From: Victor Julien Date: Fri, 10 Nov 2017 22:03:16 +0000 (+0100) Subject: stream/app-layer: fix GAP handling issue X-Git-Tag: suricata-4.0.6~56 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=b6d0a4ee4212738935fee636febcafccba96c4ef;p=thirdparty%2Fsuricata.git stream/app-layer: fix GAP handling issue Fix case where data after GAP was processed as in order data by app-layer. This happened even if protocol parser did not register to accept GAPs.
---
diff --git a/src/app-layer.c b/src/app-layer.c
index 7b22a38461..e765f800cf 100644
--- a/src/app-layer.c
+++ b/src/app-layer.c
@@ -565,12 +565,15 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 if (alproto == ALPROTO_UNKNOWN) {
 StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream);
 SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
- } else {
- PACKET_PROFILING_APP_START(app_tctx, f->alproto);
- r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
- flags, data, data_len);
- PACKET_PROFILING_APP_END(app_tctx, f->alproto);
+ /* if the other side didn't already find the proto, we're done */
+ if (f->alproto == ALPROTO_UNKNOWN)
+ goto end;
+
 }
+ PACKET_PROFILING_APP_START(app_tctx, f->alproto);
+ r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
+ flags, data, data_len);
+ PACKET_PROFILING_APP_END(app_tctx, f->alproto);
 goto end;
 }
diff --git a/src/stream-tcp-reassemble.c b/src/stream-tcp-reassemble.c
index 4665a9b1a3..e249d729d0 100644
--- a/src/stream-tcp-reassemble.c
+++ b/src/stream-tcp-reassemble.c
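Review bot: In the src/app-layer.c hunk, the `AppLayerParserParse(...)` call in AppLayerHandleTCPData now runs for every case that does not take the new `goto end`, but nothing at the call site says why the GAP has to reach the parser or what `data` may hold. The GAP path in src/stream-tcp-reassemble.c passes `NULL` with a non-zero length and `STREAM_GAP`; if that call reaches this branch, the fix depends on AppLayerParserParse (not visible here) refusing GAPs for parsers that never registered for them and never dereferencing `data`. I would record that above the call, e.g. `/* forward the GAP so the parser layer can stop parsing this direction; data may be NULL */`. The new `if (f->alproto == ALPROTO_UNKNOWN)` should also be braced and the blank line before the closing `}` dropped, since an unbraced `goto` in a detection path is easy to break in a later edit. The enclosing branch starts outside the hunk.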
@@ -980,7 +980,7 @@ static int ReassembleUpdateAppLayer (ThreadVars *tv,
 if (mydata == NULL && mydata_len > 0 && CheckGap(ssn, stream, p)) {
 SCLogDebug("sending GAP to app-layer (size: %u)", mydata_len);
- AppLayerHandleTCPData(tv, ra_ctx, p, p->flow, ssn, stream,
+ int r = AppLayerHandleTCPData(tv, ra_ctx, p, p->flow, ssn, stream,
 NULL, mydata_len, StreamGetAppLayerFlags(ssn, stream, p, dir)|STREAM_GAP);
 AppLayerProfilingStore(ra_ctx->app_tctx, p);
@@ -990,6 +990,9 @@ static int ReassembleUpdateAppLayer (ThreadVars *tv,
 stream->app_progress_rel += mydata_len;
 app_progress += mydata_len;
+ if (r < 0)
+ break;
+
 continue;
 } else if (mydata == NULL || mydata_len == 0) {
 /* Possibly a gap, but no new data. */
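Review bot: The new `if (r < 0) break;` in ReassembleUpdateAppLayer leaves the loop only after `stream->app_progress_rel` and `app_progress` have been advanced past the gap, and the hunk does not show what the function returns after the loop. If the post-loop code reports success, the caller cannot tell that the app layer refused the GAP, and the next call would resume with the data behind the gap; whether that data is then kept away from the parser depends on state set inside AppLayerHandleTCPData, which is outside this hunk. A comment such as `/* app-layer rejected the GAP: stop feeding this direction; progress already covers the gap */` would record the intent, and the `if` should be braced. `r` comes from the `int r = AppLayerHandleTCPData(...)` change in the previous hunk; a regression test that sends a GAP to a parser without GAP support and asserts that no later data is parsed would pin this behaviour down.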