From 5ce39e147d681ba9deeb0172d190562eef223ffe Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 20 Aug 2015 14:48:53 -0700 Subject: [PATCH] clean up sniffer packet overlap issue --- src/sniffer.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/src/sniffer.c b/src/sniffer.c index 938eea225..25a46ef09 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -2429,7 +2429,10 @@ static int AdjustSequence(TcpInfo* tcpInfo, SnifferSession* session, /* adjust to expected, remove duplicate */ *sslFrame += overlap; *sslBytes -= overlap; - + + /* The following conditional block is duplicated below. It is the + * same action but for a different setup case. If changing this + * block be sure to also update the block below. */ if (reassemblyList) { word32 newEnd = *expected + *sslBytes; @@ -2461,6 +2464,30 @@ static int AdjustSequence(TcpInfo* tcpInfo, SnifferSession* session, else if (tcpInfo->fin) return AddFinCapture(session, real); } + else { + /* The following conditional block is duplicated above. It is the + * same action but for a different setup case. If changing this + * block be sure to also update the block above. */ + if (reassemblyList) { + word32 newEnd = *expected + *sslBytes; + + if (newEnd > reassemblyList->begin) { + Trace(OVERLAP_REASSEMBLY_BEGIN_STR); + + /* remove bytes already on reassembly list */ + *sslBytes -= newEnd - reassemblyList->begin; + } + if (newEnd > reassemblyList->end) { + Trace(OVERLAP_REASSEMBLY_END_STR); + + /* may be past reassembly list end (could have more on list) + so try to add what's past the front->end */ + AddToReassembly(session->flags.side, reassemblyList->end +1, + *sslFrame + reassemblyList->end - *expected + 1, + newEnd - reassemblyList->end, session, error); + } + } + } /* got expected sequence */ *expected += *sslBytes; if (tcpInfo->fin)