From 6262df905d2333354339c9d339146a8d2abb5b3b Mon Sep 17 00:00:00 2001
From: Andy Wick
Date: Wed, 10 Jan 2024 16:33:37 -0500
Subject: [PATCH] improve quic classification (#2592)
---
 CHANGELOG | 1 +
 capture/parsers/quic.c | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 990e683962..9af66eb356 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -77,6 +77,7 @@ NOTICE: Create a parliament config file before upgrading (see https://arkime.com
 - #2553 fix rules range matching not working always
 - #2554 support fieldSet tcpflag rules
 - #2576 support different dlt for pcap-over-ip
+ - #2592 fix sometimes not identifying quic protocol correctly
 ## Cont3xt
 - #2121 new bulk UI and support for bulk queries
 - #2271 lots of keyboard shortcut improvements
diff --git a/capture/parsers/quic.c b/capture/parsers/quic.c
index d9419056ef..4f572b0e6c 100644
--- a/capture/parsers/quic.c
+++ b/capture/parsers/quic.c
@@ -403,7 +403,7 @@ LOCAL void quic_ietf_udp_classify(ArkimeSession_t *session, const uint8_t *data,
 // Source
 int slen = 0;
 BSB_IMPORT_u08(bsb, slen);
- if (slen != 0)
+ if (slen > 16)
 return;
 BSB_IMPORT_skip(bsb, slen);
@@ -413,7 +413,7 @@ LOCAL void quic_ietf_udp_classify(ArkimeSession_t *session, const uint8_t *data,
 // Length
 uint32_t packet_len = quic_get_number(&bsb);
- if (packet_len != BSB_REMAINING(bsb)) {
+ if (packet_len < 100 || packet_len > BSB_REMAINING(bsb)) {
 char ipStr[200];
 arkime_session_pretty_string(session, ipStr, sizeof(ipStr));
 LOG("Couldn't parse header packet len %u remaining %ld %s", packet_len, (long)BSB_REMAINING(bsb), ipStr);
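Review bot: The new bound `if (slen > 16)` in the first quic.c hunk is tighter than the 20-byte connection-ID limit RFC 9000 sets for QUIC version 1, so a long-header packet with a 17–20 byte source connection ID would still return early and leave the session unclassified. On a capture sensor an unclassified flow is a visibility gap, so the bound is worth tying to the spec: `if (slen > 20)` with a comment such as `// RFC 9000: connection IDs are at most 20 bytes in QUIC v1`, or, if 16 is deliberate, a comment saying why. The destination connection-ID check and the rest of quic_ietf_udp_classify lie outside the hunk, so whether they use the same limit cannot be confirmed from here.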
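Review bot: The `packet_len < 100` floor in the second quic.c hunk is an unexplained magic number, and the LOG call below it now reports too-short packets with the same "Couldn't parse header packet len" text as truncated ones, which makes the log line ambiguous when triaging. The function appears to run on UDP payloads not yet known to be QUIC, and the relaxed source-ID check lets more of them reach this branch, so the unconditional LOG can become noisy on ordinary non-QUIC traffic; keeping it at debug level or rate-limiting it would bound that (the hunk shows no such gate). A comment such as `// Length covers packet number + payload; under 100 bytes is treated as not a QUIC Initial` (confirm the intended rationale) would document the threshold. The `if` block closes outside the hunk.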