From 3063851d85528c05991cfa6678a39079a24e56ea Mon Sep 17 00:00:00 2001 From: Jason Ish Date: Thu, 13 Jul 2017 10:28:48 -0600 Subject: [PATCH] rust/dns/tcp - probe even if payload is short As the DNS probe just uses the query portion of a response, don't require there to be as many bytes as specified in the TCP DNS header. This can occur in large responses where probe is called without all the data. Fixes the cases where the app proto is recorded as failed. Fixes issue: https://redmine.openinfosecfoundation.org/issues/2169 --- rust/src/dns/dns.rs | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/rust/src/dns/dns.rs b/rust/src/dns/dns.rs index 9c69642451..b599eda54f 100644 --- a/rust/src/dns/dns.rs +++ b/rust/src/dns/dns.rs @@ -545,10 +545,8 @@ fn probe(input: &[u8]) -> bool { /// Probe TCP input to see if it looks like DNS. pub fn probe_tcp(input: &[u8]) -> bool { match nom::be_u16(input) { - nom::IResult::Done(rem, len) => { - if rem.len() >= len as usize { - return probe(rem); - } + nom::IResult::Done(rem, _) => { + return probe(rem); }, _ => {} } -- 2.47.2