From: Victor Julien
Date: Tue, 21 Nov 2017 09:31:58 +0000 (+0100)
Subject: enip: support gaps
X-Git-Tag: suricata-4.1.0-beta1~282
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=700781c53b847eb73e35742a3b44b934d4fda9e6;p=thirdparty%2Fsuricata.git

enip: support gaps

Due to a bug in the GAP handling the TCP layer the parser would already get data after GAPs before.
---
diff --git a/src/app-layer-enip.c b/src/app-layer-enip.c
index 44a3e5a3ac..4a89be0be2 100644
--- a/src/app-layer-enip.c
+++ b/src/app-layer-enip.c
@@ -323,6 +323,9 @@ static int ENIPParse(Flow *f, void *state, AppLayerParserState *pstate,
 APP_LAYER_PARSER_EOF)) { SCReturnInt(1);
+ } else if (input == NULL && input_len != 0) {
+ // GAP
+ SCReturnInt(0);
 } else if (input == NULL || input_len == 0) { SCReturnInt(-1);
@@ -526,6 +529,11 @@ void RegisterENIPTCPParsers(void)
 AppLayerParserRegisterParserAcceptableDataDirection(IPPROTO_TCP, ALPROTO_ENIP, STREAM_TOSERVER | STREAM_TOCLIENT);
+
+ /* This parser accepts gaps. */
+ AppLayerParserRegisterOptionFlags(IPPROTO_TCP, ALPROTO_ENIP,
+ APP_LAYER_PARSER_OPT_ACCEPT_GAPS);
+
 } else { SCLogConfig("Parser disabled for %s protocol. Protocol detection still on.",
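Review bot: The new `input == NULL && input_len != 0` branch in ENIPParse returns 0 without leaving any trace that stream data was lost, and `// GAP` does not say why ignoring it is safe. ENIPParse's body continues outside the hunk, so it is not visible whether the bytes delivered after a gap are decoded from offset 0 as a fresh ENIP header; if they are, data resuming mid-PDU could yield bogus transactions or leave commands uninspected, which is a detection-coverage concern. I would expand the comment to `/* GAP: NULL input with non-zero input_len marks missing stream data; nothing to decode */` and state next to it how the parser resynchronises, ideally backed by a unit test that feeds a gap between two PDUs.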