From: Jason Ish <ish@unx.ca>
Date: Thu, 13 Sep 2018 19:09:20 +0000 (-0600)
Subject: defrag: remove fragments that have complete overlap
X-Git-Tag: suricata-4.1.0-rc2~63
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aa986786621d7c722eac822a3fd1ae4f703209b8;p=thirdparty%2Fsuricata.git

defrag: remove fragments that have complete overlap

Instead of just marking fragments that have been completely
overlapped and won't be part of the assembled packet, remove
them from the fragment tree when detected.
---

diff --git a/src/defrag.c b/src/defrag.c
index cb9fee2dce..317e3dcba0 100644
--- a/src/defrag.c
+++ b/src/defrag.c
@@ -298,7 +298,7 @@ Defrag4Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p)
 
         if (frag->skip)
             continue;
-        if (frag->data_len - frag->ltrim <= 0)
+        if (frag->ltrim >= frag->data_len)
             continue;
         if (frag->offset == 0) {
 
@@ -779,10 +779,23 @@ DefragInsertFrag(ThreadVars *tv, DecodeThreadVars *dtv, DefragTracker *tracker,
             if (next != NULL) {
                 next = IP_FRAGMENTS_RB_NEXT(next);
             }
+            continue;
+
+        insert:
+            /* If existing fragment has been trimmed up completely
+             * (complete overlap), remove it now instead of holding
+             * onto it. */
+            if (prev->skip || prev->ltrim >= prev->data_len) {
+                RB_REMOVE(IP_FRAGMENTS, &tracker->fragment_tree, prev);
+                DefragFragReset(prev);
+                SCMutexLock(&defrag_context->frag_pool_lock);
+                PoolReturn(defrag_context->frag_pool, prev);
+                SCMutexUnlock(&defrag_context->frag_pool_lock);
+            }
+            break;
         }
     }
 
-insert:
     if (ltrim > data_len) {
         /* Full packet has been trimmed due to the overlap policy. Overlap
          * already set. */