From 30be9f0b5d5870a7e65e6ea429aed3d5b4ca1f4b Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Mon, 12 Jun 2017 07:04:56 -0600
Subject: [PATCH] stream: don't do protocol detection on gap

A gap notification has no data. Also, break out the gap handling into its own code block to simplify the conditional statements.
---
 src/app-layer.c | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/src/app-layer.c b/src/app-layer.c
index 667363cd02..98a12ed94c 100644
--- a/src/app-layer.c
+++ b/src/app-layer.c
@@ -548,15 +548,26 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 alproto = f->alproto_tc;
 }
+ /* If a gap notification, relay the notification on to the
+ * app-layer if known. */
+ if (flags & STREAM_GAP) {
+ if (alproto == ALPROTO_UNKNOWN) {
+ StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream);
+ SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
+ } else {
+ PACKET_PROFILING_APP_START(app_tctx, f->alproto);
+ r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
+ flags, data, data_len);
+ PACKET_PROFILING_APP_END(app_tctx, f->alproto);
+ }
+ goto end;
+ }
+
 /* if we don't know the proto yet and we have received a stream
 * initializer message, we run proto detection.
 * We receive 2 stream init msgs (one for each direction) but we
 * only run the proto detection once. */
- if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_GAP)) {
- StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream);
- SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
-
- } else if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
+ if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
 /* run protocol detection */
 if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags) != 0) {
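Review bot: The new gap block branches on the direction-local `alproto` (set from `f->alproto_tc` just above) but passes `f->alproto` to `AppLayerParserParse` and the profiling macros, so the test and the call can disagree. If the flow-level protocol can already be known while this direction is still `ALPROTO_UNKNOWN` (not verifiable from the hunk), the gap is consumed by the first branch and the parser never learns that data is missing, leaving its state out of step with the stream and weakening inspection for the rest of the flow. Consider closing the first branch and guarding the relay with `if (f->alproto != ALPROTO_UNKNOWN) {` instead of `} else {`, or add a comment saying why the per-direction value is the right one to test. The function starts before the hunk and the `end` label lies outside it, so the value `r` carries on the unknown-protocol path should also be checked there.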