suricata
stream-tcp-list.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /** \file
19  *
20  * Segment list functions for insertions, overlap handling, removal and
21  * more.
22  */
23 
24 #include "suricata-common.h"
25 #include "rust.h"
26 #include "stream-tcp-private.h"
27 #include "stream-tcp.h"
28 #include "stream-tcp-reassemble.h"
29 #include "stream-tcp-inline.h"
30 #include "stream-tcp-list.h"
31 #include "util-streaming-buffer.h"
32 #include "util-print.h"
33 #include "util-validate.h"
34 #include "app-layer-frames.h"
35 
36 static void StreamTcpRemoveSegmentFromStream(TcpStream *stream, TcpSegment *seg);
37 
38 static int check_overlap_different_data = 0;
39 
41 {
42  check_overlap_different_data = 1;
43 }
44 
45 /*
46  * Inserts and overlap handling
47  */
48 
50 
51 int TcpSegmentCompare(struct TcpSegment *a, struct TcpSegment *b)
52 {
53  if (SEQ_GT(a->seq, b->seq))
54  return 1;
55  else if (SEQ_LT(a->seq, b->seq))
56  return -1;
57  else {
58  if (a->payload_len == b->payload_len)
59  return 0;
60  else if (a->payload_len > b->payload_len)
61  return 1;
62  else
63  return -1;
64  }
65 }
66 
67 /** \internal
68  * \brief insert segment data into the streaming buffer
69  * \param seg segment to store stream offset in
70  * \param data segment data after overlap handling (if any)
71  * \param data_len data length
72  *
73  * \return 0 on success
74  * \return -1 on error (memory allocation error)
75  */
76 static inline int InsertSegmentDataCustom(TcpStream *stream, TcpSegment *seg, uint8_t *data, uint16_t data_len)
77 {
78  uint64_t stream_offset;
79  uint32_t data_offset;
80 
81  if (likely(SEQ_GEQ(seg->seq, stream->base_seq))) {
82  stream_offset = STREAM_BASE_OFFSET(stream) + (seg->seq - stream->base_seq);
83  data_offset = 0;
84  } else {
85  /* segment is partly before base_seq */
86  data_offset = stream->base_seq - seg->seq;
88  }
89 
90  SCLogDebug("stream %p buffer %p, stream_offset %"PRIu64", "
91  "data_offset %"PRIu16", SEQ %u BASE %u, data_len %u",
92  stream, &stream->sb, stream_offset,
93  data_offset, seg->seq, stream->base_seq, data_len);
94  DEBUG_VALIDATE_BUG_ON(data_offset > data_len);
95  if (data_len <= data_offset) {
96  SCReturnInt(0);
97  }
98 
99  int ret = StreamingBufferInsertAt(
100  &stream->sb, &seg->sbseg, data + data_offset, data_len - data_offset, stream_offset);
101  if (ret != 0) {
102  /* StreamingBufferInsertAt can return -2 only if the offset is wrong, which should be
103  * impossible in this path. */
104  DEBUG_VALIDATE_BUG_ON(ret != -1);
105  SCReturnInt(-1);
106  }
107 #ifdef DEBUG
108  {
109  const uint8_t *mydata;
110  uint32_t mydata_len;
111  uint64_t mydata_offset;
112  StreamingBufferGetData(&stream->sb, &mydata, &mydata_len, &mydata_offset);
113 
114  SCLogDebug("stream %p seg %p data in buffer %p of len %u and offset %"PRIu64,
115  stream, seg, &stream->sb, mydata_len, mydata_offset);
116  //PrintRawDataFp(stdout, mydata, mydata_len);
117  }
118 #endif
119  SCReturnInt(0);
120 }
121 
122 /** \internal
123  * \brief check if this segments overlaps with an in-tree seg.
124  * \retval true
125  * \retval false
126  */
127 static inline bool CheckOverlap(struct TCPSEG *tree, TcpSegment *seg)
128 {
129  const uint32_t re = SEG_SEQ_RIGHT_EDGE(seg);
130  SCLogDebug("start. SEQ %u payload_len %u. Right edge: %u. Seg %p",
131  seg->seq, seg->payload_len, re, seg);
132 
133  /* check forward */
134  TcpSegment *next = TCPSEG_RB_NEXT(seg);
135  if (next) {
136  // next has same seq, so data must overlap
137  if (SEQ_EQ(next->seq, seg->seq))
138  return true;
139  // our right edge is beyond next seq, overlap
140  if (SEQ_GT(re, next->seq))
141  return true;
142  }
143  /* check backwards */
144  TcpSegment *prev = TCPSEG_RB_PREV(seg);
145  if (prev) {
146  // prev has same seq, so data must overlap
147  if (SEQ_EQ(prev->seq, seg->seq))
148  return true;
149  // prev's right edge is beyond our seq, overlap
150  const uint32_t prev_re = SEG_SEQ_RIGHT_EDGE(prev);
151  if (SEQ_GT(prev_re, seg->seq))
152  return true;
153  }
154 
155  SCLogDebug("no overlap");
156  return false;
157 }
158 
159 /** \internal
160  * \brief insert the segment into the proper place in the tree
161  * don't worry about the data or overlaps
162  *
163  * \retval 2 not inserted, data overlap
164  * \retval 1 inserted with overlap detected
165  * \retval 0 inserted, no overlap
166  * \retval -ENOMEM memcap reached
167  * \retval -EINVAL seg out of seq range
168  */
169 static int DoInsertSegment (TcpStream *stream, TcpSegment *seg, TcpSegment **dup_seg, Packet *p)
170 {
171  /* in lossy traffic, we can get here with the wrong sequence numbers */
172  if (SEQ_LEQ(SEG_SEQ_RIGHT_EDGE(seg), stream->base_seq)) {
173  return -EINVAL;
174  }
175 
176  /* fast track */
177  if (RB_EMPTY(&stream->seg_tree)) {
178  SCLogDebug("empty tree, inserting seg %p seq %" PRIu32 ", "
179  "len %" PRIu32 "", seg, seg->seq, TCP_SEG_LEN(seg));
180  TCPSEG_RB_INSERT(&stream->seg_tree, seg);
181  stream->segs_right_edge = SEG_SEQ_RIGHT_EDGE(seg);
182  return 0;
183  }
184 
185  /* insert and then check if there was any overlap with other segments */
186  TcpSegment *res = TCPSEG_RB_INSERT(&stream->seg_tree, seg);
187  if (res) {
188  SCLogDebug("seg has a duplicate in the tree seq %u/%u",
189  res->seq, res->payload_len);
190  /* exact duplicate SEQ + payload_len */
191  *dup_seg = res;
192  return 2; // duplicate has overlap by definition.
193  } else {
194  if (SEQ_GT(SEG_SEQ_RIGHT_EDGE(seg), stream->segs_right_edge))
195  stream->segs_right_edge = SEG_SEQ_RIGHT_EDGE(seg);
196 
197  /* insert succeeded, now check if we overlap with someone */
198  if (CheckOverlap(&stream->seg_tree, seg) == true) {
199  SCLogDebug("seg %u has overlap in the tree", seg->seq);
200  return 1;
201  }
202  }
203  SCLogDebug("seg %u: no overlap", seg->seq);
204  return 0;
205 }
206 
207 /** \internal
208  * \brief handle overlap per list segment
209  *
210  * For a list segment handle the overlap according to the policy.
211  *
212  * The 'buf' parameter points to the memory that will be inserted into
213  * the stream after the overlap checks are complete. As it will
214  * unconditionally overwrite whats in the stream now, the overlap
215  * policies are applied to this buffer. It starts with the 'new' data,
216  * so when the policy states 'old' data has to be used, 'buf' is
217  * updated to contain the 'old' data here.
218  *
219  * \param buf stack allocated buffer sized p->payload_len that will be
220  * inserted into the stream buffer
221  *
222  * \retval 1 if data was different
223  * \retval 0 data was the same or we didn't check for differences
224  */
225 static int DoHandleDataOverlap(TcpStream *stream, const TcpSegment *list,
226  const TcpSegment *seg, uint8_t *buf, Packet *p)
227 {
228  SCLogDebug("handle overlap for segment %p seq %u len %u re %u, "
229  "list segment %p seq %u len %u re %u", seg, seg->seq,
231  list, list->seq, TCP_SEG_LEN(list), SEG_SEQ_RIGHT_EDGE(list));
232 
233  int data_is_different = 0;
234  int use_new_data = 0;
235 
236  if (StreamTcpInlineMode()) {
237  SCLogDebug("inline mode");
238  if (StreamTcpInlineSegmentCompare(stream, p, list) != 0) {
239  SCLogDebug("already accepted data not the same as packet data, rewrite packet");
240  StreamTcpInlineSegmentReplacePacket(stream, p, list);
241  data_is_different = 1;
242 
243  /* in inline mode we check for different data unconditionally,
244  * but setting events still depends on config */
245  if (check_overlap_different_data) {
247  }
248  }
249 
250  /* IDS mode */
251  } else {
252  if (check_overlap_different_data) {
253  if (StreamTcpInlineSegmentCompare(stream, p, list) != 0) {
254  SCLogDebug("data is different from what is in the list");
255  data_is_different = 1;
256  }
257  } else {
258  /* if we're not checking, assume it's different */
259  data_is_different = 1;
260  }
261 
262  /* apply overlap policies */
263 
264  if (stream->os_policy == OS_POLICY_LAST) {
265  /* buf will start with LAST data (from the segment),
266  * so if policy is LAST we're now done here. */
267  return (check_overlap_different_data && data_is_different);
268  }
269 
270  /* start at the same seq */
271  if (SEQ_EQ(seg->seq, list->seq)) {
272  SCLogDebug("seg starts at list segment");
273 
274  if (SEQ_LT(SEG_SEQ_RIGHT_EDGE(seg), SEG_SEQ_RIGHT_EDGE(list))) {
275  SCLogDebug("seg ends before list end, end overlapped by list");
276  } else {
277  if (SEQ_GT(SEG_SEQ_RIGHT_EDGE(seg), SEG_SEQ_RIGHT_EDGE(list))) {
278  SCLogDebug("seg ends beyond list end, list overlapped and more");
279  switch (stream->os_policy) {
280  case OS_POLICY_LINUX:
281  if (data_is_different) {
282  use_new_data = 1;
283  }
284  break;
285  }
286  } else {
287  SCLogDebug("full overlap");
288  }
289 
290  switch (stream->os_policy) {
291  case OS_POLICY_OLD_LINUX:
292  case OS_POLICY_SOLARIS:
293  case OS_POLICY_HPUX11:
294  if (data_is_different) {
295  use_new_data = 1;
296  }
297  break;
298  }
299  }
300 
301  /* new seg starts before list segment */
302  } else if (SEQ_LT(seg->seq, list->seq)) {
303  SCLogDebug("seg starts before list segment");
304 
305  if (SEQ_LT(SEG_SEQ_RIGHT_EDGE(seg), SEG_SEQ_RIGHT_EDGE(list))) {
306  SCLogDebug("seg ends before list end, end overlapped by list");
307  } else {
308  if (SEQ_GT(SEG_SEQ_RIGHT_EDGE(seg), SEG_SEQ_RIGHT_EDGE(list))) {
309  SCLogDebug("seg starts before and fully overlaps list and beyond");
310  } else {
311  SCLogDebug("seg starts before and fully overlaps list");
312  }
313 
314  switch (stream->os_policy) {
315  case OS_POLICY_SOLARIS:
316  case OS_POLICY_HPUX11:
317  if (data_is_different) {
318  use_new_data = 1;
319  }
320  break;
321  }
322  }
323 
324  switch (stream->os_policy) {
325  case OS_POLICY_BSD:
326  case OS_POLICY_HPUX10:
327  case OS_POLICY_IRIX:
328  case OS_POLICY_WINDOWS:
330  case OS_POLICY_OLD_LINUX:
331  case OS_POLICY_LINUX:
332  case OS_POLICY_MACOS:
333  if (data_is_different) {
334  use_new_data = 1;
335  }
336  break;
337  }
338 
339  /* new seg starts after list segment */
340  } else { //if (SEQ_GT(seg->seq, list->seq)) {
341  SCLogDebug("seg starts after list segment");
342 
343  if (SEQ_EQ(SEG_SEQ_RIGHT_EDGE(seg), SEG_SEQ_RIGHT_EDGE(list))) {
344  SCLogDebug("seg after and is fully overlapped by list");
345  } else if (SEQ_GT(SEG_SEQ_RIGHT_EDGE(seg), SEG_SEQ_RIGHT_EDGE(list))) {
346  SCLogDebug("seg starts after list and ends after list");
347 
348  switch (stream->os_policy) {
349  case OS_POLICY_SOLARIS:
350  case OS_POLICY_HPUX11:
351  if (data_is_different) {
352  use_new_data = 1;
353  }
354  break;
355  }
356  } else {
357  SCLogDebug("seg starts after list and ends before list end");
358 
359  }
360  }
361  }
362 
363  SCLogDebug("data_is_different %s, use_new_data %s",
364  data_is_different ? "yes" : "no",
365  use_new_data ? "yes" : "no");
366 
367  /* if the data is different and we don't want to use the new (seg)
368  * data, we have to update buf with the list data */
369  if (data_is_different && !use_new_data) {
370  /* we need to copy list into seg */
371  uint32_t list_offset = 0;
372  uint32_t seg_offset = 0;
373  uint32_t list_len;
374  uint16_t seg_len = p->payload_len;
375  uint32_t list_seq = list->seq;
376 
377  const uint8_t *list_data;
378  StreamingBufferSegmentGetData(&stream->sb, &list->sbseg, &list_data, &list_len);
379  if (list_data == NULL || list_len == 0)
380  return 0;
381  BUG_ON(list_len > USHRT_MAX);
382 
383  /* if list seg is partially before base_seq, list_len (from stream) and
384  * TCP_SEG_LEN(list) will not be the same */
385  if (SEQ_GEQ(list->seq, stream->base_seq)) {
386  ;
387  } else {
388  list_seq = stream->base_seq;
389  list_len = SEG_SEQ_RIGHT_EDGE(list) - stream->base_seq;
390  }
391 
392  if (SEQ_LT(seg->seq, list_seq)) {
393  seg_offset = list_seq - seg->seq;
394  seg_len -= seg_offset;
395  } else if (SEQ_GT(seg->seq, list_seq)) {
396  list_offset = seg->seq - list_seq;
397  list_len -= list_offset;
398  }
399 
400  if (SEQ_LT(seg->seq + seg_offset + seg_len, list_seq + list_offset + list_len)) {
401  list_len -= (list_seq + list_offset + list_len) - (seg->seq + seg_offset + seg_len);
402  }
403  SCLogDebug("here goes nothing: list %u %u, seg %u %u", list_offset, list_len, seg_offset, seg_len);
404 
405  //PrintRawDataFp(stdout, list_data + list_offset, list_len);
406  //PrintRawDataFp(stdout, buf + seg_offset, seg_len);
407 
408  memcpy(buf + seg_offset, list_data + list_offset, list_len);
409  //PrintRawDataFp(stdout, buf, p->payload_len);
410  }
411  return (check_overlap_different_data && data_is_different);
412 }
413 
414 /** \internal
415  * \brief walk segment tree backwards to see if there are overlaps
416  *
417  * Walk back from the current segment which is already in the tree.
418  * We walk until we can't possibly overlap anymore.
419  */
420 static int DoHandleDataCheckBackwards(TcpStream *stream,
421  TcpSegment *seg, uint8_t *buf, Packet *p)
422 {
423  int retval = 0;
424 
425  SCLogDebug("check tree backwards: insert data for segment %p seq %u len %u re %u",
426  seg, seg->seq, TCP_SEG_LEN(seg), SEG_SEQ_RIGHT_EDGE(seg));
427 
428  /* check backwards */
429  TcpSegment *tree_seg = NULL, *s = seg;
430  RB_FOREACH_REVERSE_FROM(tree_seg, TCPSEG, s) {
431  if (tree_seg == seg)
432  continue;
433 
434  int overlap = 0;
435  if (SEQ_LEQ(SEG_SEQ_RIGHT_EDGE(tree_seg), stream->base_seq)) {
436  // segment entirely before base_seq
437  ;
438  } else if (SEQ_LEQ(tree_seg->seq + tree_seg->payload_len, seg->seq)) {
439  SCLogDebug("list segment too far to the left, no more overlap will be found");
440  break;
441  } else if (SEQ_GT(SEG_SEQ_RIGHT_EDGE(tree_seg), seg->seq)) {
442  overlap = 1;
443  }
444 
445  SCLogDebug("(back) tree seg %u len %u re %u overlap? %s",
446  tree_seg->seq, TCP_SEG_LEN(tree_seg),
447  SEG_SEQ_RIGHT_EDGE(tree_seg), overlap ? "yes" : "no");
448 
449  if (overlap) {
450  retval |= DoHandleDataOverlap(stream, tree_seg, seg, buf, p);
451  }
452  }
453  return retval;
454 }
455 
456 /** \internal
457  * \brief walk segment tree in forward direction to see if there are overlaps
458  *
459  * Walk forward from the current segment which is already in the tree.
460  * We walk until the next segs start with a SEQ beyond our right edge.
461  *
462  * \retval 1 data was different
463  * \retval 0 data was the same
464  */
465 static int DoHandleDataCheckForward(TcpStream *stream,
466  TcpSegment *seg, uint8_t *buf, Packet *p)
467 {
468  int retval = 0;
469 
470  uint32_t seg_re = SEG_SEQ_RIGHT_EDGE(seg);
471 
472  SCLogDebug("check list forward: insert data for segment %p seq %u len %u re %u",
473  seg, seg->seq, TCP_SEG_LEN(seg), seg_re);
474 
475  TcpSegment *tree_seg = NULL, *s = seg;
476  RB_FOREACH_FROM(tree_seg, TCPSEG, s) {
477  if (tree_seg == seg)
478  continue;
479 
480  int overlap = 0;
481  if (SEQ_GT(seg_re, tree_seg->seq))
482  overlap = 1;
483  else if (SEQ_LEQ(seg_re, tree_seg->seq)) {
484  SCLogDebug("tree segment %u too far ahead, "
485  "no more overlaps can happen", tree_seg->seq);
486  break;
487  }
488 
489  SCLogDebug("(fwd) in-tree seg %u len %u re %u overlap? %s",
490  tree_seg->seq, TCP_SEG_LEN(tree_seg),
491  SEG_SEQ_RIGHT_EDGE(tree_seg), overlap ? "yes" : "no");
492 
493  if (overlap) {
494  retval |= DoHandleDataOverlap(stream, tree_seg, seg, buf, p);
495  }
496  }
497  return retval;
498 }
499 
500 /**
501  * \param tree_seg in-tree duplicate of `seg`
502  * \retval res 0 ok, -1 insertion error due to memcap
503  */
504 static int DoHandleData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
505  TcpStream *stream, TcpSegment *seg, TcpSegment *tree_seg, Packet *p)
506 {
507  int result = 0;
508  TcpSegment *handle = seg;
509 
510  SCLogDebug("insert data for segment %p seq %u len %u re %u",
511  seg, seg->seq, TCP_SEG_LEN(seg), SEG_SEQ_RIGHT_EDGE(seg));
512 
513  /* create temporary buffer to contain the data we will insert. Overlap
514  * handling may update it. By using this we don't have to track whether
515  * parts of the data are already inserted or not. */
516  uint8_t buf[p->payload_len];
517  memcpy(buf, p->payload, p->payload_len);
518 
519  /* if tree_seg is set, we have an exact duplicate that we need to check */
520  if (tree_seg) {
521  DoHandleDataOverlap(stream, tree_seg, seg, buf, p);
522  handle = tree_seg;
523  }
524 
525  const bool is_head = !(TCPSEG_RB_PREV(handle));
526  const bool is_tail = !(TCPSEG_RB_NEXT(handle));
527 
528  /* new list head */
529  if (is_head && !is_tail) {
530  result = DoHandleDataCheckForward(stream, handle, buf, p);
531 
532  /* new list tail */
533  } else if (!is_head && is_tail) {
534  result = DoHandleDataCheckBackwards(stream, handle, buf, p);
535 
536  /* middle of the list */
537  } else if (!is_head && !is_tail) {
538  result = DoHandleDataCheckBackwards(stream, handle, buf, p);
539  result |= DoHandleDataCheckForward(stream, handle, buf, p);
540  }
541 
542  /* we had an overlap with different data */
543  if (result) {
546  }
547 
548  /* insert the temp buffer now that we've (possibly) updated
549  * it to account for the overlap policies */
550  int res = InsertSegmentDataCustom(stream, handle, buf, p->payload_len);
551  if (res < 0) {
552  if (res == -1) {
554  }
555  return -1;
556  }
557 
558  return 0;
559 }
560 
561 /** \internal
562  * \brief Add the header data to the segment
563  * \param rp packet to take the headers from. Might differ from `pp` in tunnels.
564  * \param pp packet to take the payload size from.
565  */
566 static void StreamTcpSegmentAddPacketDataDo(TcpSegment *seg, const Packet *rp, const Packet *pp)
567 {
568  if (GET_PKT_DATA(rp) != NULL && GET_PKT_LEN(rp) > pp->payload_len) {
569  seg->pcap_hdr_storage->ts.tv_sec = rp->ts.tv_sec;
570  seg->pcap_hdr_storage->ts.tv_usec = rp->ts.tv_usec;
572  /*
573  * pkt_hdr members are initially allocated 64 bytes of memory. Thus,
574  * need to check that this is sufficient and allocate more memory if
575  * not.
576  */
577  if (seg->pcap_hdr_storage->pktlen > seg->pcap_hdr_storage->alloclen) {
578  uint8_t *tmp_pkt_hdr = StreamTcpReassembleRealloc(seg->pcap_hdr_storage->pkt_hdr,
580  if (tmp_pkt_hdr == NULL) {
581  SCLogDebug("Failed to realloc");
582  seg->pcap_hdr_storage->ts.tv_sec = 0;
583  seg->pcap_hdr_storage->ts.tv_usec = 0;
584  seg->pcap_hdr_storage->pktlen = 0;
585  return;
586  } else {
587  seg->pcap_hdr_storage->pkt_hdr = tmp_pkt_hdr;
589  }
590  }
591  memcpy(seg->pcap_hdr_storage->pkt_hdr, GET_PKT_DATA(rp),
592  (size_t)GET_PKT_LEN(rp) - pp->payload_len);
593  } else {
594  seg->pcap_hdr_storage->ts.tv_sec = 0;
595  seg->pcap_hdr_storage->ts.tv_usec = 0;
596  seg->pcap_hdr_storage->pktlen = 0;
597  }
598 }
599 
600 /**
601  * \brief Adds the following information to the TcpSegment from the current
602  * packet being processed: time values, packet length, and the
603  * header data of the packet. This information is added to the TcpSegment so
604  * that it can be used in pcap capturing (log-pcap-stream) to dump the tcp
605  * session at the beginning of the pcap capture.
606  * \param seg TcpSegment where information is being stored.
607  * \param p Packet being processed.
608  * \param tv Thread-specific variables.
609  * \param ra_ctx TcpReassembly thread-specific variables
610  */
611 static void StreamTcpSegmentAddPacketData(
613 {
614  if (seg->pcap_hdr_storage == NULL || seg->pcap_hdr_storage->pkt_hdr == NULL) {
615  return;
616  }
617 
618  if (IS_TUNNEL_PKT(p) && !IS_TUNNEL_ROOT_PKT(p)) {
619  Packet *rp = p->root;
620  StreamTcpSegmentAddPacketDataDo(seg, rp, p);
621  } else {
622  StreamTcpSegmentAddPacketDataDo(seg, p, p);
623  }
624 }
625 
626 /**
627  * \return 0 ok
628  * \return -1 segment not inserted due to memcap issue
629  *
630  * \param seg segment, this function takes total ownership
631  *
632  * In case of error, this function returns the segment to the pool
633  */
635  TcpStream *stream, TcpSegment *seg, Packet *p,
636  uint32_t pkt_seq, uint8_t *pkt_data, uint16_t pkt_datalen)
637 {
638  SCEnter();
639 
640  TcpSegment *dup_seg = NULL;
641 
642  /* insert segment into list. Note: doesn't handle the data */
643  int r = DoInsertSegment (stream, seg, &dup_seg, p);
644 
646  StreamTcpSegmentAddPacketData(seg, p, tv, ra_ctx);
647  }
648 
649  if (likely(r == 0)) {
650  /* no overlap, straight data insert */
651  int res = InsertSegmentDataCustom(stream, seg, pkt_data, pkt_datalen);
652  if (res < 0) {
653  if (res == -1) {
655  }
657  StreamTcpRemoveSegmentFromStream(stream, seg);
659  if (res == -1) {
660  SCReturnInt(-ENOMEM);
661  }
662  SCReturnInt(-1);
663  }
664 
665  } else if (r == 1 || r == 2) {
666  SCLogDebug("overlap (%s%s)", r == 1 ? "normal" : "", r == 2 ? "duplicate" : "");
667 
668  if (r == 2) {
669  SCLogDebug("dup_seg %p", dup_seg);
670  }
671 
672  /* XXX should we exclude 'retransmissions' here? */
674 
675  /* now let's consider the data in the overlap case */
676  int res = DoHandleData(tv, ra_ctx, stream, seg, dup_seg, p);
677  if (res < 0) {
679 
680  if (r == 1) // r == 2 mean seg wasn't added to stream
681  StreamTcpRemoveSegmentFromStream(stream, seg);
682 
684  SCReturnInt(-1);
685  }
686  if (r == 2) {
687  SCLogDebug("duplicate segment %u/%u, discard it",
688  seg->seq, seg->payload_len);
689 
691 #ifdef DEBUG
692  if (SCLogDebugEnabled()) {
693  TcpSegment *s = NULL, *safe = NULL;
694  RB_FOREACH_SAFE(s, TCPSEG, &stream->seg_tree, safe)
695  {
696  SCLogDebug("tree: seg %p, SEQ %"PRIu32", LEN %"PRIu16", SUM %"PRIu32"%s%s%s",
697  s, s->seq, TCP_SEG_LEN(s),
698  (uint32_t)(s->seq + TCP_SEG_LEN(s)),
699  s->seq == seg->seq ? " DUPLICATE" : "",
700  TCPSEG_RB_PREV(s) == NULL ? " HEAD" : "",
701  TCPSEG_RB_NEXT(s) == NULL ? " TAIL" : "");
702  }
703  }
704 #endif
705  }
706  }
707 
708  SCReturnInt(0);
709 }
710 
711 
712 /*
713  * Pruning & removal
714  */
715 
716 
717 static inline bool SegmentInUse(const TcpStream *stream, const TcpSegment *seg)
718 {
719  /* if proto detect isn't done, we're not returning */
720  if (!(stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY)) {
722  SCReturnInt(true);
723  }
724  }
725 
726  SCReturnInt(false);
727 }
728 
729 
730 /** \internal
731  * \brief check if we can remove a segment from our segment list
732  *
733  * \retval true
734  * \retval false
735  */
736 static inline bool StreamTcpReturnSegmentCheck(const TcpStream *stream, const TcpSegment *seg)
737 {
738  if (SegmentInUse(stream, seg)) {
739  SCReturnInt(false);
740  }
741 
742  if (!(StreamingBufferSegmentIsBeforeWindow(&stream->sb, &seg->sbseg))) {
743  SCReturnInt(false);
744  }
745 
746  SCReturnInt(true);
747 }
748 
749 static inline uint64_t GetLeftEdgeForApp(Flow *f, TcpSession *ssn, TcpStream *stream)
750 {
751  const FramesContainer *frames_container = AppLayerFramesGetContainer(f);
752  if (frames_container == NULL)
753  return STREAM_APP_PROGRESS(stream);
754 
755  const Frames *frames =
756  stream == &ssn->client ? &frames_container->toserver : &frames_container->toclient;
757  // const uint64_t x = FramesLeftEdge(stream, frames);
758  // BUG_ON(x != (frames->left_edge_rel + STREAM_BASE_OFFSET(stream)));
759  // return x;
760  const uint64_t o = (uint64_t)frames->left_edge_rel + STREAM_BASE_OFFSET(stream);
761  SCLogDebug(
762  "%s: frames left edge: %" PRIu64, &ssn->client == stream ? "toserver" : "toclient", o);
763  return o;
764 }
765 
766 static inline uint64_t GetLeftEdge(Flow *f, TcpSession *ssn, TcpStream *stream)
767 {
768  uint64_t left_edge = 0;
769  const bool use_app = !(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
770  const bool use_raw = !(stream->flags & STREAMTCP_STREAM_FLAG_DISABLE_RAW);
771  const bool use_log = stream_config.streaming_log_api;
772  SCLogDebug("use_app %d use_raw %d use_log %d", use_app, use_raw, use_log);
773 
774  if (use_raw) {
775  uint64_t raw_progress = STREAM_RAW_PROGRESS(stream);
776 
777  if (StreamTcpInlineMode() == TRUE) {
778  uint32_t chunk_size = (stream == &ssn->client) ?
781  if (raw_progress < (uint64_t)chunk_size) {
782  raw_progress = 0;
783  } else {
784  raw_progress -= (uint64_t)chunk_size;
785  }
786  }
787 
788  /* apply min inspect depth: if it is set we need to keep data
789  * before the raw progress. */
790  if (use_app && stream->min_inspect_depth && ssn->state < TCP_CLOSED) {
791  if (raw_progress < stream->min_inspect_depth)
792  raw_progress = 0;
793  else
794  raw_progress -= stream->min_inspect_depth;
795 
796  SCLogDebug("stream->min_inspect_depth %u, raw_progress %"PRIu64,
797  stream->min_inspect_depth, raw_progress);
798  }
799 
800  if (use_app) {
801  const uint64_t app_le = GetLeftEdgeForApp(f, ssn, stream);
802  left_edge = MIN(app_le, raw_progress);
803  SCLogDebug("left_edge %" PRIu64 ", using both app:%" PRIu64 ", raw:%" PRIu64, left_edge,
804  app_le, raw_progress);
805  } else {
806  left_edge = raw_progress;
807  SCLogDebug("left_edge %"PRIu64", using only raw:%"PRIu64,
808  left_edge, raw_progress);
809  }
810  } else if (use_app) {
811  const uint64_t app_le = GetLeftEdgeForApp(f, ssn, stream);
812  left_edge = app_le;
813  SCLogDebug("left_edge %" PRIu64 ", using only app:%" PRIu64, left_edge, app_le);
814  } else {
815  left_edge = STREAM_BASE_OFFSET(stream) + stream->sb.buf_offset;
816  SCLogDebug("no app & raw: left_edge %"PRIu64" (full stream)", left_edge);
817  }
818 
819  if (use_log) {
820  if (use_app || use_raw) {
821  left_edge = MIN(left_edge, STREAM_LOG_PROGRESS(stream));
822  } else {
823  left_edge = STREAM_LOG_PROGRESS(stream);
824  }
825  }
826 
827  uint64_t last_ack_abs = STREAM_BASE_OFFSET(stream);
828  if (STREAM_LASTACK_GT_BASESEQ(stream)) {
829  last_ack_abs += (stream->last_ack - stream->base_seq);
830  }
831  /* in IDS mode we shouldn't see the base_seq pass last_ack */
832  DEBUG_VALIDATE_BUG_ON(last_ack_abs < left_edge && StreamTcpInlineMode() == FALSE && !f->ffr &&
833  ssn->state < TCP_CLOSED);
834  left_edge = MIN(left_edge, last_ack_abs);
835 
836  /* if we're told to look for overlaps with different data we should
837  * consider data that is ack'd as well. Injected packets may have
838  * been ack'd or injected packet may be too late. */
839  if (StreamTcpInlineMode() == FALSE && check_overlap_different_data) {
840  const uint32_t window = stream->window ? stream->window : 4096;
841  if (window < left_edge)
842  left_edge -= window;
843  else
844  left_edge = 0;
845 
846  SCLogDebug("stream:%p left_edge %"PRIu64, stream, left_edge);
847  }
848 
849  if (left_edge > 0) {
850  /* we know left edge based on the progress values now,
851  * lets adjust it to make sure in-use segments still have
852  * data */
853  TcpSegment *seg = NULL;
854  RB_FOREACH(seg, TCPSEG, &stream->seg_tree) {
855  if (TCP_SEG_OFFSET(seg) > left_edge) {
856  SCLogDebug("seg beyond left_edge, we're done");
857  break;
858  }
859 
860  if (SegmentInUse(stream, seg)) {
861  left_edge = TCP_SEG_OFFSET(seg);
862  SCLogDebug("in-use seg before left_edge, adjust to %"PRIu64" and bail", left_edge);
863  break;
864  }
865  }
866  }
867 
868  return left_edge;
869 }
870 
871 static void StreamTcpRemoveSegmentFromStream(TcpStream *stream, TcpSegment *seg)
872 {
873  RB_REMOVE(TCPSEG, &stream->seg_tree, seg);
874 }
875 
876 /** \brief Remove idle TcpSegments from TcpSession
877  *
878  * Checks app progress and raw progress and progresses them
879  * if needed, slides the streaming buffer, then gets rid of
880  * excess segments.
881  *
882  * \param f flow
883  * \param flags direction flags
884  */
886 {
887  SCEnter();
888 
889  if (f == NULL || f->protoctx == NULL) {
890  SCReturn;
891  }
892 
893  TcpSession *ssn = f->protoctx;
894  TcpStream *stream = NULL;
895 
896  if (flags & STREAM_TOSERVER) {
897  stream = &ssn->client;
898  } else if (flags & STREAM_TOCLIENT) {
899  stream = &ssn->server;
900  } else {
901  SCReturn;
902  }
903 
905  return;
906  }
907 
910  SCLogDebug("ssn %p / stream %p: reassembly depth reached, "
911  "STREAMTCP_STREAM_FLAG_NOREASSEMBLY set", ssn, stream);
913  StreamingBufferClear(&stream->sb);
914  return;
915 
916  } else if ((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) &&
918  SCLogDebug("ssn %p / stream %p: both app and raw are done, "
919  "STREAMTCP_STREAM_FLAG_NOREASSEMBLY set", ssn, stream);
922  StreamingBufferClear(&stream->sb);
923  return;
924  }
925 
926  const uint64_t left_edge = GetLeftEdge(f, ssn, stream);
927  if (left_edge && left_edge > STREAM_BASE_OFFSET(stream)) {
928  uint32_t slide = left_edge - STREAM_BASE_OFFSET(stream);
929  SCLogDebug("buffer sliding %u to offset %"PRIu64, slide, left_edge);
930 
932  AppLayerFramesSlide(f, slide, flags & (STREAM_TOSERVER | STREAM_TOCLIENT));
933  }
934  StreamingBufferSlideToOffset(&stream->sb, left_edge);
935  stream->base_seq += slide;
936 
937  if (slide <= stream->app_progress_rel) {
938  stream->app_progress_rel -= slide;
939  } else {
940  stream->app_progress_rel = 0;
941  }
942  if (slide <= stream->raw_progress_rel) {
943  stream->raw_progress_rel -= slide;
944  } else {
945  stream->raw_progress_rel = 0;
946  }
947  if (slide <= stream->log_progress_rel) {
948  stream->log_progress_rel -= slide;
949  } else {
950  stream->log_progress_rel = 0;
951  }
952 
953  SCLogDebug("stream base_seq %u at stream offset %"PRIu64,
954  stream->base_seq, STREAM_BASE_OFFSET(stream));
955  }
956 
957  /* loop through the segments and remove all not in use */
958  TcpSegment *seg = NULL, *safe = NULL;
959  RB_FOREACH_SAFE(seg, TCPSEG, &stream->seg_tree, safe)
960  {
961  SCLogDebug("seg %p, SEQ %"PRIu32", LEN %"PRIu16", SUM %"PRIu32,
962  seg, seg->seq, TCP_SEG_LEN(seg),
963  (uint32_t)(seg->seq + TCP_SEG_LEN(seg)));
964 
965  if (StreamTcpReturnSegmentCheck(stream, seg) == 0) {
966  SCLogDebug("not removing segment");
967  break;
968  }
969 
970  StreamTcpRemoveSegmentFromStream(stream, seg);
972  SCLogDebug("removed segment");
973  continue;
974  }
975 
976  SCReturn;
977 }
978 
979 
980 /*
981  * unittests
982  */
983 
984 #ifdef UNITTESTS
985 #include "tests/stream-tcp-list.c"
986 #endif
StreamTcpSetEvent
#define StreamTcpSetEvent(p, e)
Definition: stream-tcp-private.h:261
TcpStream_
Definition: stream-tcp-private.h:106
StreamingBuffer_::buf_offset
uint32_t buf_offset
Definition: util-streaming-buffer.h:99
RB_GENERATE
RB_GENERATE(TCPSEG, TcpSegment, rb, TcpSegmentCompare)
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:167
StreamTcpSegmentReturntoPool
void StreamTcpSegmentReturntoPool(TcpSegment *seg)
Function to return the segment back to the pool.
Definition: stream-tcp-reassemble.c:369
IsTcpSessionDumpingEnabled
bool IsTcpSessionDumpingEnabled(void)
Definition: stream-tcp-reassemble.c:89
TCP_SEG_LEN
#define TCP_SEG_LEN(seg)
Definition: stream-tcp-private.h:94
stream-tcp-inline.h
stream-tcp.h
RB_REMOVE
#define RB_REMOVE(name, x, y)
Definition: tree.h:773
StreamTcpReassembleInsertSegment
int StreamTcpReassembleInsertSegment(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpStream *stream, TcpSegment *seg, Packet *p, uint32_t pkt_seq, uint8_t *pkt_data, uint16_t pkt_datalen)
Definition: stream-tcp-list.c:634
TcpStream_::seg_tree
struct TCPSEG seg_tree
Definition: stream-tcp-private.h:135
OS_POLICY_MACOS
@ OS_POLICY_MACOS
Definition: stream-tcp-reassemble.h:45
TcpStream_::log_progress_rel
uint32_t log_progress_rel
Definition: stream-tcp-private.h:128
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
OS_POLICY_OLD_LINUX
@ OS_POLICY_OLD_LINUX
Definition: stream-tcp-reassemble.h:38
Packet_::payload
uint8_t * payload
Definition: decode.h:567
StreamTcpInlineMode
int StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:6576
FramesContainer::toserver
Frames toserver
Definition: app-layer-frames.h:71
OS_POLICY_IRIX
@ OS_POLICY_IRIX
Definition: stream-tcp-reassemble.h:44
TcpStream_::os_policy
uint8_t os_policy
Definition: stream-tcp-private.h:110
Flow_
Flow data structure.
Definition: flow.h:356
TcpSegment::sbseg
StreamingBufferSegment sbseg
Definition: stream-tcp-private.h:77
StreamTcpReassembleConfigEnableOverlapCheck
void StreamTcpReassembleConfigEnableOverlapCheck(void)
Definition: stream-tcp-list.c:40
IS_TUNNEL_ROOT_PKT
#define IS_TUNNEL_ROOT_PKT(p)
Definition: decode.h:793
StreamingBufferGetData
int StreamingBufferGetData(const StreamingBuffer *sb, const uint8_t **data, uint32_t *data_len, uint64_t *stream_offset)
Definition: util-streaming-buffer.c:857
StreamTcpInlineSegmentReplacePacket
void StreamTcpInlineSegmentReplacePacket(const TcpStream *stream, Packet *p, const TcpSegment *seg)
Replace (part of) the payload portion of a packet by the data in a TCP segment.
Definition: stream-tcp-inline.c:113
rust.h
TcpReassemblyThreadCtx_::counter_tcp_reass_overlap
uint16_t counter_tcp_reass_overlap
Definition: stream-tcp-reassemble.h:76
MIN
#define MIN(x, y)
Definition: suricata-common.h:380
Frames
Definition: app-layer-frames.h:56
FramesContainer
Definition: app-layer-frames.h:70
stream-tcp-reassemble.h
TcpSegment::seq
uint32_t seq
Definition: stream-tcp-private.h:75
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:107
STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA
@ STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA
Definition: decode-events.h:289
TcpReassemblyThreadCtx_::counter_tcp_reass_overlap_diff_data
uint16_t counter_tcp_reass_overlap_diff_data
Definition: stream-tcp-reassemble.h:78
TcpStreamCnf_::streaming_log_api
bool streaming_log_api
Definition: stream-tcp.h:66
Frames::left_edge_rel
uint32_t left_edge_rel
Definition: app-layer-frames.h:59
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:115
Flow_::protoctx
void * protoctx
Definition: flow.h:454
stream_offset
uint64_t stream_offset
Definition: util-streaming-buffer.h:1
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:568
STREAMTCP_STREAM_FLAG_DEPTH_REACHED
#define STREAMTCP_STREAM_FLAG_DEPTH_REACHED
Definition: stream-tcp-private.h:216
TcpSegmentPcapHdrStorage_::pktlen
uint32_t pktlen
Definition: stream-tcp-private.h:67
TcpSession_::flags
uint16_t flags
Definition: stream-tcp-private.h:281
STREAM_LOG_PROGRESS
#define STREAM_LOG_PROGRESS(stream)
Definition: stream-tcp-private.h:146
StreamingBufferClear
void StreamingBufferClear(StreamingBuffer *sb)
Definition: util-streaming-buffer.c:131
TCP_SEG_OFFSET
#define TCP_SEG_OFFSET(seg)
Definition: stream-tcp-private.h:95
TcpReassemblyThreadCtx_::counter_tcp_reass_data_normal_fail
uint16_t counter_tcp_reass_data_normal_fail
Definition: stream-tcp-reassemble.h:80
TcpStream_::last_ack
uint32_t last_ack
Definition: stream-tcp-private.h:115
FramesContainer::toclient
Frames toclient
Definition: app-layer-frames.h:72
RB_EMPTY
#define RB_EMPTY(head)
Definition: tree.h:327
StreamTcpReassembleRealloc
void * StreamTcpReassembleRealloc(void *optr, size_t orig_size, size_t size)
Definition: stream-tcp-reassemble.c:223
StreamingBufferSegmentIsBeforeWindow
int StreamingBufferSegmentIsBeforeWindow(const StreamingBuffer *sb, const StreamingBufferSegment *seg)
Definition: util-streaming-buffer.c:739
STREAM_BASE_OFFSET
#define STREAM_BASE_OFFSET(stream)
Definition: stream-tcp-private.h:143
TcpStream_::min_inspect_depth
uint32_t min_inspect_depth
Definition: stream-tcp-private.h:130
TcpSegmentCompare
int TcpSegmentCompare(struct TcpSegment *a, struct TcpSegment *b)
compare function for the Segment tree
Definition: stream-tcp-list.c:51
util-print.h
OS_POLICY_BSD
@ OS_POLICY_BSD
Definition: stream-tcp-reassemble.h:36
RB_FOREACH_SAFE
#define RB_FOREACH_SAFE(x, name, head, y)
Definition: tree.h:791
SCEnter
#define SCEnter(...)
Definition: util-debug.h:298
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:216
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:274
TcpStream_::segs_right_edge
uint32_t segs_right_edge
Definition: stream-tcp-private.h:136
AppLayerFramesSlide
void AppLayerFramesSlide(Flow *f, const uint32_t slide, const uint8_t direction)
Definition: app-layer-frames.c:329
stream-tcp-list.h
StreamTcpPruneSession
void StreamTcpPruneSession(Flow *f, uint8_t flags)
Remove idle TcpSegments from TcpSession.
Definition: stream-tcp-list.c:885
TRUE
#define TRUE
Definition: suricata-common.h:33
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:289
RB_FOREACH
#define RB_FOREACH(x, name, head)
Definition: tree.h:781
FALSE
#define FALSE
Definition: suricata-common.h:34
SCReturn
#define SCReturn
Definition: util-debug.h:300
TcpSegment
Definition: stream-tcp-private.h:72
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:291
Packet_
Definition: decode.h:425
AppLayerFramesGetContainer
FramesContainer * AppLayerFramesGetContainer(Flow *f)
Definition: app-layer-parser.c:185
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:215
stream-tcp-private.h
TcpStream_::window
uint32_t window
Definition: stream-tcp-private.h:117
SEG_SEQ_RIGHT_EDGE
#define SEG_SEQ_RIGHT_EDGE(seg)
Definition: stream-tcp-private.h:97
IS_TUNNEL_PKT
#define IS_TUNNEL_PKT(p)
Definition: decode.h:790
StreamTcpReturnStreamSegments
void StreamTcpReturnStreamSegments(TcpStream *stream)
return all segments in this stream into the pool(s)
Definition: stream-tcp-reassemble.c:386
TcpSegment::payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:74
TcpStream_::raw_progress_rel
uint32_t raw_progress_rel
Definition: stream-tcp-private.h:127
stream-tcp-list.c
TCP_CLOSED
@ TCP_CLOSED
Definition: stream-tcp-private.h:161
Flow_::ffr
uint8_t ffr
Definition: flow.h:396
app-layer-frames.h
SEQ_GEQ
#define SEQ_GEQ(a, b)
Definition: stream-tcp-private.h:253
flags
uint8_t flags
Definition: decode-gre.h:0
OS_POLICY_HPUX10
@ OS_POLICY_HPUX10
Definition: stream-tcp-reassemble.h:42
Packet_::ts
struct timeval ts
Definition: decode.h:468
suricata-common.h
SEQ_GT
#define SEQ_GT(a, b)
Definition: stream-tcp-private.h:252
util-streaming-buffer.h
TcpSegmentPcapHdrStorage_::ts
struct timeval ts
Definition: stream-tcp-private.h:66
TcpStream_::base_seq
uint32_t base_seq
Definition: stream-tcp-private.h:124
TcpStream_::sb
StreamingBuffer sb
Definition: stream-tcp-private.h:134
TcpSegmentPcapHdrStorage_::alloclen
uint32_t alloclen
Definition: stream-tcp-private.h:68
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:285
OS_POLICY_SOLARIS
@ OS_POLICY_SOLARIS
Definition: stream-tcp-reassemble.h:41
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
OS_POLICY_WINDOWS
@ OS_POLICY_WINDOWS
Definition: stream-tcp-reassemble.h:46
TcpStreamCnf_::reassembly_toclient_chunk_size
uint16_t reassembly_toclient_chunk_size
Definition: stream-tcp.h:64
util-validate.h
StreamTcpInlineSegmentCompare
int StreamTcpInlineSegmentCompare(const TcpStream *stream, const Packet *p, const TcpSegment *seg)
Compare the shared data portion of two segments.
Definition: stream-tcp-inline.c:48
Packet_::root
struct Packet_ * root
Definition: decode.h:612
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:284
TcpSegmentPcapHdrStorage_::pkt_hdr
uint8_t * pkt_hdr
Definition: stream-tcp-private.h:69
OS_POLICY_LAST
@ OS_POLICY_LAST
Definition: stream-tcp-reassemble.h:50
StreamingBufferSlideToOffset
void StreamingBufferSlideToOffset(StreamingBuffer *sb, uint64_t offset)
slide to absolute offset
Definition: util-streaming-buffer.c:531
TcpSegment::pcap_hdr_storage
TcpSegmentPcapHdrStorage * pcap_hdr_storage
Definition: stream-tcp-private.h:78
SEQ_LT
#define SEQ_LT(a, b)
Definition: stream-tcp-private.h:250
TcpStream_::app_progress_rel
uint32_t app_progress_rel
Definition: stream-tcp-private.h:126
OS_POLICY_LINUX
@ OS_POLICY_LINUX
Definition: stream-tcp-reassemble.h:39
TcpReassemblyThreadCtx_::counter_tcp_reass_data_overlap_fail
uint16_t counter_tcp_reass_data_overlap_fail
Definition: stream-tcp-reassemble.h:81
SEQ_EQ
#define SEQ_EQ(a, b)
Definition: stream-tcp-private.h:249
OS_POLICY_HPUX11
@ OS_POLICY_HPUX11
Definition: stream-tcp-reassemble.h:43
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:59
StreamingBufferInsertAt
int StreamingBufferInsertAt(StreamingBuffer *sb, StreamingBufferSegment *seg, const uint8_t *data, uint32_t data_len, uint64_t offset)
Definition: util-streaming-buffer.c:677
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:199
STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition: stream-tcp-private.h:212
OS_POLICY_WINDOWS2K3
@ OS_POLICY_WINDOWS2K3
Definition: stream-tcp-reassemble.h:48
SEQ_LEQ
#define SEQ_LEQ(a, b)
Definition: stream-tcp-private.h:251
RB_FOREACH_REVERSE_FROM
#define RB_FOREACH_REVERSE_FROM(x, name, y)
Definition: tree.h:801
STREAMTCP_STREAM_FLAG_DISABLE_RAW
#define STREAMTCP_STREAM_FLAG_DISABLE_RAW
Definition: stream-tcp-private.h:231
likely
#define likely(expr)
Definition: util-optimize.h:32
STREAM_APP_PROGRESS
#define STREAM_APP_PROGRESS(stream)
Definition: stream-tcp-private.h:144
TcpSession_
Definition: stream-tcp-private.h:272
RB_FOREACH_FROM
#define RB_FOREACH_FROM(x, name, y)
Definition: tree.h:786
StreamingBufferSegmentGetData
void StreamingBufferSegmentGetData(const StreamingBuffer *sb, const StreamingBufferSegment *seg, const uint8_t **data, uint32_t *data_len)
Definition: util-streaming-buffer.c:810
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:302
TcpReassemblyThreadCtx_::counter_tcp_segment_memcap
uint16_t counter_tcp_segment_memcap
Definition: stream-tcp-reassemble.h:65
SCLogDebugEnabled
int SCLogDebugEnabled(void)
Returns whether debug messages are enabled to be logged or not.
Definition: util-debug.c:636
TcpStreamCnf_::reassembly_toserver_chunk_size
uint16_t reassembly_toserver_chunk_size
Definition: stream-tcp.h:63
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
STREAM_RAW_PROGRESS
#define STREAM_RAW_PROGRESS(stream)
Definition: stream-tcp-private.h:145