Bug #7252
stream/reassemble: GetBlock implies gap without searching the entire tree for block
Status: closed
Description
GetBlock fn has this logic:

    for ( ; blk != NULL; blk = SBB_RB_NEXT(blk)) {
        if (blk->offset >= offset) {
            return blk;
        } else if ((blk->offset + blk->len) > offset) {
            return blk;
        }
    }
    return NULL;

This means that the moment a block with an offset greater than the asked offset was found, it was returned.
In the caller, therefore, the following is done:

    /* block past out offset */
    else if (blk->offset > offset) {
        SCLogDebug("gap, want data at offset %"PRIu64", "
                   "got data at %"PRIu64". GAP of size %"PRIu64,
                   offset, blk->offset, blk->offset - offset);
        *data = NULL;
        *data_len = blk->offset - offset;
    }

and then, the data offset is adjusted as per some gap handling logic.
This is incorrect because the point of GetBlock fn is to get the block containing a given offset. The entire tree should have been searched for the given offset instead of returning the first block greater than or equal to the given offset.
Note that if a block has offset equal to the given offset, it is perfect. It is incorrect in the other case i.e. the block offset is greater than the given offset.
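
Added example (not Suricata code and not part of the report): a simplified model of the lookup described above, showing the first-match loop reporting a gap for an offset that another block already holds, next to a lookup that checks every block before concluding there is a gap. The `struct blk` array, the function names and the order in which the constructed sample blocks are visited are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a reassembly block covering [offset, offset+len). */
struct blk { uint64_t offset; uint32_t len; };

/* The loop from the report, applied to blocks in the order they are visited. */
static const struct blk *first_match(const struct blk *b, size_t n, uint64_t offset)
{
    for (size_t i = 0; i < n; i++) {
        if (b[i].offset >= offset)
            return &b[i];
        else if (b[i].offset + b[i].len > offset)
            return &b[i];
    }
    return NULL;
}

/* Check every block: prefer one containing the offset; otherwise return the
 * nearest block past it, which is then a real gap. */
static const struct blk *containing(const struct blk *b, size_t n, uint64_t offset)
{
    const struct blk *next = NULL;
    for (size_t i = 0; i < n; i++) {
        if (b[i].offset <= offset && offset < b[i].offset + b[i].len)
            return &b[i];
        if (b[i].offset > offset && (next == NULL || b[i].offset < next->offset))
            next = &b[i];
    }
    return next;
}

/* Caller's test from the report: a returned block past the offset means a gap. */
static uint64_t gap_len(const struct blk *blk, uint64_t offset)
{
    return (blk != NULL && blk->offset > offset) ? blk->offset - offset : 0;
}

/* Constructed sample in assumed visiting order: the block holding offset 150
 * is reached after a block that starts beyond 150. */
static const struct blk sample[] = { {200, 50}, {100, 100}, {400, 10} };
#define SAMPLE_N (sizeof(sample) / sizeof(sample[0]))

int main(void)
{
    printf("first match gap at 150: %llu\n",
           (unsigned long long)gap_len(first_match(sample, SAMPLE_N, 150), 150));
    printf("full search gap at 150: %llu\n",
           (unsigned long long)gap_len(containing(sample, SAMPLE_N, 150), 150));
    return 0;
}
```
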