From 6bef5fda06d756663bdf07f94761ae5d23cc1966 Mon Sep 17 00:00:00 2001 From: Anoop Saldanha Date: Mon, 9 Sep 2013 16:55:13 +0530 Subject: [PATCH] If we have proto mismatch from 2 directions, use one of the protos, instead of erroring out and not sending the data further to the parser. The logic we use currently is if we have already sent some data to a parser before we figure out we have a proto mismatch, we use the proto from the first direction from which we have already sent the data to the parser, else we stick to the the to client direction. --- src/app-layer.c | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/src/app-layer.c b/src/app-layer.c index f42f09e9d4..6e9b3bed3b 100644 --- a/src/app-layer.c +++ b/src/app-layer.c @@ -185,11 +185,19 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) { AppLayerDecoderEventsSetEventRaw(p->app_layer_events, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS); - f->alproto = f->alproto_ts = f->alproto_tc = ALPROTO_UNKNOWN; FlowSetSessionNoApplayerInspectionFlag(f); StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->client); StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->server); - } else { + if (ssn->data_first_seen_dir == 0x01) { + f->alproto = *alproto = *alproto_otherdir; + } else { + if (flags & STREAM_TOCLIENT) + f->alproto = *alproto_otherdir = *alproto; + else + f->alproto = *alproto = *alproto_otherdir; + } + } + f->alproto = *alproto; StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream); 
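Review bot: The mismatch branch still calls `FlowSetSessionNoApplayerInspectionFlag(f)` while now assigning a protocol to the flow, so these lines do not show whether traffic handed to the chosen parser will still be inspected. If the flag does what its name suggests, a protocol disagreement between the two directions leaves the flow parsed but uninspected, and that intent deserves a comment next to the call. The tie-break rule exists only in the commit message: `ssn->data_first_seen_dir == 0x01` compares against a bare literal (presumably "data already handed to a parser"), so I would give it a named constant and add a comment such as `/* data already went to a parser: keep that direction's proto; otherwise prefer the to-client detection */`. The assignments to `f->alproto` inside the three branches are redundant, since `f->alproto = *alproto;` follows the block unconditionally. AppLayerHandleTCPData starts and ends outside the hunk.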
@@ -242,7 +250,7 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, r = AppLayerParse(dp_ctx->alproto_local_storage[*alproto], f, *alproto, flags, data + data_al_so_far, data_len - data_al_so_far); PACKET_PROFILING_APP_END(dp_ctx, *alproto); f->data_al_so_far[dir] = 0; - } + } else { if (*alproto_otherdir != ALPROTO_UNKNOWN) { PACKET_PROFILING_APP_START(dp_ctx, *alproto_otherdir); @@ -2177,9 +2185,9 @@ static int AppLayerTest07(void) goto end; if (!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) || !StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) || - f.alproto != ALPROTO_UNKNOWN || - f.alproto_ts != ALPROTO_UNKNOWN || - f.alproto_tc != ALPROTO_UNKNOWN || + f.alproto != ALPROTO_HTTP || + f.alproto_ts != ALPROTO_HTTP || + f.alproto_tc != ALPROTO_HTTP || f.data_al_so_far[0] != 0 || f.data_al_so_far[1] != 0 || !(f.flags & FLOW_NO_APPLAYER_INSPECTION) || @@ -2415,9 +2423,9 @@ static int AppLayerTest08(void) goto end; if (!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) || !StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) || - f.alproto != ALPROTO_UNKNOWN || - f.alproto_ts != ALPROTO_UNKNOWN || - f.alproto_tc != ALPROTO_UNKNOWN || + f.alproto != ALPROTO_DCERPC || + f.alproto_ts != ALPROTO_DCERPC || + f.alproto_tc != ALPROTO_DCERPC || f.data_al_so_far[0] != 0 || f.data_al_so_far[1] != 0 || !(f.flags & FLOW_NO_APPLAYER_INSPECTION) || -- 2.47.3
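Review bot: The expected values in AppLayerTest07 move from `ALPROTO_UNKNOWN` to `ALPROTO_HTTP` (and to `ALPROTO_DCERPC` in the AppLayerTest08 hunk) with nothing in the test saying which tie-break rule produces them. A one-line comment above the check, e.g. `/* proto mismatch: both directions take the proto picked by AppLayerHandleTCPData */`, would let the test document that rule. The same condition still appears to require `FLOW_NO_APPLAYER_INSPECTION` to be set, so the tests pin a flow that has a protocol assigned yet is flagged for no app-layer inspection; if that combination is intended, say so in the test. Both test bodies continue outside their hunks.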