From: Victor Julien <vjulien@oisf.net>
Date: Fri, 6 Dec 2024 13:15:34 +0000 (+0100)
Subject: flow/timeout: add frame awareness
X-Git-Tag: suricata-8.0.0-beta1~641
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d1b0d00478ffd90e367675ca029b193caa8b5553;p=thirdparty%2Fsuricata.git

flow/timeout: add frame awareness

If there are still frames in the flow, the detection and logging logic
needs to be able to evaluate them. To do this, make the flow timeout
logic aware of the frames. If frames still exist in a direction, trigger
a FFR packet to be created.

Ticket: #7440.
---

diff --git a/src/flow-timeout.c b/src/flow-timeout.c
index e08c519537..afec5d3d81 100644
--- a/src/flow-timeout.c
+++ b/src/flow-timeout.c
@@ -59,6 +59,7 @@
 #include "detect-engine-state.h"
 #include "stream.h"
 
+#include "app-layer-frames.h"
 #include "app-layer-parser.h"
 #include "app-layer.h"
 
@@ -287,7 +288,6 @@ Packet *FlowPseudoPacketGet(int direction, Flow *f, const TcpSession *ssn)
  */
 bool FlowNeedsReassembly(Flow *f)
 {
-
     if (f == NULL || f->protoctx == NULL) {
         return false;
     }
@@ -318,6 +318,15 @@ bool FlowNeedsReassembly(Flow *f)
         }
     }
 
+    /* if any frame is present we assume it still needs work */
+    FramesContainer *frames_container = AppLayerFramesGetContainer(f);
+    if (frames_container) {
+        if (frames_container->toserver.cnt)
+            client = STREAM_HAS_UNPROCESSED_SEGMENTS_NEED_ONLY_DETECTION;
+        if (frames_container->toclient.cnt)
+            server = STREAM_HAS_UNPROCESSED_SEGMENTS_NEED_ONLY_DETECTION;
+    }
+
     /* nothing to do */
     if (client == STREAM_HAS_UNPROCESSED_SEGMENTS_NONE &&
         server == STREAM_HAS_UNPROCESSED_SEGMENTS_NONE) {