From 2e6014b15cc492cc15b65feac7daabc62d0f443d Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Thu, 21 Jun 2018 14:31:14 +0200
Subject: [PATCH] rust/smb: search for record on midstream start

Calls with both START and MIDSTREAM mean the record might be cut and the start of it could be missing. For this case, enable the same logic as is used when catching up after a GAP. Search for the start of the record instead of assuming it sits exactly at the start of the input data.
---
 rust/src/smb/smb.rs | 16 ++++++++++++++--
 src/app-layer-smb-tcp-rust.c | 4 ++--
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/rust/src/smb/smb.rs b/rust/src/smb/smb.rs
index 9f55bf358a..2e96e448e7 100644
--- a/rust/src/smb/smb.rs
+++ b/rust/src/smb/smb.rs
@@ -1720,12 +1720,18 @@ pub extern "C" fn rs_smb_parse_request_tcp(_flow: *mut Flow,
 _pstate: *mut libc::c_void,
 input: *mut libc::uint8_t,
 input_len: libc::uint32_t,
- _data: *mut libc::c_void)
+ _data: *mut libc::c_void,
+ flags: u8)
 -> libc::int8_t
 {
 let buf = unsafe{std::slice::from_raw_parts(input, input_len as usize)};
 SCLogDebug!("parsing {} bytes of request data", input_len);
 
+ /* START with MISTREAM set: record might be starting the middle. */
+ if flags & (STREAM_START|STREAM_MIDSTREAM) == (STREAM_START|STREAM_MIDSTREAM) {
+ state.ts_gap = true;
+ }
+
 if state.parse_tcp_data_ts(buf) == 0 {
 return 1;
 } else {
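Review bot: The new comment in rs_smb_parse_request_tcp misspells the flag name ("MISTREAM") and drops a word, and the same text is repeated in rs_smb_parse_response_tcp in the next hunk; I would write `/* START with MIDSTREAM set: the record might start in the middle of the input. */`. The bit test is correct in Rust because `&` binds tighter than `==`, but a reader used to C precedence will misread it, so explicit parentheses help: `if (flags & (STREAM_START|STREAM_MIDSTREAM)) == (STREAM_START|STREAM_MIDSTREAM) {`. Setting `ts_gap`/`tc_gap` here hands the first bytes of a midstream flow to the gap-recovery search, which is outside this hunk; presumably it locates a record by pattern in peer-controlled data, so it is worth confirming that a false match inside a cut record's payload is rejected by later length and field checks rather than trusted. Both function signatures begin above the visible lines and both bodies continue below them.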
@@ -1752,12 +1758,18 @@ pub extern "C" fn rs_smb_parse_response_tcp(_flow: *mut Flow,
 _pstate: *mut libc::c_void,
 input: *mut libc::uint8_t,
 input_len: libc::uint32_t,
- _data: *mut libc::c_void)
+ _data: *mut libc::c_void,
+ flags: u8)
 -> libc::int8_t
 {
 SCLogDebug!("parsing {} bytes of response data", input_len);
 let buf = unsafe{std::slice::from_raw_parts(input, input_len as usize)};
 
+ /* START with MISTREAM set: record might be starting the middle. */
+ if flags & (STREAM_START|STREAM_MIDSTREAM) == (STREAM_START|STREAM_MIDSTREAM) {
+ state.tc_gap = true;
+ }
+
 if state.parse_tcp_data_tc(buf) == 0 {
 return 1;
 } else {
diff --git a/src/app-layer-smb-tcp-rust.c b/src/app-layer-smb-tcp-rust.c
index e8df01cdb8..634e90dc2a 100644
--- a/src/app-layer-smb-tcp-rust.c
+++ b/src/app-layer-smb-tcp-rust.c
@@ -45,7 +45,7 @@ static int RustSMBTCPParseRequest(Flow *f, void *state,
 res = rs_smb_parse_request_tcp_gap(state, input_len);
 } else {
 res = rs_smb_parse_request_tcp(f, state, pstate, input, input_len,
- local_data);
+ local_data, flags);
 }
 if (res != 1) {
 SCLogNotice("SMB request%s of %u bytes, retval %d",
@@ -68,7 +68,7 @@ static int RustSMBTCPParseResponse(Flow *f, void *state,
 res = rs_smb_parse_response_tcp_gap(state, input_len);
 } else {
 res = rs_smb_parse_response_tcp(f, state, pstate, input, input_len,
- local_data);
+ local_data, flags);
 }
 if (res != 1) {
 SCLogNotice("SMB response%s of %u bytes, retval %d",
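Review bot: The call to rs_smb_parse_request_tcp in RustSMBTCPParseRequest now passes a seventh argument, but the C prototype for that function is not part of this patch, so the declaration the C side compiles against has to change in the same build. If that header is generated from the Rust source this happens automatically; otherwise a stale prototype would leave the call out of step with the `extern "C"` definition. The same applies to the rs_smb_parse_response_tcp call in RustSMBTCPParseResponse in the following hunk. A short comment at the call would also help, for example `/* flags forwarded so the parser can detect a midstream start */`. Both C functions start and end outside their hunks, so the declared type of `flags` is not visible here and should be checked against the `u8` on the Rust side.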