stream gap handling - v5 #2660
stream gap handling - v5 #2660
Conversation
Allow app-layers to register that they can handle gaps. Instead of sending a "signal" on a gap, send the gap flag on the next segment, the app-layer "dispatcher" will check if the app-layer can handle gaps or not, and abort if they can't, otherwise the data along with a gap flag will be sent to the app-layer. The idea is that the parser can then make the decision on what to do with the gap.
On data check if the gap flag is set. If so, check if the data is at the start of frame. This is pretty easy with DNP3 as there is a start frame byte sequence.
On notification of a gap, reprobe the stream. If successful, clear any existing buffer and continue on.
|
This will need a rebase after the stream updates. On a gap, I would like to invoke the app-layer with a value of the number of skipped bytes. So protocols might be able to use to catch up. E.g. HTTP with a content-len field might see that the gap is in a file, but otherwise the HTTP tracking is unaffected. |
|
The gap invocation could perhaps just be a extra call to AppLayerHandleTCPData with data NULL, data_len set to the gap size and flags set to STREAM_GAP. |
Yeah, I was wanting to get all that info into the app-layer, with the new data to skip the extra call, and state tracking required, but that would change the API across all app layer. So perhaps the extra call, and then the app-layer having to set a gap flag for the next call is better. |
|
Closing. See #2696 |
Previous PR: #2619
Changes from last PR:
Requesting comments on this way of handling gaps in the app-layer. There are ifdef's of older code as I'm still using them for reference.. Hence this is just an RFC.
Protocols support gap handling:
There is one stream test case that is broken from these changes tho.
Prscript: