Project

General

Profile

Actions

Bug #1107

closed

flow timeout causes decoders to run on pseudo packets

Added by Victor Julien about 10 years ago. Updated about 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The flow timeout code injects packets into the decoders. It does so to guarantee the 'autofp' runmode will then send the pseudo packets to the correct stream+detect thread. The side effect is however, that the decoders run for this pseudo packet.

This has several unwanted side effects:
  • decoder counters are incremented
  • flow engine is invoked even though the packet already has a flow reference
  • unnecessary cycles are spent on all this
#4  0x00000000008358cb in FlowHandlePacket (tv=0x30750c0, p=0x7fcbb87307e0) at flow.c:250
#5  0x000000000052b06b in DecodeTCP (tv=0x30750c0, dtv=0x7fcbf8010eb0, p=0x7fcbb87307e0, pkt=0x7fcbb8730fac "\037\220\341>\025Ĉդ\214\215\250P\020\n", len=20, pq=0x31c0980) at decode-tcp.c:206
#6  0x000000000050d926 in DecodeIPV4 (tv=0x30750c0, dtv=0x7fcbf8010eb0, p=0x7fcbb87307e0, pkt=0x7fcbb8730f98 "E", len=40, pq=0x31c0980) at decode-ipv4.c:557
#7  0x00000000005252fc in DecodeRaw (tv=0x30750c0, dtv=0x7fcbf8010eb0, p=0x7fcbb87307e0, pkt=0x7fcbb8730f98 "E", len=40, pq=0x31c0980) at decode-raw.c:58
#8  0x00000000008c2bd2 in DecodePcapFile (tv=0x30750c0, p=0x7fcbb87307e0, data=0x7fcbf8010eb0, pq=0x31c0980, postpq=0x0) at source-pcap-file.c:412
#9  0x000000000095f2a1 in TmThreadsSlotVarRun (tv=0x30750c0, p=0x7fcbb87307e0, slot=0x31c0940) at tm-threads.c:559
#10 0x000000000083fd4b in TmThreadsSlotProcessPkt (tv=0x30750c0, s=0x31c0940, p=0x7fcbb87307e0) at tm-threads.h:142
#11 0x00000000008400d9 in FlowForceReassemblyFlushPendingPseudoPackets () at flow-timeout.c:88
#12 0x0000000000842814 in FlowForceReassembly () at flow-timeout.c:676
#13 0x00000000009553cf in main (argc=10, argv=0x7fff5de7d9f8) at suricata.c:2294

This is a complex sub-system, so the fix for the 2.0 release will be a hack. Each of the decoder entry points will bail out quickly when such a pseudo packet is encountered.

Actions #1

Updated by Victor Julien about 10 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100
Actions

Also available in: Atom PDF