From: Victor Julien
Date: Sun, 26 Feb 2017 18:56:38 +0000 (+0100)
Subject: app-layer: fix gap handling in protocol detection
X-Git-Tag: suricata-4.0.0-beta1~261
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dbbf18517378a326e0bd2f72f7ce7d5c2232493a;p=thirdparty%2Fsuricata.git
app-layer: fix gap handling in protocol detection
A GAP during protocol detection would lead to all reassembly getting disabled, so also the raw reassembly. In addition, it could prevent the opposing side from doing protocol detection. This patch remove the 'disable reassembly' logic. Stream engine will take the stream with GAP and app-layer will make the proto detection as complete.
---
diff --git a/src/app-layer.c b/src/app-layer.c
index 471f358b5d..8cbb86838d 100644
--- a/src/app-layer.c
+++ b/src/app-layer.c
@@ -560,7 +560,6 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
 AppProto alproto;
- uint8_t dir;
 int r = 0;
 SCLogDebug("data_len %u flags %02X", data_len, flags);
@@ -571,10 +570,8 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 if (flags & STREAM_TOSERVER) {
 alproto = f->alproto_ts;
- dir = 0;
 } else {
 alproto = f->alproto_tc;
- dir = 1;
 }
 /* if we don't know the proto yet and we have received a stream
@@ -583,7 +580,6 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 * only run the proto detection once. */
 if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_GAP)) {
 StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream);
- StreamTcpSetSessionNoReassemblyFlag(ssn, dir);
 SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
 } else if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
diff --git a/src/stream-tcp-reassemble.c b/src/stream-tcp-reassemble.c
index a3896435ae..9632c116bd 100644
--- a/src/stream-tcp-reassemble.c
+++ b/src/stream-tcp-reassemble.c
@@ -2903,7 +2903,7 @@ int StreamTcpReassembleAppLayer (ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 /* this function can be directly called by app layer protocol
 * detection. */
- if (stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
+ if (stream->flags & (STREAMTCP_STREAM_FLAG_NOREASSEMBLY|STREAMTCP_STREAM_FLAG_GAP)) {
 SCLogDebug("stream no reassembly flag set. Mostly called via "
 "app proto detection.");
 SCReturnInt(0);
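Review bot: The debug message under the widened check still says "stream no reassembly flag set", so when the early return is taken because of `STREAMTCP_STREAM_FLAG_GAP` the log names the wrong cause. I would reword it to cover both flags, e.g. `SCLogDebug("stream has NOREASSEMBLY or GAP flag set, not passing data to app layer");`, and extend the comment above the check with a line such as `* A stream that has seen a GAP is no longer handed to the app layer from here.` As far as the hunk shows, this path returns 0 with no event or counter, so a gap silently ends app-layer parsing for that direction. Presumably only raw stream inspection continues, as the commit message suggests, and the comment should say so, so that anyone triaging missing app-layer events knows where coverage stops. StreamTcpReassembleAppLayer starts before and continues past this hunk, so confirm where the GAP flag is set before relying on that reading.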