From bcb59b954838bac4eef9ff07266ad7df3e465454 Mon Sep 17 00:00:00 2001 From: "Nirmala Venkata Subbaiah -X (nirmvenk - XORIANT CORPORATION at Cisco)" Date: Tue, 3 Jun 2025 15:28:10 +0000 Subject: [PATCH] Pull request #4749: main: DAQ verdict changes Merge in SNORT/snort3 from ~NIRMVENK/snort3:daq_verdict to master Squashed commit of the following: commit a711df5547eb10f15e8ba654504824b962a1d7ec Author: Nirmala Subbaiah Date: Wed May 14 11:53:50 2025 -0400 main: clarify the DAQ verdict for inject --- src/main/analyzer.cc | 4 +++- src/main/test/distill_verdict_stubs.h | 1 + src/protocols/packet.cc | 7 +++++++ src/protocols/packet.h | 9 +++++++++ src/protocols/test/decode_err_len_test.cc | 2 ++ src/protocols/test/get_geneve_opt_test.cc | 2 ++ .../http2_inspect/test/http2_hpack_int_decode_test.cc | 2 ++ .../http2_inspect/test/http2_hpack_string_decode_test.cc | 2 ++ .../http_inspect/test/http_uri_norm_test.cc | 2 ++ src/stream/tcp/tcp_normalizer.cc | 3 +++ 10 files changed, 33 insertions(+), 1 deletion(-) diff --git a/src/main/analyzer.cc b/src/main/analyzer.cc index fb2bc13a6..123e9fb53 100644 --- a/src/main/analyzer.cc +++ b/src/main/analyzer.cc @@ -260,7 +260,7 @@ static DAQ_Verdict distill_verdict(Packet* p) // we never increase, only trim, but daq doesn't support resizing wire packet PacketManager::encode_update(p); - if ( p->daq_instance->inject(p->daq_msg, 0, p->pkt, p->pktlen) == DAQ_SUCCESS ) + if ( p->inject() == DAQ_SUCCESS ) verdict = DAQ_VERDICT_BLOCK; // FIXIT-M X Should we be blocking the wire packet even if the injection fails? } 
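Review bot: The failure path of the new `p->inject()` call is still silent: when it returns anything other than DAQ_SUCCESS, `verdict` is left as it was and nothing records that an injection was attempted and failed, although the new Packet::inject() in packet.cc has already flagged the packet as injected before the DAQ call. The open FIXIT-M question (block the wire packet even if injection fails?) is not resolved by this commit, so at minimum the failed attempt should be visible to whoever is tracing the packet, e.g. an `else` branch that logs it through PacketTracer::log, guarded the same way the existing trace calls in this file are. distill_verdict() begins before this hunk; only its tail is visible here.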
@@ -317,6 +317,8 @@ static void packet_trace_dump(Packet* p, DAQ_Verdict verdict, bool msg_was_held) PacketTracer::log("Verdict: Queuing for Retry\n"); else if (msg_was_held) PacketTracer::log("Verdict: Holding for Detection\n"); + else if (verdict == DAQ_VERDICT_BLOCK and p->is_pkt_injected()) + PacketTracer::log("Verdict: Inject, original packet dropped\n"); else PacketTracer::log("Verdict: %s\n", SFDAQ::verdict_to_string(verdict)); PacketTracer::dump(p); diff --git a/src/main/test/distill_verdict_stubs.h b/src/main/test/distill_verdict_stubs.h index a29a9f534..79d35c327 100644 --- a/src/main/test/distill_verdict_stubs.h +++ b/src/main/test/distill_verdict_stubs.h @@ -148,6 +148,7 @@ Packet::Packet(bool) packet_flags = PKT_FROM_CLIENT; } Packet::~Packet() = default; +int Packet::inject() { return 0; } IpsPolicy* get_ips_policy() { return nullptr; } void DataBus::publish(unsigned, unsigned, Packet*, Flow*) { } void DataBus::publish(unsigned, unsigned, DataEvent&, Flow*) { } diff --git a/src/protocols/packet.cc b/src/protocols/packet.cc index 3e1140a9a..4d1d73621 100644 --- a/src/protocols/packet.cc +++ b/src/protocols/packet.cc @@ -30,6 +30,7 @@ #include "log/obfuscator.h" #include "main/snort_config.h" #include "packet_io/active.h" +#include "packet_io/sfdaq_instance.h" #include "packet_manager.h" #include "vlan.h" @@ -322,5 +323,11 @@ bool Packet::is_from_application_server() const return is_from_server(); } +int Packet::inject() +{ + set_pkt_injected(); + return daq_instance->inject(daq_msg, 0, pkt, pktlen); +} + } // namespace snort diff --git a/src/protocols/packet.h b/src/protocols/packet.h index 3376362d2..0fa595000 100644 --- a/src/protocols/packet.h +++ b/src/protocols/packet.h @@ -91,6 +91,7 @@ class SFDAQInstance; #define PKT_TCP_PSEUDO_EST 0x80000000 // A one-sided or bidirectional without LWS TCP session was detected #define TS_PKT_OFFLOADED 0x01 +#define TS_PKT_INJECT 0x02 #define PKT_PDU_FULL (PKT_PDU_HEAD | PKT_PDU_TAIL) 
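Review bot: The new branch prints "Inject, original packet dropped" whenever the verdict is BLOCK and the inject flag is set, but Packet::inject() (packet.cc hunk) sets that flag before the DAQ call and regardless of its result, so a packet whose injection failed yet is blocked for another reason would be traced as injected. The clean fix is at the flag (set it only on DAQ_SUCCESS); if the flag keeps its current meaning, the text should not claim success, e.g. `PacketTracer::log("Verdict: Block, inject attempted\n");`. packet_trace_dump() starts before this hunk.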
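Review bot: The test stub `int Packet::inject() { return 0; }` models a successful injection (0 appears to be DAQ_SUCCESS in the DAQ API — verify) but does not set the injected bit the real Packet::inject() sets, so a distill_verdict test that reaches the new trace branch in packet_trace_dump would see verdict BLOCK with is_pkt_injected() false. Mirror the real side effect: `int Packet::inject() { set_pkt_injected(); return 0; }`. Note also that the SFDAQInstance::inject stubs added to the other test files return -1, so the two stub families disagree on the outcome; harmless for link-only stubs, but a one-line comment saying which result each test relies on would prevent a later mismatch.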
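Review bot: `set_pkt_injected()` is called before `daq_instance->inject(...)` and irrespective of its return value, so a packet whose injection failed is still reported as injected by is_pkt_injected(), while analyzer.cc only turns the verdict into BLOCK on DAQ_SUCCESS; flag and verdict can therefore disagree. Set the flag only on success: `int rc = daq_instance->inject(daq_msg, 0, pkt, pktlen); if (rc == DAQ_SUCCESS) set_pkt_injected(); return rc;`. The second argument is hard-coded to 0 exactly as at the old call site (presumably the reverse/direction flag — confirm against SFDAQInstance::inject); if a caller ever needs the other direction, `int inject(int rev = 0)` keeps the current callers unchanged. `daq_instance` is dereferenced without a null check, which is no worse than the old call site but is now a public method that any caller can reach.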
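Review bot: `TS_PKT_INJECT` is added without a trailing comment, while the PKT_* flags just above it each carry one (e.g. PKT_TCP_PSEUDO_EST). Document what actually sets it, which per packet.cc is the call itself rather than a successful injection: `#define TS_PKT_INJECT 0x02 // Packet::inject() has been called on this packet`.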
@@ -327,6 +328,12 @@ struct SO_PUBLIC Packet void clear_offloaded() { ts_packet_flags &= (~TS_PKT_OFFLOADED); } + bool is_pkt_injected() const + { return (ts_packet_flags & TS_PKT_INJECT) != 0; } + + void set_pkt_injected() + { ts_packet_flags |= TS_PKT_INJECT; } + bool has_parent() const { return (packet_flags & PKT_HAS_PARENT) != 0; } @@ -383,6 +390,8 @@ struct SO_PUBLIC Packet void set_pdu_section(PduSection pdu_sect) { sect = pdu_sect; } + int inject(); + private: bool allocated; }; diff --git a/src/protocols/test/decode_err_len_test.cc b/src/protocols/test/decode_err_len_test.cc index 53a97b747..8d7548b6f 100644 --- a/src/protocols/test/decode_err_len_test.cc +++ b/src/protocols/test/decode_err_len_test.cc @@ -30,6 +30,7 @@ #include "managers/codec_manager.h" #include "packet_io/packet_tracer.h" #include "packet_io/sfdaq.h" +#include "packet_io/sfdaq_instance.h" #include "profiler/profiler_defs.h" #include "stream/stream.h" #include "trace/trace_api.h" @@ -70,6 +71,7 @@ int layer::get_inner_ip_lyr_index(const Packet* const) { return 0; } int layer::get_inner_ip6_frag_index(const Packet* const) { return 0; } uint8_t Stream::get_flow_ttl(Flow*, char, bool) { return 0; } bool SFDAQ::forwarding_packet(const DAQ_PktHdr_t*) { return false; } +int SFDAQInstance::inject(_daq_msg const*, int, unsigned char const*, unsigned int) { return -1; } void sum_stats(PegCount*, PegCount*, unsigned, bool) {} IpsContext::IpsContext(unsigned): packet(nullptr), encode_packet(nullptr), pkth (nullptr), buf(nullptr), diff --git a/src/protocols/test/get_geneve_opt_test.cc b/src/protocols/test/get_geneve_opt_test.cc index 05093bd62..bc44c3069 100644 --- a/src/protocols/test/get_geneve_opt_test.cc +++ b/src/protocols/test/get_geneve_opt_test.cc @@ -23,6 +23,7 @@ #include "flow/expect_flow.h" #include "framework/api_options.h" +#include "packet_io/sfdaq_instance.h" #include "protocols/packet.h" #include "protocols/packet_manager.h" 
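Review bot: There is no `clear_pkt_injected()` to pair with `set_pkt_injected()`, whereas the neighbouring TS_PKT_OFFLOADED bit has `clear_offloaded()`. Whether ts_packet_flags is zeroed each time a Packet object is reused is not visible here; if it is not, the bit would persist into the next packet decoded into the same object and `is_pkt_injected()` would report a stale injection. Adding `void clear_pkt_injected() { ts_packet_flags &= (~TS_PKT_INJECT); }` keeps the accessor set symmetric and gives the per-packet reset path something to call. The Packet struct starts before this hunk.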
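Review bot: `int inject();` joins the SO_PUBLIC Packet interface with no comment, and neither its return convention nor its side effect on ts_packet_flags is obvious from the name. Suggest above the declaration: `// Inject the current wire packet (pkt/pktlen) through daq_instance; marks the packet as injected and returns the DAQ status (compare with DAQ_SUCCESS)`. The struct continues past the hunk.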
@@ -37,6 +38,7 @@ const char* PacketManager::get_proto_name(ProtocolId) { return nullptr; } const vlan::VlanTagHdr* layer::get_vlan_layer(const Packet*) { return nullptr; } const geneve::GeneveLyr* layer::get_geneve_layer(const Packet*, bool) { return nullptr; } void ip::IpApi::reset() {} +int SFDAQInstance::inject(_daq_msg const*, int, unsigned char const*, unsigned int) { return -1; } uint8_t PacketManager::max_layers = DEFAULT_LAYERMAX; diff --git a/src/service_inspectors/http2_inspect/test/http2_hpack_int_decode_test.cc b/src/service_inspectors/http2_inspect/test/http2_hpack_int_decode_test.cc index ef471ef7e..f57869ce5 100644 --- a/src/service_inspectors/http2_inspect/test/http2_hpack_int_decode_test.cc +++ b/src/service_inspectors/http2_inspect/test/http2_hpack_int_decode_test.cc @@ -27,6 +27,7 @@ using namespace Http2Enums; #include "../http2_hpack_int_decode.h" #include "../http2_varlen_int_decode_impl.h" +#include "packet_io/sfdaq_instance.h" #include #include @@ -36,6 +37,7 @@ namespace snort { // Stubs whose sole purpose is to make the test code link int DetectionEngine::queue_event(unsigned int, unsigned int) { return 0; } +int SFDAQInstance::inject(_daq_msg const*, int, unsigned char const*, unsigned int) { return -1; } } diff --git a/src/service_inspectors/http2_inspect/test/http2_hpack_string_decode_test.cc b/src/service_inspectors/http2_inspect/test/http2_hpack_string_decode_test.cc index e2c390fb7..608b153ff 100644 --- a/src/service_inspectors/http2_inspect/test/http2_hpack_string_decode_test.cc +++ b/src/service_inspectors/http2_inspect/test/http2_hpack_string_decode_test.cc @@ -32,6 +32,7 @@ using namespace Http2Enums; #include "../http2_varlen_string_decode_impl.h" #include "../../http_inspect/http_common.h" #include "../../http_inspect/http_enum.h" +#include "packet_io/sfdaq_instance.h" #include #include 
@@ -41,6 +42,7 @@ namespace snort { // Stubs whose sole purpose is to make the test code link int DetectionEngine::queue_event(unsigned int, unsigned int) { return 0; } +int SFDAQInstance::inject(_daq_msg const*, int, unsigned char const*, unsigned int) { return -1; } } using namespace HttpCommon; diff --git a/src/service_inspectors/http_inspect/test/http_uri_norm_test.cc b/src/service_inspectors/http_inspect/test/http_uri_norm_test.cc index 642dbb6ec..061597782 100755 --- a/src/service_inspectors/http_inspect/test/http_uri_norm_test.cc +++ b/src/service_inspectors/http_inspect/test/http_uri_norm_test.cc @@ -27,6 +27,7 @@ #include "log/messages.h" #include "main/thread_config.h" +#include "packet_io/sfdaq_instance.h" #include "service_inspectors/http_inspect/http_js_norm.h" #include "service_inspectors/http_inspect/http_uri_norm.h" @@ -54,6 +55,7 @@ void DecodeConfig::set_decompress_pdf(bool) {} void DecodeConfig::set_decompress_swf(bool) {} void DecodeConfig::set_decompress_zip(bool) {} void DecodeConfig::set_decompress_vba(bool) {} +int SFDAQInstance::inject(_daq_msg const*, int, unsigned char const*, unsigned int) { return -1; } SearchTool::~SearchTool() {} unsigned get_instance_id() { return 0; } diff --git a/src/stream/tcp/tcp_normalizer.cc b/src/stream/tcp/tcp_normalizer.cc index 853e27512..70deb56a3 100644 --- a/src/stream/tcp/tcp_normalizer.cc +++ b/src/stream/tcp/tcp_normalizer.cc @@ -121,6 +121,9 @@ bool TcpNormalizer::trim_payload(TcpNormalizerState&, TcpSegmentDescriptor& tsd, tsd.set_len(max); tsd.set_packet_flags(PKT_RESIZED); tsd.set_end_seq(tsd.get_end_seq() - fat); + if (stream_tcp_trace_enabled) + trace_logf(TRACE_WARNING_LEVEL, stream_tcp_trace, DEFAULT_TRACE_OPTION_ID, \ + tsd.get_pkt(), "stream_tcp: Packet resized, length set to %u bytes", max); return true; } return false; -- 2.47.2
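Review bot: The trailing backslash on the new `trace_logf(` line is a preprocessor line splice dropped into ordinary C++; an argument list already spans lines, so the stray `\` only confuses readers and formatters. Drop it: `trace_logf(TRACE_WARNING_LEVEL, stream_tcp_trace, DEFAULT_TRACE_OPTION_ID,` / `tsd.get_pkt(), "stream_tcp: Packet resized, length set to %u bytes", max);`. A reader tracing a trim usually also wants to know how much was cut, and `fat` is right there in the preceding line; consider appending `(%u bytes trimmed)` with `fat`, provided both `max` and `fat` are unsigned — their declarations are outside the hunk, so confirm before relying on `%u`. trim_payload() begins and ends outside this hunk.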