From: Philippe Antoine Date: Tue, 8 Sep 2020 07:23:24 +0000 (+0200) Subject: applayer: keep running detection on protocol change X-Git-Tag: suricata-6.0.0-rc1~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=82f1758573b1d46124c24e633333b79cf1045c33;p=thirdparty%2Fsuricata.git applayer: keep running detection on protocol change ie do not stop on first try if we do not have enough data
---
diff --git a/src/app-layer.c b/src/app-layer.c
index 9ac05c7b19..001acf2d7d 100644
--- a/src/app-layer.c
+++ b/src/app-layer.c
@@ -635,10 +635,20 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 AppLayerParserState *alparser = f->alparser;
 // we delay AppLayerParserStateCleanup because we may need previous parser state
 AppLayerProtoDetectReset(f);
+ StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->client);
+ StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->server);
 /* rerun protocol detection */
 int rd = TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags);
- FlowUnsetChangeProtoFlag(f);
- AppLayerParserStateProtoCleanup(f->protomap, f->alproto_orig, alstate_orig, alparser);
+ if (f->alproto == ALPROTO_UNKNOWN) {
+ // not enough data, revert AppLayerProtoDetectReset to rerun detection
+ f->alparser = alparser;
+ f->alproto = f->alproto_orig;
+ f->alproto_tc = f->alproto_orig;
+ f->alproto_ts = f->alproto_orig;
+ } else {
+ FlowUnsetChangeProtoFlag(f);
+ AppLayerParserStateProtoCleanup(f->protomap, f->alproto_orig, alstate_orig, alparser);
+ }
 if (rd != 0) {
 SCLogDebug("proto detect failure");
 f->alstate = NULL;
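Review bot: When TCPProtoDetect returns non-zero and f->alproto is still ALPROTO_UNKNOWN, the new revert branch is taken and AppLayerParserStateProtoCleanup is skipped, yet the following `if (rd != 0)` block still sets `f->alstate = NULL`; before this commit the cleanup ran unconditionally ahead of that check. If that combination is reachable, alstate_orig appears to be dropped without being freed while f->alparser and f->alproto are restored to the original protocol, leaving the flow with a parser and no state. Restricting the revert to the success case would keep the old failure handling: `if (rd == 0 && f->alproto == ALPROTO_UNKNOWN) {`. The comment on the revert branch could also say that the change-proto flag is deliberately left set so the next segment retries detection. The enclosing function starts before and continues after this hunk, so what follows `f->alstate = NULL;` is not visible here.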