From 1ba62993d5fc6ac6fa880bdad835a83e12d6fa49 Mon Sep 17 00:00:00 2001
From: Sascha Steinbiss
Date: Tue, 8 Mar 2022 23:18:36 +0100
Subject: [PATCH] mqtt: raise event on parse error
---
rules/mqtt-events.rules | 1 +
rust/src/mqtt/mqtt.rs | 27 ++++++++++++++++++++++++---
2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/rules/mqtt-events.rules b/rules/mqtt-events.rules
index 93d830ae0e..57b5821d8b 100644
--- a/rules/mqtt-events.rules
+++ b/rules/mqtt-events.rules
@@ -14,3 +14,4 @@ alert mqtt any any -> any any (msg:"SURICATA MQTT invalid QOS level"; app-layer-
 alert mqtt any any -> any any (msg:"SURICATA MQTT missing message ID"; app-layer-event:mqtt.missing_msg_id; classtype:protocol-command-decode; sid:2229007; rev:1;)
 alert mqtt any any -> any any (msg:"SURICATA MQTT unassigned message type (0 or >15)"; app-layer-event:mqtt.unassigned_msg_type; classtype:protocol-command-decode; sid:2229008; rev:1;)
 alert mqtt any any -> any any (msg:"SURICATA MQTT too many transactions"; app-layer-event:mqtt.too_many_transactions; classtype:protocol-command-decode; sid:2229009; rev:1;)
+alert mqtt any any -> any any (msg:"SURICATA MQTT malformed traffic"; app-layer-event:mqtt.malformed_traffic; classtype:protocol-command-decode; sid:2229010; rev:1;)
diff --git a/rust/src/mqtt/mqtt.rs b/rust/src/mqtt/mqtt.rs
index 8ebde8e041..c4600979a3 100644
--- a/rust/src/mqtt/mqtt.rs
+++ b/rust/src/mqtt/mqtt.rs
@@ -52,6 +52,7 @@ pub enum MQTTEvent {
 MissingMsgId,
 UnassignedMsgType,
 TooManyTransactions,
+ MalformedTraffic,
 }

 #[derive(Debug)]
@@ -69,7 +70,13 @@ pub struct MQTTTransaction {

 impl MQTTTransaction {
 pub fn new(msg: MQTTMessage) -> MQTTTransaction {
- let mut m = MQTTTransaction {
+ let mut m = MQTTTransaction::new_empty();
+ m.msg.push(msg);
+ return m;
+ }
+
+ pub fn new_empty() -> MQTTTransaction {
+ return MQTTTransaction {
 tx_id: 0,
 pkt_id: None,
 complete: false,
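Review bot: `new_empty()` in the @@ -69 hunk is declared `pub` and has no doc comment, yet it returns a transaction whose `msg` vector is empty, a state that `new()` never produced before this change. Any consumer of `MQTTTransaction` that assumes at least one message (logging or detection code, not visible here) should be checked to iterate over `msg` rather than index into it. I would narrow the visibility if nothing outside the module calls it and document the contract, e.g. `/// Builds a transaction with no messages; used to attach events to input that could not be parsed.` The struct literal inside `new_empty()` continues past the end of this hunk.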
@@ -79,8 +86,6 @@ impl MQTTTransaction {
 toserver: false,
 tx_data: applayer::AppLayerTxData::new(),
 };
- m.msg.push(msg);
- return m;
 }
 }

@@ -457,6 +462,7 @@ impl MQTTState {
 return AppLayerResult::incomplete(consumed as u32, (current.len() + 1) as u32);
 }
 Err(_) => {
+ self.set_event_notx(MQTTEvent::MalformedTraffic, false);
 return AppLayerResult::err();
 }
 }
@@ -514,6 +520,7 @@ impl MQTTState {
 return AppLayerResult::incomplete(consumed as u32, (current.len() + 1) as u32);
 }
 Err(_) => {
+ self.set_event_notx(MQTTEvent::MalformedTraffic, true);
 return AppLayerResult::err();
 }
 }
@@ -525,6 +532,20 @@ impl MQTTState {
 fn set_event(tx: &mut MQTTTransaction, event: MQTTEvent) {
 tx.tx_data.set_event(event as u8);
 }
+
+ fn set_event_notx(&mut self, event: MQTTEvent, toclient: bool) {
+ let mut tx = MQTTTransaction::new_empty();
+ self.tx_id += 1;
+ tx.tx_id = self.tx_id;
+ if toclient {
+ tx.toclient = true;
+ } else {
+ tx.toserver = true;
+ }
+ tx.complete = true;
+ tx.tx_data.set_event(event as u8);
+ self.transactions.push(tx);
+ }
 }

 // C exports.
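Review bot: The direction is passed as a bare `false` in the @@ -457 hunk and a bare `true` in the matching `Err(_)` arm of the @@ -514 hunk, so a swapped value would attach the `MalformedTraffic` event to the wrong direction with nothing at the call site to reveal it. A short comment at each call would make the intent checkable, e.g. `// request path: event goes on a to-server transaction` and the to-client counterpart. Both arms also discard the parser error via `Err(_)`, so the alert is the only trace of what failed; a debug-level log of the error would help when triaging these alerts. The enclosing `match` blocks start outside both hunks.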
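Review bot: `set_event_notx()` in the @@ -525 hunk pushes straight onto `self.transactions`, so it does not pass through whatever check raises `TooManyTransactions`. That check is not visible in this diff, so please confirm the cap still holds on this path, or that it cannot matter because both callers return `AppLayerResult::err()` immediately afterwards. The id and direction setup also appears to repeat the normal transaction-creation path elsewhere in `impl MQTTState`; sharing that code would keep the two from drifting apart. A doc comment is missing as well, e.g. `/// Records an event when no message could be parsed, by appending a completed transaction that carries no messages.` The `impl MQTTState` block starts outside the hunk.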