From d036374749e830977d209302bd4fda9e88d963ef Mon Sep 17 00:00:00 2001
From: Victor Julien <victor@inliniac.net>
Date: Tue, 21 Nov 2017 10:31:58 +0100
Subject: [PATCH] enip: support gaps

Due to a bug in the GAP handling the TCP layer the parser would already
get data after GAPs before.
---
 src/app-layer-enip.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/app-layer-enip.c b/src/app-layer-enip.c
index 37062e16fd..7bc605e43d 100644
--- a/src/app-layer-enip.c
+++ b/src/app-layer-enip.c
@@ -323,6 +323,9 @@ static int ENIPParse(Flow *f, void *state, AppLayerParserState *pstate,
             APP_LAYER_PARSER_EOF))
     {
         SCReturnInt(1);
+    } else if (input == NULL && input_len != 0) {
+        // GAP
+        SCReturnInt(0);
     } else if (input == NULL || input_len == 0)
     {
         SCReturnInt(-1);
@@ -526,6 +529,11 @@ void RegisterENIPTCPParsers(void)
 
         AppLayerParserRegisterParserAcceptableDataDirection(IPPROTO_TCP,
                 ALPROTO_ENIP, STREAM_TOSERVER | STREAM_TOCLIENT);
+
+        /* This parser accepts gaps. */
+        AppLayerParserRegisterOptionFlags(IPPROTO_TCP, ALPROTO_ENIP,
+                APP_LAYER_PARSER_OPT_ACCEPT_GAPS);
+
     } else
     {
         SCLogConfig("Parser disabled for %s protocol. Protocol detection still on.",
-- 
2.47.2