From: Philippe Antoine <contact@catenacyber.fr>
Date: Thu, 11 Mar 2021 21:17:13 +0000 (+0100)
Subject: rdp: correctly returns incomplete in parse_tc
X-Git-Tag: suricata-6.0.3~57
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F6099%2Fhead;p=thirdparty%2Fsuricata.git

rdp: correctly returns incomplete in parse_tc

Adding the already consumed bytes
In case an incomplete tls handshake is handled with/after
a refular rdp t123_tpkt

(cherry picked from commit 6da9a37285a50b513077e5c88094f8112740ffcb)
---

diff --git a/rust/src/rdp/rdp.rs b/rust/src/rdp/rdp.rs
index fac136b6e3..89e08db4ae 100644
--- a/rust/src/rdp/rdp.rs
+++ b/rust/src/rdp/rdp.rs
@@ -360,7 +360,14 @@ impl RdpState {
                     Err(nom::Err::Failure(_)) | Err(nom::Err::Error(_)) => {
                         if probe_tls_handshake(available) {
                             self.tls_parsing = true;
-                            return self.parse_tc(available);
+                            let r = self.parse_tc(available);
+                            if r.status == 1 {
+                                //adds bytes already consumed to incomplete result
+                                let consumed = (input.len() - available.len()) as u32;
+                                return AppLayerResult::incomplete(r.consumed + consumed, r.needed);
+                            } else {
+                                return r;
+                            }
                         } else {
                             return AppLayerResult::err();
                         }