From aa986786621d7c722eac822a3fd1ae4f703209b8 Mon Sep 17 00:00:00 2001
From: Jason Ish <ish@unx.ca>
Date: Thu, 13 Sep 2018 13:09:20 -0600
Subject: [PATCH] defrag: remove fragments that have complete overlap

Instead of just marking fragments that have been completely
overlapped and won't be part of the assembled packet, remove
them from the fragment tree when detected.
---
 src/defrag.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/defrag.c b/src/defrag.c
index cb9fee2dce..317e3dcba0 100644
--- a/src/defrag.c
+++ b/src/defrag.c
@@ -298,7 +298,7 @@ Defrag4Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p)
 
         if (frag->skip)
             continue;
-        if (frag->data_len - frag->ltrim <= 0)
+        if (frag->ltrim >= frag->data_len)
             continue;
         if (frag->offset == 0) {
 
@@ -779,10 +779,23 @@ DefragInsertFrag(ThreadVars *tv, DecodeThreadVars *dtv, DefragTracker *tracker,
             if (next != NULL) {
                 next = IP_FRAGMENTS_RB_NEXT(next);
             }
+            continue;
+
+        insert:
+            /* If existing fragment has been trimmed up completely
+             * (complete overlap), remove it now instead of holding
+             * onto it. */
+            if (prev->skip || prev->ltrim >= prev->data_len) {
+                RB_REMOVE(IP_FRAGMENTS, &tracker->fragment_tree, prev);
+                DefragFragReset(prev);
+                SCMutexLock(&defrag_context->frag_pool_lock);
+                PoolReturn(defrag_context->frag_pool, prev);
+                SCMutexUnlock(&defrag_context->frag_pool_lock);
+            }
+            break;
         }
     }
 
-insert:
     if (ltrim > data_len) {
         /* Full packet has been trimmed due to the overlap policy. Overlap
          * already set. */