[IPFIX] Fix parsing when using buffered (TCP) input

When using a TCP input, packets' data are buffered before logstash tries do decode them. Therefore, our decode() function will receive chunks of "random" sizes, that might contain 1.4 PDU, 3 PDUs, etc. If we blindly consume the whole payload, the next call will most likely parse the middle of a PDU, which will result in an error. This commit makes sure each call consumes the data of 1 PDU, even if there are more trailing data.
logstash-plugins · Jul 12, 2021 · bf3f262 · bf3f262
1 parent e7d1119
commit bf3f262
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/lib/logstash/codecs/netflow.rb b/lib/logstash/codecs/netflow.rb
@@ -101,6 +101,11 @@ def decode(payload, metadata = nil, &block)
     elsif header.version == 10
 #     BinData::trace_reading do
       flowset = IpfixPDU.read(payload)
+      if flowset.pdu_length > payload.length()
+        # When using TCP, we might receive 1.5 PDU, due to bufferization
+        # If so, we consume just 1 PDU and leave the rest for later calls
+        payload = payload.slice!(flowset.pdu_length..payload.length()-1)
+      end
       flowset.records.each do |record|
         decode_ipfix(flowset, record).each { |event| yield(event) }
       end