From 50ee5e09c73147f439f342b8ea40c144bd717d5e Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Thu, 12 Sep 2024 13:07:48 +0200 Subject: [PATCH] frames: do not only rely on FRAME_STREAM_ID As stream frame is not always created, hence the first frame is not always a stream frame : If stream frame is not enabled, it does not get created, and other enabled frames may be created first. See use of FrameConfigTypeIsEnabled This resulted that this other frame got its length updated on stream end, which led to false positives. Also checking FRAME_STREAM_TYPE is more consistent. Not a clean cherry-pick as AppLayerFrameGetLastOpenByType does not exist in main7 Ticket: 7213 --- src/app-layer-frames.h | 2 -- src/app-layer-parser.c | 7 +++++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/src/app-layer-frames.h b/src/app-layer-frames.h index 65ba5b6a69..31ec4d4c6c 100644 --- a/src/app-layer-frames.h +++ b/src/app-layer-frames.h @@ -28,8 +28,6 @@ /** max 63 to fit the 64 bit per protocol space */ #define FRAME_STREAM_TYPE 63 -/** always the first frame to be created. TODO but what about protocol upgrades? */ -#define FRAME_STREAM_ID 1 typedef int64_t FrameId; diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c index e9b84ed6d3..11ee4d6400 100644 --- a/src/app-layer-parser.c +++ b/src/app-layer-parser.c @@ -1238,6 +1238,9 @@ static inline void SetEOFFlags(AppLayerParserState *pstate, const uint8_t flags) } } +// if there is a stream frame, it should always be the first +#define FRAME_STREAM_ID 1 + /** \internal * \brief create/close stream frames * On first invocation of TCP parser in a direction, create a .stream frame. @@ -1253,7 +1256,7 @@ static void HandleStreamFrames(Flow *f, StreamSlice stream_slice, const uint8_t (direction == 1 && (pstate->flags & APP_LAYER_PARSER_SFRAME_TC) == 0)) && input != NULL && f->proto == IPPROTO_TCP) { Frame *frame = AppLayerFrameGetById(f, direction, FRAME_STREAM_ID); - if (frame == NULL) { + if (frame == NULL || frame->type != FRAME_STREAM_TYPE) { int64_t frame_len = -1; if (flags & STREAM_EOF) frame_len = input_len; @@ -1275,7 +1278,7 @@ static void HandleStreamFrames(Flow *f, StreamSlice stream_slice, const uint8_t } else if (flags & STREAM_EOF) { Frame *frame = AppLayerFrameGetById(f, direction, FRAME_STREAM_ID); SCLogDebug("EOF closing: frame %p", frame); - if (frame) { + if (frame && frame->type == FRAME_STREAM_TYPE) { /* calculate final frame length */ int64_t slice_o = (int64_t)stream_slice.offset - (int64_t)frame->offset; int64_t frame_len = slice_o + (int64_t)input_len; -- 2.47.2