From 0ada1d561f319ac86f6acdcd9ce890fd646ab54f Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Fri, 13 Oct 2023 13:47:05 +0200 Subject: [PATCH] detect: inspect all packets in multi-layer tunneling When the decoders encounter multiple layers of tunneling, multiple tunnel packets are created. These are then stored in ThreadVars::decode_pq, where they are processed after the current thread "slot" is done. However, due to a logic error, the tunnel packets after the first, where not called for the correct position in the packet pipeline. This would lead to these packets not going through the FlowWorker module, so skipping everything from flow tracking, detection and logging. This would only happen for single and workers, due to how the pipelines are constructed. The "slot" holding the decoder, would contain 2 packets in ThreadVars::decode_pq. Then it would call the pipeline on the first packet with the next slot of the pipeline through a indirect call to TmThreadsSlotVarRun(), so it would be called for the FlowWorker. However when that first (the most inner) packet was done, the call to TmThreadsSlotVarRun() would again service the ThreadVars::decode_pq and process it, again moving the slot pointer forward, so past the FlowWorker. This patch addresses the issue by making sure only a "decode" thread slot will service the ThreadVars::decode_pq, thus never moving the slot past the FlowWorker. Bug: #6402. (cherry picked from commit 15947f21736662ca5997dbc075b4ec9a7f5a304d) --- src/tm-threads.c | 9 ++++++--- src/tm-threads.h | 8 ++++++-- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/src/tm-threads.c b/src/tm-threads.c index f0b2f823b253..6cc111a0faae 100644 --- a/src/tm-threads.c +++ b/src/tm-threads.c @@ -140,9 +140,11 @@ TmEcode TmThreadsSlotVarRun(ThreadVars *tv, Packet *p, TmSlot *slot) TmThreadsSlotProcessPktFail(tv, s, NULL); return TM_ECODE_FAILED; } - - if (TmThreadsProcessDecodePseudoPackets(tv, &tv->decode_pq, s->slot_next) != TM_ECODE_OK) { - return TM_ECODE_FAILED; + if (s->tm_flags & TM_FLAG_DECODE_TM) { + if (TmThreadsProcessDecodePseudoPackets(tv, &tv->decode_pq, s->slot_next) != + TM_ECODE_OK) { + return TM_ECODE_FAILED; + } } } @@ -683,6 +685,7 @@ void TmSlotSetFuncAppend(ThreadVars *tv, TmModule *tm, const void *data) /* we don't have to check for the return value "-1". We wouldn't have * received a TM as arg, if it didn't exist */ slot->tm_id = TmModuleGetIDForTM(tm); + slot->tm_flags |= tm->flags; tv->tmm_flags |= tm->flags; tv->cap_flags |= tm->cap_flags; diff --git a/src/tm-threads.h b/src/tm-threads.h index d68c9230a372..3f901e9d26a9 100644 --- a/src/tm-threads.h +++ b/src/tm-threads.h @@ -62,14 +62,18 @@ typedef struct TmSlot_ { SC_ATOMIC_DECLARE(void *, slot_data); + /** copy of the TmModule::flags */ + uint8_t tm_flags; + + /* store the thread module id */ + int tm_id; + TmEcode (*SlotThreadInit)(ThreadVars *, const void *, void **); void (*SlotThreadExitPrintStats)(ThreadVars *, void *); TmEcode (*SlotThreadDeinit)(ThreadVars *, void *); /* data storage */ const void *slot_initdata; - /* store the thread module id */ - int tm_id; } TmSlot;