From: Pranav Bhalerao (prbhaler) <prbhaler@cisco.com>
Date: Wed, 9 Jun 2021 17:28:56 +0000 (+0000)
Subject: Merge pull request #2924 in SNORT/snort3 from ~AMARNAYA/snort3:sunRPC_port_based_bind... 
X-Git-Tag: 3.1.6.0~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c68a892bbf3c1579eb2c127e88ef973327e815ea;p=thirdparty%2Fsnort3.git

Merge pull request #2924 in SNORT/snort3 from ~AMARNAYA/snort3:sunRPC_port_based_binder to master

Squashed commit of the following:

commit 86d3a6674f7dc15467d9cc4513226d11b2fe3d25
Author: Amarnath Nayak <amarnaya@cisco.com>
Date:   Fri Jun 4 13:16:52 2021 -0400

    ips_options: fix intrusion alerts generation for tcp rpc PORTMAP traffic when rpc_decode is bound to the flow
---

diff --git a/src/ips_options/ips_rpc.cc b/src/ips_options/ips_rpc.cc
index ed4485af1..829afcca3 100644
--- a/src/ips_options/ips_rpc.cc
+++ b/src/ips_options/ips_rpc.cc
@@ -132,7 +132,7 @@ bool RpcOption::is_match(Packet* p)
 {
     const uint8_t* packet_data = p->data;
 
-    if ( p->is_tcp() )
+    if ( p->is_tcp() || p->is_data() )
         packet_data += 4;  // skip unused frag header
 
     packet_data += 4;  // skip unused xid
@@ -162,7 +162,7 @@ uint32_t RpcOption::get_int(const uint8_t*& data)
 // check if the packet type and size are valid
 bool RpcOption::is_valid(Packet* p)
 {
-    if ( p->is_tcp() )
+    if ( p->is_tcp() || p->is_data() )
         return p->dsize >= 28;
 
     else if ( p->is_udp() )