app-layer: fix progress tracking

Esp in combination with GAPs and proto detection.
5 years ago · 9b1f0656d0
parent acef21b759
commit 9b1f0656d0
2 changed files with 19 additions and 3 deletions
--- a/src/app-layer-parser.c
+++ b/src/app-layer-parser.c
@ -1179,7 +1179,8 @@ void AppLayerParserSetTxDetectFlags(uint8_t ipproto, AppProto alproto, void *tx,
 /***** General *****/

 /** \retval int -1 in case of unrecoverable error. App-layer tracking stops for this flow.
- *  \retval int 0 ok */
+ *  \retval int 0 ok: we did not update app_progress
+ *  \retval int 1 ok: we updated app_progress */
 int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto,
                        uint8_t flags, const uint8_t *input, uint32_t input_len)
 {
@ -1327,9 +1328,10 @@ int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow

 end:
    /* update app progress */
-    if (f->proto == IPPROTO_TCP && f->protoctx != NULL) {
+    if (consumed != input_len && f->proto == IPPROTO_TCP && f->protoctx != NULL) {
        TcpSession *ssn = f->protoctx;
        StreamTcpUpdateAppLayerProgress(ssn, direction, consumed);
+        SCReturnInt(1);
    }

    SCReturnInt(0);
--- a/src/app-layer.c
+++ b/src/app-layer.c
@ -302,6 +302,7 @@ static int TCPProtoDetect(ThreadVars *tv,
 {
    AppProto *alproto;
    AppProto *alproto_otherdir;
+    int direction = (flags & STREAM_TOSERVER) ? 0 : 1;

    if (flags & STREAM_TOSERVER) {
        alproto = &f->alproto_ts;
@ -367,6 +368,7 @@ static int TCPProtoDetect(ThreadVars *tv,
            } else {
                *stream = &ssn->client;
            }
+            direction = 1 - direction;
        }

        /* account flow if we have both sides */
@ -446,8 +448,11 @@ static int TCPProtoDetect(ThreadVars *tv,
        int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
                flags, data, data_len);
        PACKET_PROFILING_APP_END(app_tctx, f->alproto);
-        if (r < 0)
+        if (r < 0) {
            goto failure;
+        } else if (r == 0) {
+            StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
+        }
    } else {
        /* if the ssn is midstream, we may end up with a case where the
         * start of an HTTP request is missing. We won't detect HTTP based
@ -516,6 +521,9 @@ static int TCPProtoDetect(ThreadVars *tv,
                            f->alproto, flags,
                            data, data_len);
                    PACKET_PROFILING_APP_END(app_tctx, f->alproto);
+                    if (r == 0) {
+                        StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
+                    }

                    AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
                            APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION);
@ -575,6 +583,8 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
        goto end;
    }

+    const int direction = (flags & STREAM_TOSERVER) ? 0 : 1;
+
    if (flags & STREAM_TOSERVER) {
        alproto = f->alproto_ts;
    } else {
@ -597,6 +607,7 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
                flags, data, data_len);
        PACKET_PROFILING_APP_END(app_tctx, f->alproto);
        /* ignore parser result for gap */
+        StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
        goto end;
    }

@ -654,6 +665,9 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
            r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
                                    flags, data, data_len);
            PACKET_PROFILING_APP_END(app_tctx, f->alproto);
+            if (r == 0) {
+                StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
+            }
        }
    }