Actions
Bug #1107
closedflow timeout causes decoders to run on pseudo packets
Affected Versions:
Effort:
Difficulty:
Label:
Description
The flow timeout code injects packets into the decoders. It does so to guarantee the 'autofp' runmode will then send the pseudo packets to the correct stream+detect thread. The side effect is however, that the decoders run for this pseudo packet.
This has several unwanted side effects:- decoder counters are incremented
- flow engine is invoked even though the packet already has a flow reference
- unnecessary cycles are spent on all this
#4 0x00000000008358cb in FlowHandlePacket (tv=0x30750c0, p=0x7fcbb87307e0) at flow.c:250 #5 0x000000000052b06b in DecodeTCP (tv=0x30750c0, dtv=0x7fcbf8010eb0, p=0x7fcbb87307e0, pkt=0x7fcbb8730fac "\037\220\341>\025Ĉդ\214\215\250P\020\n", len=20, pq=0x31c0980) at decode-tcp.c:206 #6 0x000000000050d926 in DecodeIPV4 (tv=0x30750c0, dtv=0x7fcbf8010eb0, p=0x7fcbb87307e0, pkt=0x7fcbb8730f98 "E", len=40, pq=0x31c0980) at decode-ipv4.c:557 #7 0x00000000005252fc in DecodeRaw (tv=0x30750c0, dtv=0x7fcbf8010eb0, p=0x7fcbb87307e0, pkt=0x7fcbb8730f98 "E", len=40, pq=0x31c0980) at decode-raw.c:58 #8 0x00000000008c2bd2 in DecodePcapFile (tv=0x30750c0, p=0x7fcbb87307e0, data=0x7fcbf8010eb0, pq=0x31c0980, postpq=0x0) at source-pcap-file.c:412 #9 0x000000000095f2a1 in TmThreadsSlotVarRun (tv=0x30750c0, p=0x7fcbb87307e0, slot=0x31c0940) at tm-threads.c:559 #10 0x000000000083fd4b in TmThreadsSlotProcessPkt (tv=0x30750c0, s=0x31c0940, p=0x7fcbb87307e0) at tm-threads.h:142 #11 0x00000000008400d9 in FlowForceReassemblyFlushPendingPseudoPackets () at flow-timeout.c:88 #12 0x0000000000842814 in FlowForceReassembly () at flow-timeout.c:676 #13 0x00000000009553cf in main (argc=10, argv=0x7fff5de7d9f8) at suricata.c:2294
This is a complex sub-system, so the fix for the 2.0 release will be a hack. Each of the decoder entry points will bail out quickly when such a pseudo packet is encountered.
Updated by Victor Julien almost 11 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
Fixed through https://github.com/inliniac/suricata/pull/836
Actions