Bug #7252

closed

stream/reassemble: GetBlock implies gap without searching the entire tree for block

Added by Shivani Bhardwaj 2 months ago. Updated 2 months ago.

Status: Rejected
Priority: Normal

Description

GetBlock fn has this logic:

    for ( ; blk != NULL; blk = SBB_RB_NEXT(blk)) {
        if (blk->offset >= offset) {
            return blk;
        } else if ((blk->offset + blk->len) > offset) {
            return blk;
        }
    }
    return NULL;

This means that the moment a block with an offset greater than the asked offset was found, it was returned.

In the caller, therefore, the following is done:

    /* block past out offset */
    else if (blk->offset > offset) {
        SCLogDebug("gap, want data at offset %"PRIu64", "
                "got data at %"PRIu64". GAP of size %"PRIu64,
                offset, blk->offset, blk->offset - offset);
        *data = NULL;
        *data_len = blk->offset - offset;
    }

and then, the data offset is adjusted as per some gap handling logic.

This is incorrect because the point of the GetBlock fn is to get the block containing a given offset. The entire tree should have been searched for the given offset instead of returning the first block greater than or equal to the given offset.
Note that if a block has an offset equal to the given offset, it is perfect. It is incorrect in the other case, i.e. when the block offset is greater than the given offset.
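
The lookup and gap check quoted in this report, modelled as an added example that is not Suricata's code and not part of the original report. It assumes the blocks are visited in ascending offset order starting from the lowest block (a sorted array stands in for the `SBB_RB_NEXT` traversal); `struct blk`, `get_block`, `find_containing` and `gap_before` are hypothetical names. It runs the quoted logic next to an exhaustive search for a containing block over a constructed layout, so the two results can be compared offset by offset.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a stream buffer block: covers [offset, offset+len). */
struct blk { uint64_t offset; uint32_t len; };

/* Decision logic of the quoted loop. Assumption: b[] is sorted by ascending offset. */
static const struct blk *get_block(const struct blk *b, size_t n, uint64_t offset)
{
    for (size_t i = 0; i < n; i++) {
        if (b[i].offset >= offset)
            return &b[i];                 /* starts at or after the wanted offset */
        else if (b[i].offset + b[i].len > offset)
            return &b[i];                 /* starts before it, but covers it */
    }
    return NULL;
}

/* Exhaustive search: any block, anywhere in the set, that contains the offset. */
static const struct blk *find_containing(const struct blk *b, size_t n, uint64_t offset)
{
    for (size_t i = 0; i < n; i++)
        if (b[i].offset <= offset && offset < b[i].offset + b[i].len)
            return &b[i];
    return NULL;
}

/* Caller-side check from the second snippet: size of the gap in front of the
 * returned block, or 0 when data starts at/before the offset or nothing was returned. */
static uint64_t gap_before(const struct blk *r, uint64_t offset)
{
    return (r != NULL && r->offset > offset) ? r->offset - offset : 0;
}

/* Constructed layout: data at [0,10), [20,30) and [50,60). */
static const struct blk sample[] = { {0, 10}, {20, 10}, {50, 10} };
#define SAMPLE_N (sizeof(sample) / sizeof(sample[0]))

int main(void)
{
    for (uint64_t off = 0; off < 65; off += 5) {
        const struct blk *g = get_block(sample, SAMPLE_N, off);
        const struct blk *c = find_containing(sample, SAMPLE_N, off);
        printf("want %2llu: get_block=%lld containing=%lld gap=%llu\n",
               (unsigned long long)off, g ? (long long)g->offset : -1LL,
               c ? (long long)c->offset : -1LL, (unsigned long long)gap_before(g, off));
    }
    return 0;
}
```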
