From 52ea3fc7ac0269c3b0970a2b9ddbd83062652fe2 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 2 Feb 2021 14:44:43 +0100
Subject: [PATCH] fuzz: more precise assertion for protocol detection

Only in the cases of stream start is the assertion valable. Otherwise, it can only be best effort.
---
 src/tests/fuzz/fuzz_applayerprotodetectgetproto.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/tests/fuzz/fuzz_applayerprotodetectgetproto.c b/src/tests/fuzz/fuzz_applayerprotodetectgetproto.c
index bca53e1488..0a8095c8ae 100644
--- a/src/tests/fuzz/fuzz_applayerprotodetectgetproto.c
+++ b/src/tests/fuzz/fuzz_applayerprotodetectgetproto.c
@@ -55,8 +55,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
     f->protomap = FlowGetProtoMapping(f->proto);
     alproto = AppLayerProtoDetectGetProto(alpd_tctx, f, data+HEADER_LEN, size-HEADER_LEN, f->proto, data[0], &reverse);
-    if (alproto != ALPROTO_UNKNOWN && alproto != ALPROTO_FAILED && f->proto == IPPROTO_TCP) {
-        /* If we find a valid protocol :
+    if (alproto != ALPROTO_UNKNOWN && alproto != ALPROTO_FAILED && f->proto == IPPROTO_TCP &&
+        (data[0] & STREAM_MIDSTREAM) == 0) {
+        /* If we find a valid protocol at the start of a stream :
      * check that with smaller input
      * we find the same protocol or ALPROTO_UNKNOWN.
      * Otherwise, we have evasion with TCP splitting
-- 
2.47.2
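Review bot: The new guard only checks that STREAM_MIDSTREAM is clear in the flags byte, while the updated comment and the commit message describe the case as "the start of a stream"; since data[0] is passed through unchanged as the flags argument, an input whose flags byte has neither STREAM_MIDSTREAM nor a start flag set would still reach the splitting assertion, which may or may not be the intended "stream start" case. If the assertion is meant to hold only when detection saw the stream from its first byte, checking for that positively (e.g. `(data[0] & STREAM_START) != 0`, possibly in addition to the midstream test) would match the comment; if "not midstream" is really the intended precondition, the comment should say so, e.g. `/* If we find a valid protocol and the stream was not picked up midstream :`. The enclosing LLVMFuzzerTestOneInput body, including the splitting loop the comment introduces, continues outside the hunk.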