From: Jason Ish <ish@unx.ca>
Date: Thu, 13 Jul 2017 16:28:48 +0000 (-0600)
Subject: rust/dns/tcp - probe even if payload is short
X-Git-Tag: suricata-4.0.0~29
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2838%2Fhead;p=thirdparty%2Fsuricata.git

rust/dns/tcp - probe even if payload is short

As the DNS probe just uses the query portion of a response, don't
require there to be as many bytes as specified in the TCP DNS
header. This can occur in large responses where probe is called
without all the data.

Fixes the cases where the app proto is recorded as failed.

Fixes issue:
https://redmine.openinfosecfoundation.org/issues/2169
---

diff --git a/rust/src/dns/dns.rs b/rust/src/dns/dns.rs
index 9c69642451..b599eda54f 100644
--- a/rust/src/dns/dns.rs
+++ b/rust/src/dns/dns.rs
@@ -545,10 +545,8 @@ fn probe(input: &[u8]) -> bool {
 /// Probe TCP input to see if it looks like DNS.
 pub fn probe_tcp(input: &[u8]) -> bool {
     match nom::be_u16(input) {
-        nom::IResult::Done(rem, len) => {
-            if rem.len() >= len as usize {
-                return probe(rem);
-            }
+        nom::IResult::Done(rem, _) => {
+            return probe(rem);
         },
         _ => {}
     }