From dbbf18517378a326e0bd2f72f7ce7d5c2232493a Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Sun, 26 Feb 2017 19:56:38 +0100
Subject: [PATCH] app-layer: fix gap handling in protocol detection

A GAP during protocol detection would lead to all reassembly getting disabled, so also the raw reassembly. In addition, it could prevent the opposing side from doing protocol detection. This patch remove the 'disable reassembly' logic. Stream engine will take the stream with GAP and app-layer will make the proto detection as complete.
---
 src/app-layer.c | 4 ----
 src/stream-tcp-reassemble.c | 2 +-
 2 files changed, 1 insertion(+), 5 deletions(-)
diff --git a/src/app-layer.c b/src/app-layer.c
index 471f358b5d..8cbb86838d 100644
--- a/src/app-layer.c
+++ b/src/app-layer.c
@@ -560,7 +560,6 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
 AppProto alproto;
- uint8_t dir;
 int r = 0;
 SCLogDebug("data_len %u flags %02X", data_len, flags);
@@ -571,10 +570,8 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 if (flags & STREAM_TOSERVER) {
 alproto = f->alproto_ts;
- dir = 0;
 } else {
 alproto = f->alproto_tc;
- dir = 1;
 }
 /* if we don't know the proto yet and we have received a stream
@@ -583,7 +580,6 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 * only run the proto detection once. */
 if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_GAP)) {
 StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream);
- StreamTcpSetSessionNoReassemblyFlag(ssn, dir);
 SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
 } else if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
diff --git a/src/stream-tcp-reassemble.c b/src/stream-tcp-reassemble.c
index a3896435ae..9632c116bd 100644
--- a/src/stream-tcp-reassemble.c
+++ b/src/stream-tcp-reassemble.c
@@ -2903,7 +2903,7 @@ int StreamTcpReassembleAppLayer (ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 /* this function can be directly called by app layer protocol
 * detection. */
- if (stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
+ if (stream->flags & (STREAMTCP_STREAM_FLAG_NOREASSEMBLY|STREAMTCP_STREAM_FLAG_GAP)) {
 SCLogDebug("stream no reassembly flag set. Mostly called via "
 "app proto detection.");
 SCReturnInt(0);
--
2.47.2
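Review bot: The debug message under the widened check in StreamTcpReassembleAppLayer still says "stream no reassembly flag set", so an early return caused by `STREAMTCP_STREAM_FLAG_GAP` is logged as if NOREASSEMBLY were set; I would reword it to something like `SCLogDebug("stream has no-reassembly or GAP flag set, skipping app-layer reassembly");`. The comment above the check only explains the proto-detection call path, so a line such as `/* a stream that has seen a GAP gets no further app-layer reassembly */` would record why the GAP flag is tested here. Because this return presumably ends app-layer parsing for that direction once the flag is set, it is worth confirming outside this hunk that a gap is surfaced as an event or counter, so that the loss of app-layer visibility on a flow can be observed. The function body starts and ends outside the hunk.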