detect: inspect all packets in multi-layer tunneling

victorjulien · victorjulien · commit 15947f217366 · 2023-10-16T21:16:37.000+02:00
When the decoders encounter multiple layers of tunneling, multiple tunnel packets are created. These are then stored in ThreadVars::decode_pq, where they are processed after the current thread "slot" is done. However, due to a logic error, the tunnel packets after the first, where not called for the correct position in the packet pipeline. This would lead to these packets not going through the FlowWorker module, so skipping everything from flow tracking, detection and logging. This would only happen for single and workers, due to how the pipelines are constructed. The "slot" holding the decoder, would contain 2 packets in ThreadVars::decode_pq. Then it would call the pipeline on the first packet with the next slot of the pipeline through a indirect call to TmThreadsSlotVarRun(), so it would be called for the FlowWorker. However when that first (the most inner) packet was done, the call to TmThreadsSlotVarRun() would again service the ThreadVars::decode_pq and process it, again moving the slot pointer forward, so past the FlowWorker. This patch addresses the issue by making sure only a "decode" thread slot will service the ThreadVars::decode_pq, thus never moving the slot past the FlowWorker. Bug: OISF#6402.
diff --git a/src/tm-threads.c b/src/tm-threads.c
@@ -142,9 +142,11 @@ TmEcode TmThreadsSlotVarRun(ThreadVars *tv, Packet *p, TmSlot *slot)
             TmThreadsSlotProcessPktFail(tv, s, NULL);
             return TM_ECODE_FAILED;
         }
-
-        if (TmThreadsProcessDecodePseudoPackets(tv, &tv->decode_pq, s->slot_next) != TM_ECODE_OK) {
-            return TM_ECODE_FAILED;
+        if (s->tm_flags & TM_FLAG_DECODE_TM) {
+            if (TmThreadsProcessDecodePseudoPackets(tv, &tv->decode_pq, s->slot_next) !=
+                    TM_ECODE_OK) {
+                return TM_ECODE_FAILED;
+            }
         }
     }
 
@@ -661,6 +663,7 @@ void TmSlotSetFuncAppend(ThreadVars *tv, TmModule *tm, const void *data)
     /* we don't have to check for the return value "-1".  We wouldn't have
      * received a TM as arg, if it didn't exist */
     slot->tm_id = TmModuleGetIDForTM(tm);
+    slot->tm_flags |= tm->flags;
 
     tv->tmm_flags |= tm->flags;
     tv->cap_flags |= tm->cap_flags;
diff --git a/src/tm-threads.h b/src/tm-threads.h
@@ -63,14 +63,18 @@ typedef struct TmSlot_ {
 
     SC_ATOMIC_DECLARE(void *, slot_data);
 
+    /** copy of the TmModule::flags */
+    uint8_t tm_flags;
+
+    /* store the thread module id */
+    int tm_id;
+
     TmEcode (*SlotThreadInit)(ThreadVars *, const void *, void **);
     void (*SlotThreadExitPrintStats)(ThreadVars *, void *);
     TmEcode (*SlotThreadDeinit)(ThreadVars *, void *);
 
     /* data storage */
     const void *slot_initdata;
-    /* store the thread module id */
-    int tm_id;
 
 } TmSlot;
 
