN && alproto != ALPROTO_FAILED && f->proto == IPPROTO_TCP &&
+ (data[0] & STREAM_MIDSTREAM) == 0) {
+ /* If we find a valid protocol at the start of a stream :
 * check that with smaller input
 * we find the same protocol or ALPROTO_UNKNOWN.
 * Otherwise, we have evasion with TCP splitting
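Review bot: The new guard tests for the absence of STREAM_MIDSTREAM in the fuzzer-controlled flags byte `data[0]`, while the updated comment (and the commit message) describe the assertion as valid only "at the start of a stream"; those are not the same condition, since an input with neither STREAM_START nor STREAM_MIDSTREAM set still reaches the truncation check. If the intent is really "stream start", the condition should be `(data[0] & STREAM_START) != 0`; if "not midstream" is deliberately the weaker criterion the detector is expected to honour, the comment should say so, e.g. `/* Only for non-midstream data is detection expected to be prefix-stable : */`. Whether AppLayerProtoDetectGetProto behaves deterministically under truncation for the neither-flag case is not visible in this hunk, so I would at least document the choice. The enclosing LLVMFuzzerTestOneInput begins before the hunk and the if-body it opens continues past it.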