applayer: keep running detection on protocol change

ie do not stop on first try if we do not have enough data
5 years ago · 82f1758573
parent 21e741795d
commit 82f1758573
1 changed files with 12 additions and 2 deletions
--- a/src/app-layer.c
+++ b/src/app-layer.c
@ -635,10 +635,20 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
        AppLayerParserState *alparser = f->alparser;
        // we delay AppLayerParserStateCleanup because we may need previous parser state
        AppLayerProtoDetectReset(f);
+        StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->client);
+        StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->server);
        /* rerun protocol detection */
        int rd = TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags);
-        FlowUnsetChangeProtoFlag(f);
-        AppLayerParserStateProtoCleanup(f->protomap, f->alproto_orig, alstate_orig, alparser);
+        if (f->alproto == ALPROTO_UNKNOWN) {
+            // not enough data, revert AppLayerProtoDetectReset to rerun detection
+            f->alparser = alparser;
+            f->alproto = f->alproto_orig;
+            f->alproto_tc = f->alproto_orig;
+            f->alproto_ts = f->alproto_orig;
+        } else {
+            FlowUnsetChangeProtoFlag(f);
+            AppLayerParserStateProtoCleanup(f->protomap, f->alproto_orig, alstate_orig, alparser);
+        }
        if (rd != 0) {
            SCLogDebug("proto detect failure");
            f->alstate = NULL;