rust/dns/tcp - probe even if payload is short

As the DNS probe just uses the query portion of a response, don't require there to be as many bytes as specified in the TCP DNS header. This can occur in large responses where probe is called without all the data. Fixes the cases where the app proto is recorded as failed. Fixes issue: https://redmine.openinfosecfoundation.org/issues/2169
8 years ago · 3063851d85
parent 74f4f6dd63
commit 3063851d85
1 changed files with 2 additions and 4 deletions
--- a/rust/src/dns/dns.rs
+++ b/rust/src/dns/dns.rs
@ -545,10 +545,8 @@ fn probe(input: &[u8]) -> bool {
 /// Probe TCP input to see if it looks like DNS.
 pub fn probe_tcp(input: &[u8]) -> bool {
    match nom::be_u16(input) {
-        nom::IResult::Done(rem, len) => {
-            if rem.len() >= len as usize {
-                return probe(rem);
-            }
+        nom::IResult::Done(rem, _) => {
+            return probe(rem);
        },
        _ => {}
    }