From 89d229c76fb4ff923777829ae13c4e3fc11e1cb9 Mon Sep 17 00:00:00 2001
From: Philippe Antoine <pantoine@oisf.net>
Date: Wed, 14 Aug 2024 16:17:36 +0200
Subject: [PATCH] frames: do not rely on FRAME_STREAM_ID

As it is not always the first frame to be created :
if it is not enabled, it does not get created, and other enabled
frames may be created first. see use of FrameConfigTypeIsEnabled

This resulted that this other frame got its length updated
on stream end, which led to false positives.

Resorting on FRAME_STREAM_TYPE is more consistent.

Ticket: 7213
---
 src/app-layer-frames.h | 2 --
 src/app-layer-parser.c | 4 ++--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/app-layer-frames.h b/src/app-layer-frames.h
index 2eb3143316..f49bead57b 100644
--- a/src/app-layer-frames.h
+++ b/src/app-layer-frames.h
@@ -28,8 +28,6 @@
 
 /** max 63 to fit the 64 bit per protocol space */
 #define FRAME_STREAM_TYPE 63
-/** always the first frame to be created. TODO but what about protocol upgrades? */
-#define FRAME_STREAM_ID 1
 
 typedef int64_t FrameId;
 
diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c
index bb1666a28c..bcf2e392f5 100644
--- a/src/app-layer-parser.c
+++ b/src/app-layer-parser.c
@@ -1210,7 +1210,7 @@ static void HandleStreamFrames(Flow *f, StreamSlice stream_slice, const uint8_t
     if (((direction == 0 && (pstate->flags & APP_LAYER_PARSER_SFRAME_TS) == 0) ||
                 (direction == 1 && (pstate->flags & APP_LAYER_PARSER_SFRAME_TC) == 0)) &&
             input != NULL && f->proto == IPPROTO_TCP) {
-        Frame *frame = AppLayerFrameGetById(f, direction, FRAME_STREAM_ID);
+        Frame *frame = AppLayerFrameGetLastOpenByType(f, direction, FRAME_STREAM_TYPE);
         if (frame == NULL) {
             int64_t frame_len = -1;
             if (flags & STREAM_EOF)
@@ -1231,7 +1231,7 @@ static void HandleStreamFrames(Flow *f, StreamSlice stream_slice, const uint8_t
             }
         }
     } else if (flags & STREAM_EOF) {
-        Frame *frame = AppLayerFrameGetById(f, direction, FRAME_STREAM_ID);
+        Frame *frame = AppLayerFrameGetLastOpenByType(f, direction, FRAME_STREAM_TYPE);
         SCLogDebug("EOF closing: frame %p", frame);
         if (frame) {
             /* calculate final frame length */
-- 
2.47.2