Make sure a stream that has a failing app layer inspection module no longer stops reassembly, but only app layer inspection. This way we can continue to inspect the reassembled stream.

src/app-layer-parser.c

@@ -794,8 +794,7 @@ int AppLayerParse(Flow *f, uint8_t proto, uint8_t flags, uint8_t *input,
         SCLogDebug("No App Layer Data");
         /* Nothing is there to clean up, so just return from here after setting
          * up the no reassembly flags */
-        StreamTcpSetSessionNoReassemblyFlag(ssn, flags & STREAM_TOCLIENT ? 1 : 0);
-        StreamTcpSetSessionNoReassemblyFlag(ssn, flags & STREAM_TOSERVER ? 1 : 0);
+        StreamTcpSetSessionNoApplayerInspectionFlag(ssn);
         SCReturnInt(-1);
     }
 
@@ -870,10 +869,9 @@ int AppLayerParse(Flow *f, uint8_t proto, uint8_t flags, uint8_t *input,
 
         /* Set the no reassembly flag for both the stream in this TcpSession */
         if (parser_state->flags & APP_LAYER_PARSER_NO_REASSEMBLY) {
-            StreamTcpSetSessionNoReassemblyFlag(ssn,
-                                               flags & STREAM_TOCLIENT ? 1 : 0);
-            StreamTcpSetSessionNoReassemblyFlag(ssn,
-                                               flags & STREAM_TOSERVER ? 1 : 0);
+            StreamTcpSetSessionNoReassemblyFlag(ssn, flags & STREAM_TOCLIENT ? 1 : 0);
+            StreamTcpSetSessionNoReassemblyFlag(ssn, flags & STREAM_TOSERVER ? 1 : 0);
+            StreamTcpSetSessionNoApplayerInspectionFlag(ssn);
         }
     }
 
@@ -893,8 +891,7 @@ int AppLayerParse(Flow *f, uint8_t proto, uint8_t flags, uint8_t *input,
 error:
     if (ssn != NULL) {
         /* Set the no reassembly flag for both the stream in this TcpSession */
-        StreamTcpSetSessionNoReassemblyFlag(ssn, flags & STREAM_TOCLIENT ? 1 : 0);
-        StreamTcpSetSessionNoReassemblyFlag(ssn, flags & STREAM_TOSERVER ? 1 : 0);
+        StreamTcpSetSessionNoApplayerInspectionFlag(ssn);
 
         if (f->src.family == AF_INET) {
             char src[16];
@@ -1302,7 +1299,7 @@ static void TestProtocolStateFree(void *s)
  */
 static int AppLayerParserTest01 (void)
 {
-    int result = 1;
+    int result = 0;
     Flow f;
     uint8_t testbuf[] = { 0x11 };
     uint32_t testlen = sizeof(testbuf);
@@ -1344,19 +1341,17 @@ static int AppLayerParserTest01 (void)
     int r = AppLayerParse(&f, ALPROTO_TEST, STREAM_TOSERVER|STREAM_EOF, testbuf,
                           testlen);
     if (r != -1) {
-        printf("returned %" PRId32 ", expected -1: \n", r);
-        result = 0;
+        printf("returned %" PRId32 ", expected -1: ", r);
         goto end;
     }
 
-    if (!(ssn.flags & STREAMTCP_FLAG_NOSERVER_REASSEMBLY) ||
-            !(ssn.flags & STREAMTCP_FLAG_NOCLIENT_REASSEMBLY))
+    if (!(ssn.flags & STREAMTCP_FLAG_NO_APPLAYER_INSPECTION))
     {
-        printf("flags should be set, but they are not !\n");
-        result = 0;
+        printf("flag should have been set, but is not: ");
         goto end;
     }
 
+    result = 1;
 end:
     StreamL7DataPtrFree(&ssn);
     StreamTcpFreeConfig(TRUE);

src/app-layer.c

@@ -124,6 +124,7 @@ int AppLayerHandleMsg(AlpProtoDetectThreadCtx *dp_ctx, StreamMsg *smsg)
     if (ssn != NULL) {
         alproto = ssn->alproto;
 
+        if (!(ssn->flags & STREAMTCP_FLAG_NO_APPLAYER_INSPECTION)) {
             /* if we don't know the proto yet and we have received a stream
              * initializer message, we run proto detection.
              * We receive 2 stream init msgs (one for each direction) but we
@@ -179,6 +180,7 @@ int AppLayerHandleMsg(AlpProtoDetectThreadCtx *dp_ctx, StreamMsg *smsg)
                     SCLogDebug(" smsg not start, but no l7 data? Weird");
                 }
             }
+        }
 
         /* put the smsg in the stream list */
         if (ssn->smsg_head == NULL) {

src/stream-tcp-private.h

@@ -125,6 +125,12 @@ enum
                                                              reassembly / app layer
                                                              inspection for the
                                                              client stream.*/
+#define STREAMTCP_FLAG_NO_APPLAYER_INSPECTION   0x2000  /**< don't send any more
+                                                             data to the app layer
+                                                             parser, but still
+                                                             reassemble for raw
+                                                             reassembled data
+                                                             inspection */
 
 #define SEGMENTTCP_FLAG_PROCESSED               0x01    /**< Flag to indicate
                                                              that the current

src/stream-tcp-reassemble.h

@@ -69,7 +69,9 @@ void StreamTcpCreateTestPacket(uint8_t *, uint8_t, uint8_t, uint8_t);
 void StreamL7DataPtrInit(TcpSession *);
 void StreamL7DataPtrFree(TcpSession *);
 
+void StreamTcpSetSessionNoApplayerInspectionFlag(TcpSession *);
 void StreamTcpSetSessionNoReassemblyFlag (TcpSession *, char );
+
 void StreamTcpSetOSPolicy(TcpStream *, Packet *);
 void StreamTcpReassemblePause (TcpSession *, char );
 void StreamTcpReassembleUnPause (TcpSession *, char );

src/stream-tcp.c

@@ -2926,13 +2926,21 @@ static int ValidTimestamp (TcpSession *ssn, Packet *p)
  * \param ssn TCP Session to set the flag in
  * \param direction direction to set the flag in: 0 toserver, 1 toclient
  */
-
 void StreamTcpSetSessionNoReassemblyFlag (TcpSession *ssn, char direction)
 {
     direction ? (ssn->flags |= STREAMTCP_FLAG_NOSERVER_REASSEMBLY) :
                 (ssn->flags |= STREAMTCP_FLAG_NOCLIENT_REASSEMBLY);
 }
 
+/** \brief  Set the No applayer inspection flag for the TCP session.
+ *
+ * \param ssn TCP Session to set the flag in
+ */
+void StreamTcpSetSessionNoApplayerInspectionFlag (TcpSession *ssn)
+{
+    ssn->flags |= STREAMTCP_FLAG_NO_APPLAYER_INSPECTION;
+}
+
 #ifdef UNITTESTS
 
 /**