suricata
stream-tcp-list.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2023 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /** \file
19  *
20  * Segment list functions for insertions, overlap handling, removal and
21  * more.
22  */
23 
24 #include "suricata-common.h"
25 #include "rust.h"
26 #include "stream-tcp-private.h"
27 #include "stream-tcp.h"
28 #include "stream-tcp-reassemble.h"
29 #include "stream-tcp-inline.h"
30 #include "stream-tcp-list.h"
31 #include "util-streaming-buffer.h"
32 #include "util-print.h"
33 #include "util-validate.h"
34 #include "app-layer-frames.h"
35 
36 static void StreamTcpRemoveSegmentFromStream(TcpStream *stream, TcpSegment *seg);
37 
38 static int check_overlap_different_data = 0;
39 
41 {
42  check_overlap_different_data = 1;
43 }
44 
45 /*
46  * Inserts and overlap handling
47  */
48 
50 
51 int TcpSegmentCompare(struct TcpSegment *a, struct TcpSegment *b)
52 {
53  if (SEQ_GT(a->seq, b->seq))
54  return 1;
55  else if (SEQ_LT(a->seq, b->seq))
56  return -1;
57  else {
58  if (a->payload_len == b->payload_len)
59  return 0;
60  else if (a->payload_len > b->payload_len)
61  return 1;
62  else
63  return -1;
64  }
65 }
66 
67 /** \internal
68  * \brief insert segment data into the streaming buffer
69  * \param seg segment to store stream offset in
70  * \param data segment data after overlap handling (if any)
71  * \param data_len data length
72  *
73  * \return 0 on success
74  * \return -1 on error (memory allocation error)
75  */
76 static inline int InsertSegmentDataCustom(TcpStream *stream, TcpSegment *seg, uint8_t *data, uint16_t data_len)
77 {
78  uint64_t stream_offset;
79  uint32_t data_offset;
80 
81  if (likely(SEQ_GEQ(seg->seq, stream->base_seq))) {
82  stream_offset = STREAM_BASE_OFFSET(stream) + (seg->seq - stream->base_seq);
83  data_offset = 0;
84  } else {
85  /* segment is partly before base_seq */
86  data_offset = stream->base_seq - seg->seq;
88  }
89 
90  SCLogDebug("stream %p buffer %p, stream_offset %"PRIu64", "
91  "data_offset %"PRIu16", SEQ %u BASE %u, data_len %u",
92  stream, &stream->sb, stream_offset,
93  data_offset, seg->seq, stream->base_seq, data_len);
94  DEBUG_VALIDATE_BUG_ON(data_offset > data_len);
95  if (data_len <= data_offset) {
96  SCReturnInt(0);
97  }
98 
99  int ret = StreamingBufferInsertAt(&stream->sb, &stream_config.sbcnf, &seg->sbseg,
100  data + data_offset, data_len - data_offset, stream_offset);
101  if (ret != 0) {
102  /* StreamingBufferInsertAt can return -2 only if the offset is wrong, which should be
103  * impossible in this path. */
104  DEBUG_VALIDATE_BUG_ON(ret != -1);
105  SCReturnInt(-1);
106  }
107 #ifdef DEBUG
108  {
109  const uint8_t *mydata;
110  uint32_t mydata_len;
111  uint64_t mydata_offset;
112  StreamingBufferGetData(&stream->sb, &mydata, &mydata_len, &mydata_offset);
113 
114  SCLogDebug("stream %p seg %p data in buffer %p of len %u and offset %"PRIu64,
115  stream, seg, &stream->sb, mydata_len, mydata_offset);
116  //PrintRawDataFp(stdout, mydata, mydata_len);
117  }
118 #endif
119  SCReturnInt(0);
120 }
121 
122 /** \internal
123  * \brief check if this segments overlaps with an in-tree seg.
124  * \retval true
125  * \retval false
126  */
127 static inline bool CheckOverlap(struct TCPSEG *tree, TcpSegment *seg)
128 {
129  const uint32_t re = SEG_SEQ_RIGHT_EDGE(seg);
130  SCLogDebug("start. SEQ %u payload_len %u. Right edge: %u. Seg %p",
131  seg->seq, seg->payload_len, re, seg);
132 
133  /* check forward */
134  TcpSegment *next = TCPSEG_RB_NEXT(seg);
135  if (next) {
136  // next has same seq, so data must overlap
137  if (SEQ_EQ(next->seq, seg->seq))
138  return true;
139  // our right edge is beyond next seq, overlap
140  if (SEQ_GT(re, next->seq))
141  return true;
142  }
143  /* check backwards */
144  TcpSegment *prev = TCPSEG_RB_PREV(seg);
145  if (prev) {
146  // prev has same seq, so data must overlap
147  if (SEQ_EQ(prev->seq, seg->seq))
148  return true;
149  // prev's right edge is beyond our seq, overlap
150  const uint32_t prev_re = SEG_SEQ_RIGHT_EDGE(prev);
151  if (SEQ_GT(prev_re, seg->seq))
152  return true;
153  }
154 
155  SCLogDebug("no overlap");
156  return false;
157 }
158 
159 /** \internal
160  * \brief insert the segment into the proper place in the tree
161  * don't worry about the data or overlaps
162  *
163  * \retval 2 not inserted, data overlap
164  * \retval 1 inserted with overlap detected
165  * \retval 0 inserted, no overlap
166  * \retval -EINVAL seg out of seq range
167  */
168 static int DoInsertSegment (TcpStream *stream, TcpSegment *seg, TcpSegment **dup_seg, Packet *p)
169 {
170  /* in lossy traffic, we can get here with the wrong sequence numbers */
171  if (SEQ_LEQ(SEG_SEQ_RIGHT_EDGE(seg), stream->base_seq)) {
172  return -EINVAL;
173  }
174 
175  /* fast track */
176  if (RB_EMPTY(&stream->seg_tree)) {
177  SCLogDebug("empty tree, inserting seg %p seq %" PRIu32 ", "
178  "len %" PRIu32 "", seg, seg->seq, TCP_SEG_LEN(seg));
179  TCPSEG_RB_INSERT(&stream->seg_tree, seg);
180  stream->segs_right_edge = SEG_SEQ_RIGHT_EDGE(seg);
181  return 0;
182  }
183 
184  /* insert and then check if there was any overlap with other segments */
185  TcpSegment *res = TCPSEG_RB_INSERT(&stream->seg_tree, seg);
186  if (res) {
187  SCLogDebug("seg has a duplicate in the tree seq %u/%u",
188  res->seq, res->payload_len);
189  /* exact duplicate SEQ + payload_len */
190  *dup_seg = res;
191  return 2; // duplicate has overlap by definition.
192  } else {
193  if (SEQ_GT(SEG_SEQ_RIGHT_EDGE(seg), stream->segs_right_edge))
194  stream->segs_right_edge = SEG_SEQ_RIGHT_EDGE(seg);
195 
196  /* insert succeeded, now check if we overlap with someone */
197  if (CheckOverlap(&stream->seg_tree, seg) == true) {
198  SCLogDebug("seg %u has overlap in the tree", seg->seq);
199  return 1;
200  }
201  }
202  SCLogDebug("seg %u: no overlap", seg->seq);
203  return 0;
204 }
205 
206 /** \internal
207  * \brief handle overlap per list segment
208  *
209  * For a list segment handle the overlap according to the policy.
210  *
211  * The 'buf' parameter points to the memory that will be inserted into
212  * the stream after the overlap checks are complete. As it will
213  * unconditionally overwrite whats in the stream now, the overlap
214  * policies are applied to this buffer. It starts with the 'new' data,
215  * so when the policy states 'old' data has to be used, 'buf' is
216  * updated to contain the 'old' data here.
217  *
218  * \param buf stack allocated buffer sized p->payload_len that will be
219  * inserted into the stream buffer
220  *
221  * \retval 1 if data was different
222  * \retval 0 data was the same or we didn't check for differences
223  */
224 static int DoHandleDataOverlap(TcpStream *stream, const TcpSegment *list,
225  const TcpSegment *seg, uint8_t *buf, Packet *p)
226 {
227  SCLogDebug("handle overlap for segment %p seq %u len %u re %u, "
228  "list segment %p seq %u len %u re %u", seg, seg->seq,
230  list, list->seq, TCP_SEG_LEN(list), SEG_SEQ_RIGHT_EDGE(list));
231 
232  int data_is_different = 0;
233  int use_new_data = 0;
234 
235  if (StreamTcpInlineMode()) {
236  SCLogDebug("inline mode");
237  if (StreamTcpInlineSegmentCompare(stream, p, list) != 0) {
238  SCLogDebug("already accepted data not the same as packet data, rewrite packet");
239  StreamTcpInlineSegmentReplacePacket(stream, p, list);
240  data_is_different = 1;
241 
242  /* in inline mode we check for different data unconditionally,
243  * but setting events still depends on config */
244  if (check_overlap_different_data) {
246  }
247  }
248 
249  /* IDS mode */
250  } else {
251  if (check_overlap_different_data) {
252  if (StreamTcpInlineSegmentCompare(stream, p, list) != 0) {
253  SCLogDebug("data is different from what is in the list");
254  data_is_different = 1;
255  }
256  } else {
257  /* if we're not checking, assume it's different */
258  data_is_different = 1;
259  }
260 
261  /* apply overlap policies */
262 
263  if (stream->os_policy == OS_POLICY_LAST) {
264  /* buf will start with LAST data (from the segment),
265  * so if policy is LAST we're now done here. */
266  return (check_overlap_different_data && data_is_different);
267  }
268 
269  /* start at the same seq */
270  if (SEQ_EQ(seg->seq, list->seq)) {
271  SCLogDebug("seg starts at list segment");
272 
273  if (SEQ_LT(SEG_SEQ_RIGHT_EDGE(seg), SEG_SEQ_RIGHT_EDGE(list))) {
274  SCLogDebug("seg ends before list end, end overlapped by list");
275  } else {
276  if (SEQ_GT(SEG_SEQ_RIGHT_EDGE(seg), SEG_SEQ_RIGHT_EDGE(list))) {
277  SCLogDebug("seg ends beyond list end, list overlapped and more");
278  switch (stream->os_policy) {
279  case OS_POLICY_LINUX:
280  if (data_is_different) {
281  use_new_data = 1;
282  }
283  break;
284  }
285  } else {
286  SCLogDebug("full overlap");
287  }
288 
289  switch (stream->os_policy) {
290  case OS_POLICY_OLD_LINUX:
291  case OS_POLICY_SOLARIS:
292  case OS_POLICY_HPUX11:
293  if (data_is_different) {
294  use_new_data = 1;
295  }
296  break;
297  }
298  }
299 
300  /* new seg starts before list segment */
301  } else if (SEQ_LT(seg->seq, list->seq)) {
302  SCLogDebug("seg starts before list segment");
303 
304  if (SEQ_LT(SEG_SEQ_RIGHT_EDGE(seg), SEG_SEQ_RIGHT_EDGE(list))) {
305  SCLogDebug("seg ends before list end, end overlapped by list");
306  } else {
307  if (SEQ_GT(SEG_SEQ_RIGHT_EDGE(seg), SEG_SEQ_RIGHT_EDGE(list))) {
308  SCLogDebug("seg starts before and fully overlaps list and beyond");
309  } else {
310  SCLogDebug("seg starts before and fully overlaps list");
311  }
312 
313  switch (stream->os_policy) {
314  case OS_POLICY_SOLARIS:
315  case OS_POLICY_HPUX11:
316  if (data_is_different) {
317  use_new_data = 1;
318  }
319  break;
320  }
321  }
322 
323  switch (stream->os_policy) {
324  case OS_POLICY_BSD:
325  case OS_POLICY_HPUX10:
326  case OS_POLICY_IRIX:
327  case OS_POLICY_WINDOWS:
329  case OS_POLICY_OLD_LINUX:
330  case OS_POLICY_LINUX:
331  case OS_POLICY_MACOS:
332  if (data_is_different) {
333  use_new_data = 1;
334  }
335  break;
336  }
337 
338  /* new seg starts after list segment */
339  } else { //if (SEQ_GT(seg->seq, list->seq)) {
340  SCLogDebug("seg starts after list segment");
341 
342  if (SEQ_EQ(SEG_SEQ_RIGHT_EDGE(seg), SEG_SEQ_RIGHT_EDGE(list))) {
343  SCLogDebug("seg after and is fully overlapped by list");
344  } else if (SEQ_GT(SEG_SEQ_RIGHT_EDGE(seg), SEG_SEQ_RIGHT_EDGE(list))) {
345  SCLogDebug("seg starts after list and ends after list");
346 
347  switch (stream->os_policy) {
348  case OS_POLICY_SOLARIS:
349  case OS_POLICY_HPUX11:
350  if (data_is_different) {
351  use_new_data = 1;
352  }
353  break;
354  }
355  } else {
356  SCLogDebug("seg starts after list and ends before list end");
357 
358  }
359  }
360  }
361 
362  SCLogDebug("data_is_different %s, use_new_data %s",
363  data_is_different ? "yes" : "no",
364  use_new_data ? "yes" : "no");
365 
366  /* if the data is different and we don't want to use the new (seg)
367  * data, we have to update buf with the list data */
368  if (data_is_different && !use_new_data) {
369  /* we need to copy list into seg */
370  uint32_t list_offset = 0;
371  uint32_t seg_offset = 0;
372  uint32_t list_len;
373  uint16_t seg_len = p->payload_len;
374  uint32_t list_seq = list->seq;
375 
376  const uint8_t *list_data;
377  StreamingBufferSegmentGetData(&stream->sb, &list->sbseg, &list_data, &list_len);
378  DEBUG_VALIDATE_BUG_ON(list_len > USHRT_MAX);
379  if (list_data == NULL || list_len == 0 || list_len > USHRT_MAX)
380  return 0;
381 
382  /* if list seg is partially before base_seq, list_len (from stream) and
383  * TCP_SEG_LEN(list) will not be the same */
384  if (SEQ_GEQ(list->seq, stream->base_seq)) {
385  ;
386  } else {
387  list_seq = stream->base_seq;
388  list_len = SEG_SEQ_RIGHT_EDGE(list) - stream->base_seq;
389  }
390 
391  if (SEQ_LT(seg->seq, list_seq)) {
392  seg_offset = list_seq - seg->seq;
393  seg_len -= seg_offset;
394  } else if (SEQ_GT(seg->seq, list_seq)) {
395  list_offset = seg->seq - list_seq;
396  list_len -= list_offset;
397  }
398 
399  if (SEQ_LT(seg->seq + seg_offset + seg_len, list_seq + list_offset + list_len)) {
400  list_len -= (list_seq + list_offset + list_len) - (seg->seq + seg_offset + seg_len);
401  }
402  SCLogDebug("here goes nothing: list %u %u, seg %u %u", list_offset, list_len, seg_offset, seg_len);
403 
404  //PrintRawDataFp(stdout, list_data + list_offset, list_len);
405  //PrintRawDataFp(stdout, buf + seg_offset, seg_len);
406 
407  memcpy(buf + seg_offset, list_data + list_offset, list_len);
408  //PrintRawDataFp(stdout, buf, p->payload_len);
409  }
410  return (check_overlap_different_data && data_is_different);
411 }
412 
413 /** \internal
414  * \brief walk segment tree backwards to see if there are overlaps
415  *
416  * Walk back from the current segment which is already in the tree.
417  * We walk until we can't possibly overlap anymore.
418  */
419 static int DoHandleDataCheckBackwards(TcpStream *stream,
420  TcpSegment *seg, uint8_t *buf, Packet *p)
421 {
422  int retval = 0;
423 
424  SCLogDebug("check tree backwards: insert data for segment %p seq %u len %u re %u",
425  seg, seg->seq, TCP_SEG_LEN(seg), SEG_SEQ_RIGHT_EDGE(seg));
426 
427  /* check backwards */
428  TcpSegment *tree_seg = NULL, *s = seg;
429  RB_FOREACH_REVERSE_FROM(tree_seg, TCPSEG, s) {
430  if (tree_seg == seg)
431  continue;
432 
433  int overlap = 0;
434  if (SEQ_LEQ(SEG_SEQ_RIGHT_EDGE(tree_seg), stream->base_seq)) {
435  // segment entirely before base_seq
436  ;
437  } else if (SEQ_LEQ(tree_seg->seq + tree_seg->payload_len, seg->seq)) {
438  SCLogDebug("list segment too far to the left, no more overlap will be found");
439  break;
440  } else if (SEQ_GT(SEG_SEQ_RIGHT_EDGE(tree_seg), seg->seq)) {
441  overlap = 1;
442  }
443 
444  SCLogDebug("(back) tree seg %u len %u re %u overlap? %s",
445  tree_seg->seq, TCP_SEG_LEN(tree_seg),
446  SEG_SEQ_RIGHT_EDGE(tree_seg), overlap ? "yes" : "no");
447 
448  if (overlap) {
449  retval |= DoHandleDataOverlap(stream, tree_seg, seg, buf, p);
450  }
451  }
452  return retval;
453 }
454 
455 /** \internal
456  * \brief walk segment tree in forward direction to see if there are overlaps
457  *
458  * Walk forward from the current segment which is already in the tree.
459  * We walk until the next segs start with a SEQ beyond our right edge.
460  *
461  * \retval 1 data was different
462  * \retval 0 data was the same
463  */
464 static int DoHandleDataCheckForward(TcpStream *stream,
465  TcpSegment *seg, uint8_t *buf, Packet *p)
466 {
467  int retval = 0;
468 
469  uint32_t seg_re = SEG_SEQ_RIGHT_EDGE(seg);
470 
471  SCLogDebug("check list forward: insert data for segment %p seq %u len %u re %u",
472  seg, seg->seq, TCP_SEG_LEN(seg), seg_re);
473 
474  TcpSegment *tree_seg = NULL, *s = seg;
475  RB_FOREACH_FROM(tree_seg, TCPSEG, s) {
476  if (tree_seg == seg)
477  continue;
478 
479  int overlap = 0;
480  if (SEQ_GT(seg_re, tree_seg->seq))
481  overlap = 1;
482  else if (SEQ_LEQ(seg_re, tree_seg->seq)) {
483  SCLogDebug("tree segment %u too far ahead, "
484  "no more overlaps can happen", tree_seg->seq);
485  break;
486  }
487 
488  SCLogDebug("(fwd) in-tree seg %u len %u re %u overlap? %s",
489  tree_seg->seq, TCP_SEG_LEN(tree_seg),
490  SEG_SEQ_RIGHT_EDGE(tree_seg), overlap ? "yes" : "no");
491 
492  if (overlap) {
493  retval |= DoHandleDataOverlap(stream, tree_seg, seg, buf, p);
494  }
495  }
496  return retval;
497 }
498 
499 /**
500  * \param tree_seg in-tree duplicate of `seg`
501  * \retval res 0 ok, -1 insertion error due to memcap
502  */
503 static int DoHandleData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
504  TcpStream *stream, TcpSegment *seg, TcpSegment *tree_seg, Packet *p)
505 {
506  int result = 0;
507  TcpSegment *handle = seg;
508 
509  SCLogDebug("insert data for segment %p seq %u len %u re %u",
510  seg, seg->seq, TCP_SEG_LEN(seg), SEG_SEQ_RIGHT_EDGE(seg));
511 
512  /* create temporary buffer to contain the data we will insert. Overlap
513  * handling may update it. By using this we don't have to track whether
514  * parts of the data are already inserted or not. */
515  uint8_t buf[p->payload_len];
516  memcpy(buf, p->payload, p->payload_len);
517 
518  /* if tree_seg is set, we have an exact duplicate that we need to check */
519  if (tree_seg) {
520  DoHandleDataOverlap(stream, tree_seg, seg, buf, p);
521  handle = tree_seg;
522  }
523 
524  const bool is_head = !(TCPSEG_RB_PREV(handle));
525  const bool is_tail = !(TCPSEG_RB_NEXT(handle));
526 
527  /* new list head */
528  if (is_head && !is_tail) {
529  result = DoHandleDataCheckForward(stream, handle, buf, p);
530 
531  /* new list tail */
532  } else if (!is_head && is_tail) {
533  result = DoHandleDataCheckBackwards(stream, handle, buf, p);
534 
535  /* middle of the list */
536  } else if (!is_head && !is_tail) {
537  result = DoHandleDataCheckBackwards(stream, handle, buf, p);
538  result |= DoHandleDataCheckForward(stream, handle, buf, p);
539  }
540 
541  /* we had an overlap with different data */
542  if (result) {
545  }
546 
547  /* insert the temp buffer now that we've (possibly) updated
548  * it to account for the overlap policies */
549  int res = InsertSegmentDataCustom(stream, handle, buf, p->payload_len);
550  if (res < 0) {
551  if (res == -1) {
553  }
554  return -1;
555  }
556 
557  return 0;
558 }
559 
560 /** \internal
561  * \brief Add the header data to the segment
562  * \param rp packet to take the headers from. Might differ from `pp` in tunnels.
563  * \param pp packet to take the payload size from.
564  */
565 static void StreamTcpSegmentAddPacketDataDo(TcpSegment *seg, const Packet *rp, const Packet *pp)
566 {
567  if (GET_PKT_DATA(rp) != NULL && GET_PKT_LEN(rp) > pp->payload_len) {
568  seg->pcap_hdr_storage->ts.tv_sec = SCTIME_SECS(rp->ts);
569  seg->pcap_hdr_storage->ts.tv_usec = SCTIME_USECS(rp->ts);
571  /*
572  * pkt_hdr members are initially allocated 64 bytes of memory. Thus,
573  * need to check that this is sufficient and allocate more memory if
574  * not.
575  */
576  if (seg->pcap_hdr_storage->pktlen > seg->pcap_hdr_storage->alloclen) {
577  uint8_t *tmp_pkt_hdr = StreamTcpReassembleRealloc(seg->pcap_hdr_storage->pkt_hdr,
579  if (tmp_pkt_hdr == NULL) {
580  SCLogDebug("Failed to realloc");
581  seg->pcap_hdr_storage->ts.tv_sec = 0;
582  seg->pcap_hdr_storage->ts.tv_usec = 0;
583  seg->pcap_hdr_storage->pktlen = 0;
584  return;
585  } else {
586  seg->pcap_hdr_storage->pkt_hdr = tmp_pkt_hdr;
588  }
589  }
590  memcpy(seg->pcap_hdr_storage->pkt_hdr, GET_PKT_DATA(rp),
591  (size_t)GET_PKT_LEN(rp) - pp->payload_len);
592  } else {
593  seg->pcap_hdr_storage->ts.tv_sec = 0;
594  seg->pcap_hdr_storage->ts.tv_usec = 0;
595  seg->pcap_hdr_storage->pktlen = 0;
596  }
597 }
598 
599 /**
600  * \brief Adds the following information to the TcpSegment from the current
601  * packet being processed: time values, packet length, and the
602  * header data of the packet. This information is added to the TcpSegment so
603  * that it can be used in pcap capturing (log-pcap-stream) to dump the tcp
604  * session at the beginning of the pcap capture.
605  * \param seg TcpSegment where information is being stored.
606  * \param p Packet being processed.
607  * \param tv Thread-specific variables.
608  * \param ra_ctx TcpReassembly thread-specific variables
609  */
610 static void StreamTcpSegmentAddPacketData(
612 {
613  if (seg->pcap_hdr_storage == NULL || seg->pcap_hdr_storage->pkt_hdr == NULL) {
614  return;
615  }
616 
617  if (IS_TUNNEL_PKT(p) && !IS_TUNNEL_ROOT_PKT(p)) {
618  Packet *rp = p->root;
619  StreamTcpSegmentAddPacketDataDo(seg, rp, p);
620  } else {
621  StreamTcpSegmentAddPacketDataDo(seg, p, p);
622  }
623 }
624 
625 /**
626  * \return 0 ok
627  * \return -1 segment not inserted due to memcap issue
628  *
629  * \param seg segment, this function takes total ownership
630  *
631  * In case of error, this function returns the segment to the pool
632  */
634  TcpStream *stream, TcpSegment *seg, Packet *p,
635  uint32_t pkt_seq, uint8_t *pkt_data, uint16_t pkt_datalen)
636 {
637  SCEnter();
638 
639  TcpSegment *dup_seg = NULL;
640 
641  /* insert segment into list. Note: doesn't handle the data */
642  int r = DoInsertSegment (stream, seg, &dup_seg, p);
643 
645  StreamTcpSegmentAddPacketData(seg, p, tv, ra_ctx);
646  }
647 
648  if (likely(r == 0)) {
649  /* no overlap, straight data insert */
650  int res = InsertSegmentDataCustom(stream, seg, pkt_data, pkt_datalen);
651  if (res < 0) {
652  if (res == -1) {
654  }
656  StreamTcpRemoveSegmentFromStream(stream, seg);
658  if (res == -1) {
659  SCReturnInt(-ENOMEM);
660  }
661  SCReturnInt(-1);
662  }
663 
664  } else if (r == 1 || r == 2) {
665  SCLogDebug("overlap (%s%s)", r == 1 ? "normal" : "", r == 2 ? "duplicate" : "");
666 
667  if (r == 2) {
668  SCLogDebug("dup_seg %p", dup_seg);
669  }
670 
671  /* XXX should we exclude 'retransmissions' here? */
673 
674  /* now let's consider the data in the overlap case */
675  int res = DoHandleData(tv, ra_ctx, stream, seg, dup_seg, p);
676  if (res < 0) {
678 
679  if (r == 1) // r == 2 mean seg wasn't added to stream
680  StreamTcpRemoveSegmentFromStream(stream, seg);
681 
683  SCReturnInt(-1);
684  }
685  if (r == 2) {
686  SCLogDebug("duplicate segment %u/%u, discard it",
687  seg->seq, seg->payload_len);
688 
690 #ifdef DEBUG
691  if (SCLogDebugEnabled()) {
692  TcpSegment *s = NULL, *safe = NULL;
693  RB_FOREACH_SAFE(s, TCPSEG, &stream->seg_tree, safe)
694  {
695  SCLogDebug("tree: seg %p, SEQ %"PRIu32", LEN %"PRIu16", SUM %"PRIu32"%s%s%s",
696  s, s->seq, TCP_SEG_LEN(s),
697  (uint32_t)(s->seq + TCP_SEG_LEN(s)),
698  s->seq == seg->seq ? " DUPLICATE" : "",
699  TCPSEG_RB_PREV(s) == NULL ? " HEAD" : "",
700  TCPSEG_RB_NEXT(s) == NULL ? " TAIL" : "");
701  }
702  }
703 #endif
704  }
705  } else {
706  // EINVAL
708  }
709 
710  SCReturnInt(0);
711 }
712 
713 
714 /*
715  * Pruning & removal
716  */
717 
718 
719 static inline bool SegmentInUse(const TcpStream *stream, const TcpSegment *seg)
720 {
721  /* if proto detect isn't done, we're not returning */
722  if (!(stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY)) {
724  SCReturnInt(true);
725  }
726  }
727 
728  SCReturnInt(false);
729 }
730 
731 
732 /** \internal
733  * \brief check if we can remove a segment from our segment list
734  *
735  * \retval true
736  * \retval false
737  */
738 static inline bool StreamTcpReturnSegmentCheck(const TcpStream *stream, const TcpSegment *seg)
739 {
740  if (SegmentInUse(stream, seg)) {
741  SCReturnInt(false);
742  }
743 
744  if (!(StreamingBufferSegmentIsBeforeWindow(&stream->sb, &seg->sbseg))) {
745  SCReturnInt(false);
746  }
747 
748  SCReturnInt(true);
749 }
750 
751 static inline uint64_t GetLeftEdgeForApp(Flow *f, TcpSession *ssn, TcpStream *stream)
752 {
753  const FramesContainer *frames_container = AppLayerFramesGetContainer(f);
754  if (frames_container == NULL)
755  return STREAM_APP_PROGRESS(stream);
756 
757  const Frames *frames =
758  stream == &ssn->client ? &frames_container->toserver : &frames_container->toclient;
759  // const uint64_t x = FramesLeftEdge(stream, frames);
760  // BUG_ON(x != (frames->left_edge_rel + STREAM_BASE_OFFSET(stream)));
761  // return x;
762  const uint64_t o = (uint64_t)frames->left_edge_rel + STREAM_BASE_OFFSET(stream);
763  SCLogDebug(
764  "%s: frames left edge: %" PRIu64, &ssn->client == stream ? "toserver" : "toclient", o);
765  return o;
766 }
767 
768 static inline uint64_t GetLeftEdge(Flow *f, TcpSession *ssn, TcpStream *stream)
769 {
770  uint64_t left_edge = 0;
771  const bool use_app = !(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
772  const bool use_raw = !(stream->flags & STREAMTCP_STREAM_FLAG_DISABLE_RAW);
773  const bool use_log = stream_config.streaming_log_api;
774  SCLogDebug("use_app %d use_raw %d use_log %d tcp win %u", use_app, use_raw, use_log,
775  stream->window);
776 
777  if (use_raw) {
778  uint64_t raw_progress = STREAM_RAW_PROGRESS(stream);
779 
780  if (StreamTcpInlineMode() == TRUE) {
781  uint32_t chunk_size = (stream == &ssn->client) ?
784  if (raw_progress < (uint64_t)chunk_size) {
785  raw_progress = 0;
786  } else {
787  raw_progress -= (uint64_t)chunk_size;
788  }
789  }
790 
791  /* apply min inspect depth: if it is set we need to keep data
792  * before the raw progress. */
793  if (use_app && stream->min_inspect_depth && ssn->state < TCP_CLOSED) {
794  if (raw_progress < stream->min_inspect_depth)
795  raw_progress = 0;
796  else
797  raw_progress -= stream->min_inspect_depth;
798 
799  SCLogDebug("stream->min_inspect_depth %u, raw_progress %"PRIu64,
800  stream->min_inspect_depth, raw_progress);
801  }
802 
803  if (use_app) {
804  const uint64_t app_le = GetLeftEdgeForApp(f, ssn, stream);
805  left_edge = MIN(app_le, raw_progress);
806  SCLogDebug("left_edge %" PRIu64 ", using both app:%" PRIu64 ", raw:%" PRIu64, left_edge,
807  app_le, raw_progress);
808  } else {
809  left_edge = raw_progress;
810  SCLogDebug("left_edge %"PRIu64", using only raw:%"PRIu64,
811  left_edge, raw_progress);
812  }
813  } else if (use_app) {
814  const uint64_t app_le = GetLeftEdgeForApp(f, ssn, stream);
815  left_edge = app_le;
816  SCLogDebug("left_edge %" PRIu64 ", using only app:%" PRIu64, left_edge, app_le);
817  } else {
818  left_edge = StreamingBufferGetConsecutiveDataRightEdge(&stream->sb);
819  SCLogDebug("no app & raw: left_edge %"PRIu64" (full stream)", left_edge);
820  }
821 
822  if (use_log) {
823  if (use_app || use_raw) {
824  left_edge = MIN(left_edge, STREAM_LOG_PROGRESS(stream));
825  } else {
826  left_edge = STREAM_LOG_PROGRESS(stream);
827  }
828  }
829 
830  uint64_t last_ack_abs = STREAM_BASE_OFFSET(stream);
831  if (STREAM_LASTACK_GT_BASESEQ(stream)) {
832  last_ack_abs += (stream->last_ack - stream->base_seq);
833  }
834  /* in IDS mode we shouldn't see the base_seq pass last_ack */
835  DEBUG_VALIDATE_BUG_ON(last_ack_abs < left_edge && StreamTcpInlineMode() == FALSE && !f->ffr &&
836  ssn->state < TCP_CLOSED);
837  left_edge = MIN(left_edge, last_ack_abs);
838 
839  /* if we're told to look for overlaps with different data we should
840  * consider data that is ack'd as well. Injected packets may have
841  * been ack'd or injected packet may be too late. */
842  if (StreamTcpInlineMode() == FALSE && check_overlap_different_data) {
843  const uint32_t window = stream->window ? stream->window : 4096;
844  if (window < left_edge)
845  left_edge -= window;
846  else
847  left_edge = 0;
848 
849  SCLogDebug("stream:%p left_edge %"PRIu64, stream, left_edge);
850  }
851 
852  if (left_edge > 0) {
853  /* we know left edge based on the progress values now,
854  * lets adjust it to make sure in-use segments still have
855  * data */
856  TcpSegment *seg = NULL;
857  RB_FOREACH(seg, TCPSEG, &stream->seg_tree) {
858  if (TCP_SEG_OFFSET(seg) > left_edge) {
859  SCLogDebug("seg beyond left_edge, we're done");
860  break;
861  }
862 
863  if (SegmentInUse(stream, seg)) {
864  left_edge = TCP_SEG_OFFSET(seg);
865  SCLogDebug("in-use seg before left_edge, adjust to %"PRIu64" and bail", left_edge);
866  break;
867  }
868  }
869  }
870 
871  return left_edge;
872 }
873 
874 static void StreamTcpRemoveSegmentFromStream(TcpStream *stream, TcpSegment *seg)
875 {
876  RB_REMOVE(TCPSEG, &stream->seg_tree, seg);
877 }
878 
879 /** \brief Remove idle TcpSegments from TcpSession
880  *
881  * Checks app progress and raw progress and progresses them
882  * if needed, slides the streaming buffer, then gets rid of
883  * excess segments.
884  *
885  * \param f flow
886  * \param flags direction flags
887  */
889 {
890  SCEnter();
891 
892  if (f == NULL || f->protoctx == NULL) {
893  SCReturn;
894  }
895 
896  TcpSession *ssn = f->protoctx;
897  TcpStream *stream = NULL;
898 
899  if (flags & STREAM_TOSERVER) {
900  stream = &ssn->client;
901  } else if (flags & STREAM_TOCLIENT) {
902  stream = &ssn->server;
903  } else {
904  SCReturn;
905  }
906 
908  return;
909  }
910 
913  SCLogDebug("ssn %p / stream %p: reassembly depth reached, "
914  "STREAMTCP_STREAM_FLAG_NOREASSEMBLY set", ssn, stream);
917  return;
918 
919  } else if ((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) &&
921  SCLogDebug("ssn %p / stream %p: both app and raw are done, "
922  "STREAMTCP_STREAM_FLAG_NOREASSEMBLY set", ssn, stream);
926  return;
927  }
928 
929  const uint64_t left_edge = GetLeftEdge(f, ssn, stream);
930  SCLogDebug("buffer left_edge %" PRIu64, left_edge);
931  if (left_edge && left_edge > STREAM_BASE_OFFSET(stream)) {
932  uint32_t slide = left_edge - STREAM_BASE_OFFSET(stream);
933  SCLogDebug("buffer sliding %u to offset %"PRIu64, slide, left_edge);
934 
936  AppLayerFramesSlide(f, slide, flags & (STREAM_TOSERVER | STREAM_TOCLIENT));
937  }
938  StreamingBufferSlideToOffset(&stream->sb, &stream_config.sbcnf, left_edge);
939  stream->base_seq += slide;
940 
941  if (slide <= stream->app_progress_rel) {
942  stream->app_progress_rel -= slide;
943  } else {
944  stream->app_progress_rel = 0;
945  }
946  if (slide <= stream->raw_progress_rel) {
947  stream->raw_progress_rel -= slide;
948  } else {
949  stream->raw_progress_rel = 0;
950  }
951  if (slide <= stream->log_progress_rel) {
952  stream->log_progress_rel -= slide;
953  } else {
954  stream->log_progress_rel = 0;
955  }
956 
957  SCLogDebug("stream base_seq %u at stream offset %"PRIu64,
958  stream->base_seq, STREAM_BASE_OFFSET(stream));
959  }
960 
961  /* loop through the segments and remove all not in use */
962  TcpSegment *seg = NULL, *safe = NULL;
963  RB_FOREACH_SAFE(seg, TCPSEG, &stream->seg_tree, safe)
964  {
965  SCLogDebug("seg %p, SEQ %"PRIu32", LEN %"PRIu16", SUM %"PRIu32,
966  seg, seg->seq, TCP_SEG_LEN(seg),
967  (uint32_t)(seg->seq + TCP_SEG_LEN(seg)));
968 
969  if (StreamTcpReturnSegmentCheck(stream, seg) == 0) {
970  SCLogDebug("not removing segment");
971  break;
972  }
973 
974  StreamTcpRemoveSegmentFromStream(stream, seg);
976  SCLogDebug("removed segment");
977  continue;
978  }
979 
980  SCReturn;
981 }
982 
983 
984 /*
985  * unittests
986  */
987 
988 #ifdef UNITTESTS
989 #include "tests/stream-tcp-list.c"
990 #endif
StreamTcpSetEvent
#define StreamTcpSetEvent(p, e)
Definition: stream-tcp-private.h:269
StreamingBufferSlideToOffset
void StreamingBufferSlideToOffset(StreamingBuffer *sb, const StreamingBufferConfig *cfg, uint64_t offset)
slide to absolute offset
Definition: util-streaming-buffer.c:779
TcpStream_
Definition: stream-tcp-private.h:106
RB_GENERATE
RB_GENERATE(TCPSEG, TcpSegment, rb, TcpSegmentCompare)
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:167
StreamTcpSegmentReturntoPool
void StreamTcpSegmentReturntoPool(TcpSegment *seg)
Function to return the segment back to the pool.
Definition: stream-tcp-reassemble.c:373
IsTcpSessionDumpingEnabled
bool IsTcpSessionDumpingEnabled(void)
Definition: stream-tcp-reassemble.c:89
TCP_SEG_LEN
#define TCP_SEG_LEN(seg)
Definition: stream-tcp-private.h:94
stream-tcp-inline.h
stream-tcp.h
RB_REMOVE
#define RB_REMOVE(name, x, y)
Definition: tree.h:773
OS_POLICY_IRIX
@ OS_POLICY_IRIX
Definition: stream-tcp-reassemble.h:44
StreamTcpReassembleInsertSegment
int StreamTcpReassembleInsertSegment(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpStream *stream, TcpSegment *seg, Packet *p, uint32_t pkt_seq, uint8_t *pkt_data, uint16_t pkt_datalen)
Definition: stream-tcp-list.c:633
TcpStream_::seg_tree
struct TCPSEG seg_tree
Definition: stream-tcp-private.h:135
TcpStream_::log_progress_rel
uint32_t log_progress_rel
Definition: stream-tcp-private.h:128
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
Packet_::payload
uint8_t * payload
Definition: decode.h:573
StreamTcpInlineMode
int StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:6850
FramesContainer::toserver
Frames toserver
Definition: app-layer-frames.h:74
TcpStream_::os_policy
uint8_t os_policy
Definition: stream-tcp-private.h:110
Flow_
Flow data structure.
Definition: flow.h:357
TcpSegment::sbseg
StreamingBufferSegment sbseg
Definition: stream-tcp-private.h:77
StreamTcpReassembleConfigEnableOverlapCheck
void StreamTcpReassembleConfigEnableOverlapCheck(void)
Definition: stream-tcp-list.c:40
IS_TUNNEL_ROOT_PKT
#define IS_TUNNEL_ROOT_PKT(p)
Definition: decode.h:800
TcpStreamCnf_::sbcnf
StreamingBufferConfig sbcnf
Definition: stream-tcp.h:76
OS_POLICY_BSD
@ OS_POLICY_BSD
Definition: stream-tcp-reassemble.h:36
StreamingBufferGetData
int StreamingBufferGetData(const StreamingBuffer *sb, const uint8_t **data, uint32_t *data_len, uint64_t *stream_offset)
Definition: util-streaming-buffer.c:1594
StreamTcpInlineSegmentReplacePacket
void StreamTcpInlineSegmentReplacePacket(const TcpStream *stream, Packet *p, const TcpSegment *seg)
Replace (part of) the payload portion of a packet by the data in a TCP segment.
Definition: stream-tcp-inline.c:120
rust.h
TcpReassemblyThreadCtx_::counter_tcp_reass_overlap
uint16_t counter_tcp_reass_overlap
Definition: stream-tcp-reassemble.h:76
MIN
#define MIN(x, y)
Definition: suricata-common.h:380
Frames
Definition: app-layer-frames.h:60
FramesContainer
Definition: app-layer-frames.h:73
stream-tcp-reassemble.h
TcpSegment::seq
uint32_t seq
Definition: stream-tcp-private.h:75
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:107
TcpReassemblyThreadCtx_::counter_tcp_reass_overlap_diff_data
uint16_t counter_tcp_reass_overlap_diff_data
Definition: stream-tcp-reassemble.h:78
TcpStreamCnf_::streaming_log_api
bool streaming_log_api
Definition: stream-tcp.h:61
Frames::left_edge_rel
uint32_t left_edge_rel
Definition: app-layer-frames.h:63
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:115
Flow_::protoctx
void * protoctx
Definition: flow.h:447
STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA
@ STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA
Definition: decode-events.h:293
stream_offset
uint64_t stream_offset
Definition: util-streaming-buffer.h:1
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:574
STREAMTCP_STREAM_FLAG_DEPTH_REACHED
#define STREAMTCP_STREAM_FLAG_DEPTH_REACHED
Definition: stream-tcp-private.h:222
TcpSegmentPcapHdrStorage_::pktlen
uint32_t pktlen
Definition: stream-tcp-private.h:67
STREAM_LOG_PROGRESS
#define STREAM_LOG_PROGRESS(stream)
Definition: stream-tcp-private.h:146
TcpSession_::flags
uint32_t flags
Definition: stream-tcp-private.h:291
TCP_SEG_OFFSET
#define TCP_SEG_OFFSET(seg)
Definition: stream-tcp-private.h:95
TcpReassemblyThreadCtx_::counter_tcp_reass_data_normal_fail
uint16_t counter_tcp_reass_data_normal_fail
Definition: stream-tcp-reassemble.h:80
TcpStream_::last_ack
uint32_t last_ack
Definition: stream-tcp-private.h:115
FramesContainer::toclient
Frames toclient
Definition: app-layer-frames.h:75
RB_EMPTY
#define RB_EMPTY(head)
Definition: tree.h:327
StreamTcpReassembleRealloc
void * StreamTcpReassembleRealloc(void *optr, size_t orig_size, size_t size)
Definition: stream-tcp-reassemble.c:223
StreamingBufferSegmentIsBeforeWindow
int StreamingBufferSegmentIsBeforeWindow(const StreamingBuffer *sb, const StreamingBufferSegment *seg)
Definition: util-streaming-buffer.c:1436
Packet_::ts
SCTime_t ts
Definition: decode.h:471
STREAM_BASE_OFFSET
#define STREAM_BASE_OFFSET(stream)
Definition: stream-tcp-private.h:143
TcpStream_::min_inspect_depth
uint32_t min_inspect_depth
Definition: stream-tcp-private.h:130
TcpSegmentCompare
int TcpSegmentCompare(struct TcpSegment *a, struct TcpSegment *b)
compare function for the Segment tree
Definition: stream-tcp-list.c:51
util-print.h
RB_FOREACH_SAFE
#define RB_FOREACH_SAFE(x, name, head, y)
Definition: tree.h:791
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:219
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
StreamingBufferClear
void StreamingBufferClear(StreamingBuffer *sb, const StreamingBufferConfig *cfg)
Definition: util-streaming-buffer.c:156
OS_POLICY_HPUX11
@ OS_POLICY_HPUX11
Definition: stream-tcp-reassemble.h:43
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:284
TcpStream_::segs_right_edge
uint32_t segs_right_edge
Definition: stream-tcp-private.h:136
AppLayerFramesSlide
void AppLayerFramesSlide(Flow *f, const uint32_t slide, const uint8_t direction)
Definition: app-layer-frames.c:361
stream-tcp-list.h
OS_POLICY_MACOS
@ OS_POLICY_MACOS
Definition: stream-tcp-reassemble.h:45
StreamTcpPruneSession
void StreamTcpPruneSession(Flow *f, uint8_t flags)
Remove idle TcpSegments from TcpSession.
Definition: stream-tcp-list.c:888
TRUE
#define TRUE
Definition: suricata-common.h:33
RB_FOREACH
#define RB_FOREACH(x, name, head)
Definition: tree.h:781
FALSE
#define FALSE
Definition: suricata-common.h:34
SCReturn
#define SCReturn
Definition: util-debug.h:273
TcpSegment
Definition: stream-tcp-private.h:72
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:300
Packet_
Definition: decode.h:428
AppLayerFramesGetContainer
FramesContainer * AppLayerFramesGetContainer(Flow *f)
Definition: app-layer-parser.c:183
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:218
stream-tcp-private.h
OS_POLICY_HPUX10
@ OS_POLICY_HPUX10
Definition: stream-tcp-reassemble.h:42
TcpStream_::window
uint32_t window
Definition: stream-tcp-private.h:117
SEG_SEQ_RIGHT_EDGE
#define SEG_SEQ_RIGHT_EDGE(seg)
Definition: stream-tcp-private.h:97
IS_TUNNEL_PKT
#define IS_TUNNEL_PKT(p)
Definition: decode.h:797
StreamTcpReturnStreamSegments
void StreamTcpReturnStreamSegments(TcpStream *stream)
return all segments in this stream into the pool(s)
Definition: stream-tcp-reassemble.c:390
TcpSegment::payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:74
OS_POLICY_SOLARIS
@ OS_POLICY_SOLARIS
Definition: stream-tcp-reassemble.h:41
TcpStream_::raw_progress_rel
uint32_t raw_progress_rel
Definition: stream-tcp-private.h:127
stream-tcp-list.c
TCP_CLOSED
@ TCP_CLOSED
Definition: stream-tcp-private.h:161
Flow_::ffr
uint8_t ffr
Definition: flow.h:391
app-layer-frames.h
SEQ_GEQ
#define SEQ_GEQ(a, b)
Definition: stream-tcp-private.h:259
OS_POLICY_LAST
@ OS_POLICY_LAST
Definition: stream-tcp-reassemble.h:50
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
SEQ_GT
#define SEQ_GT(a, b)
Definition: stream-tcp-private.h:258
util-streaming-buffer.h
TcpSegmentPcapHdrStorage_::ts
struct timeval ts
Definition: stream-tcp-private.h:66
TcpStream_::base_seq
uint32_t base_seq
Definition: stream-tcp-private.h:124
TcpStream_::sb
StreamingBuffer sb
Definition: stream-tcp-private.h:134
TcpSegmentPcapHdrStorage_::alloclen
uint32_t alloclen
Definition: stream-tcp-private.h:68
SCTIME_SECS
#define SCTIME_SECS(t)
Definition: util-time.h:57
OS_POLICY_OLD_LINUX
@ OS_POLICY_OLD_LINUX
Definition: stream-tcp-reassemble.h:38
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:294
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
TcpStreamCnf_::reassembly_toclient_chunk_size
uint16_t reassembly_toclient_chunk_size
Definition: stream-tcp.h:67
util-validate.h
OS_POLICY_WINDOWS
@ OS_POLICY_WINDOWS
Definition: stream-tcp-reassemble.h:46
StreamTcpInlineSegmentCompare
int StreamTcpInlineSegmentCompare(const TcpStream *stream, const Packet *p, const TcpSegment *seg)
Compare the shared data portion of two segments.
Definition: stream-tcp-inline.c:49
Packet_::root
struct Packet_ * root
Definition: decode.h:618
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:293
TcpSegmentPcapHdrStorage_::pkt_hdr
uint8_t * pkt_hdr
Definition: stream-tcp-private.h:69
StreamingBufferInsertAt
int StreamingBufferInsertAt(StreamingBuffer *sb, const StreamingBufferConfig *cfg, StreamingBufferSegment *seg, const uint8_t *data, uint32_t data_len, uint64_t offset)
Definition: util-streaming-buffer.c:1323
TcpSegment::pcap_hdr_storage
TcpSegmentPcapHdrStorage * pcap_hdr_storage
Definition: stream-tcp-private.h:78
SEQ_LT
#define SEQ_LT(a, b)
Definition: stream-tcp-private.h:256
TcpStream_::app_progress_rel
uint32_t app_progress_rel
Definition: stream-tcp-private.h:126
TcpReassemblyThreadCtx_::counter_tcp_reass_data_overlap_fail
uint16_t counter_tcp_reass_data_overlap_fail
Definition: stream-tcp-reassemble.h:81
SEQ_EQ
#define SEQ_EQ(a, b)
Definition: stream-tcp-private.h:255
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:59
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:200
STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition: stream-tcp-private.h:218
SEQ_LEQ
#define SEQ_LEQ(a, b)
Definition: stream-tcp-private.h:257
OS_POLICY_WINDOWS2K3
@ OS_POLICY_WINDOWS2K3
Definition: stream-tcp-reassemble.h:48
RB_FOREACH_REVERSE_FROM
#define RB_FOREACH_REVERSE_FROM(x, name, y)
Definition: tree.h:801
STREAMTCP_STREAM_FLAG_DISABLE_RAW
#define STREAMTCP_STREAM_FLAG_DISABLE_RAW
Definition: stream-tcp-private.h:237
likely
#define likely(expr)
Definition: util-optimize.h:32
STREAM_APP_PROGRESS
#define STREAM_APP_PROGRESS(stream)
Definition: stream-tcp-private.h:144
TcpSession_
Definition: stream-tcp-private.h:282
RB_FOREACH_FROM
#define RB_FOREACH_FROM(x, name, y)
Definition: tree.h:786
StreamingBufferSegmentGetData
void StreamingBufferSegmentGetData(const StreamingBuffer *sb, const StreamingBufferSegment *seg, const uint8_t **data, uint32_t *data_len)
Definition: util-streaming-buffer.c:1544
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
OS_POLICY_LINUX
@ OS_POLICY_LINUX
Definition: stream-tcp-reassemble.h:39
TcpReassemblyThreadCtx_::counter_tcp_segment_memcap
uint16_t counter_tcp_segment_memcap
Definition: stream-tcp-reassemble.h:65
SCLogDebugEnabled
int SCLogDebugEnabled(void)
Returns whether debug messages are enabled to be logged or not.
Definition: util-debug.c:771
TcpStreamCnf_::reassembly_toserver_chunk_size
uint16_t reassembly_toserver_chunk_size
Definition: stream-tcp.h:66
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
STREAM_RAW_PROGRESS
#define STREAM_RAW_PROGRESS(stream)
Definition: stream-tcp-private.h:145
SCTIME_USECS
#define SCTIME_USECS(t)
Definition: util-time.h:56