From: Jason Ish
Date: Fri, 31 Aug 2018 04:59:56 +0000 (-0600)
Subject: template: add gap handling
X-Git-Tag: suricata-6.0.0-beta1~147
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7476399f432810e6aa1b71d453bc977f2bca2596;p=thirdparty%2Fsuricata.git
template: add gap handling
---
diff --git a/src/app-layer-template.c b/src/app-layer-template.c
index e4451e11c8..198fb432be 100644
--- a/src/app-layer-template.c
+++ b/src/app-layer-template.c
@@ -41,7 +41,7 @@
 #include "app-layer-template.h"
 #include "util-unittest.h"
-
+#include "util-validate.h"
 /* The default port to probe for echo traffic if not provided in the
 * configuration file. */
@@ -245,16 +245,22 @@ static AppLayerResult TemplateParseRequest(Flow *f, void *statev,
 SCLogNotice("Parsing template request: len=%"PRIu32, input_len);
- /* Likely connection closed, we can just return here. */
- if ((input == NULL || input_len == 0) &&
- AppLayerParserStateIssetFlag(pstate, APP_LAYER_PARSER_EOF)) {
- SCReturnStruct(APP_LAYER_OK);
- }
-
- /* Probably don't want to create a transaction in this case
- * either. */
- if (input == NULL || input_len == 0) {
- SCReturnStruct(APP_LAYER_OK);
+ if (input == NULL) {
+ if (AppLayerParserStateIssetFlag(pstate, APP_LAYER_PARSER_EOF)) {
+ /* This is a signal that the stream is done. Do any
+ * cleanup if needed. Usually nothing is required here. */
+ SCReturnStruct(APP_LAYER_OK);
+ } else if (flags & STREAM_GAP) {
+ /* This is a signal that there has been a gap in the
+ * stream. This only needs to be handled if gaps were
+ * enabled during protocol registration. The input_len
+ * contains the size of the gap. */
+ SCReturnStruct(APP_LAYER_OK);
+ }
+ /* This should not happen. If input is NULL, one of the above should be
+ * true. */
+ DEBUG_VALIDATE_BUG_ON(true);
+ SCReturnStruct(APP_LAYER_ERROR);
 }
 /* Normally you would parse out data here and store it in the
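Review bot: A non-NULL `input` with `input_len == 0` is no longer rejected in TemplateParseRequest: the removed guards returned early on `input == NULL || input_len == 0`, while the new block only tests `input == NULL`, so a zero-length buffer would now fall through to the parsing code that begins after this hunk. Whether the stream engine can actually deliver such a call is not visible here, but because this file is a template that gets copied into real parsers, I would keep an explicit guard right after the NULL block, `if (input_len == 0) { SCReturnStruct(APP_LAYER_OK); }`. The comment in the `STREAM_GAP` branch could also state that a parser which buffers partial records has to discard that buffered state on a gap, so bytes from before and after the missing range are never joined into one record. The function body starts before and continues past this hunk.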
@@ -564,6 +570,11 @@ void RegisterTemplateParsers(void)
 TemplateStateGetEventInfoById);
 AppLayerParserRegisterGetEventsFunc(IPPROTO_TCP, ALPROTO_TEMPLATE,
 TemplateGetEvents);
+
+ /* Leave this is if you parser can handle gaps, otherwise
+ * remove. */
+ AppLayerParserRegisterOptionFlags(IPPROTO_TCP, ALPROTO_TEMPLATE,
+ APP_LAYER_PARSER_OPT_ACCEPT_GAPS);
 } else {
 SCLogNotice("Template protocol parsing disabled.");
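Review bot: `APP_LAYER_PARSER_OPT_ACCEPT_GAPS` is registered here for the protocol as a whole, but the only parser this patch teaches about gaps is `TemplateParseRequest`; the response parser is not visible in the diff, and presumably it will also be called with `input == NULL` and `STREAM_GAP` once the flag is set. Please confirm it tolerates a NULL `input` with a non-zero `input_len`, or give it the same NULL/EOF/GAP block, since code copied from this template will inherit whatever it does. The new comment also has two typos and would read better as `/* Leave this in if your parser can handle gaps, otherwise remove. */`. RegisterTemplateParsers starts before and continues past this hunk.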