[ipfire-2.x.git] / src / patches / suricata / suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch

From 511648b3d7a4b5a5b4d55b92dffd63fcb23903a0 Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri, 19 Nov 2021 17:17:47 +0000
Subject: [PATCH] stream: tcp: Handle retransmitted SYN with TSval

For connections that use TCP timestamps for which the first SYN packet
does not reach the server, any replies to retransmitted SYNs will be
tropped.

This is happening in StateSynSentValidateTimestamp, where the timestamp
value in a SYN-ACK packet must match the one from the SYN packet.
However, since the server never received the first SYN packet, it will
respond with an updated timestamp from any of the following SYN packets.

The timestamp value inside suricata is not being updated at any time
which should happen. This patch fixes that problem.

This problem was introduced in 9f0294fadca3dcc18c919424242a41e01f3e8318.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/stream-tcp.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index 1cff19fa5..af681760b 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -1641,6 +1641,23 @@ static int StreamTcpPacketStateSynSent(ThreadVars *tv, Packet *p,
                     "ssn->client.last_ack %"PRIu32"", ssn,
                     ssn->client.isn, ssn->client.next_seq,
                     ssn->client.last_ack);
+        } else if (PKT_IS_TOSERVER(p)) {
+            /*
+	     * On retransmitted SYN packets, the timestamp value must be updated,
+	     * to avoid dropping any SYN+ACK packets that respond to a retransmitted SYN
+	     * with an updated timestamp in StateSynSentValidateTimestamp.
+	     */
+            if ((ssn->client.flags & STREAMTCP_STREAM_FLAG_TIMESTAMP) && TCP_HAS_TS(p)) {
+                uint32_t ts_val = TCP_GET_TSVAL(p);
+
+                // Check whether packets have been received in the correct order (only ever update)
+                if (ssn->client.last_ts < ts_val) {
+                    ssn->client.last_ts = ts_val;
+                    ssn->client.last_pkt_ts = p->ts.tv_sec;
+                }
+
+                SCLogDebug("ssn %p: Retransmitted SYN. Updated timestamp from packet %"PRIu64, ssn, p->pcap_cnt);
+            }
         }
 
         /** \todo check if it's correct or set event */
-- 
2.30.2
Commit	Line	Data
73d18835 MT	1	From 511648b3d7a4b5a5b4d55b92dffd63fcb23903a0 Mon Sep 17 00:00:00 2001
	2	From: Michael Tremer <michael.tremer@ipfire.org>
	3	Date: Fri, 19 Nov 2021 17:17:47 +0000
	4	Subject: [PATCH] stream: tcp: Handle retransmitted SYN with TSval
	5
	6	For connections that use TCP timestamps for which the first SYN packet
	7	does not reach the server, any replies to retransmitted SYNs will be
	8	tropped.
	9
	10	This is happening in StateSynSentValidateTimestamp, where the timestamp
	11	value in a SYN-ACK packet must match the one from the SYN packet.
	12	However, since the server never received the first SYN packet, it will
	13	respond with an updated timestamp from any of the following SYN packets.
	14
	15	The timestamp value inside suricata is not being updated at any time
	16	which should happen. This patch fixes that problem.
	17
	18	This problem was introduced in 9f0294fadca3dcc18c919424242a41e01f3e8318.
	19
	20	Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
	21	---
	22	src/stream-tcp.c \| 17 +++++++++++++++++
	23	1 file changed, 17 insertions(+)
	24
	25	diff --git a/src/stream-tcp.c b/src/stream-tcp.c
	26	index 1cff19fa5..af681760b 100644
	27	--- a/src/stream-tcp.c
	28	+++ b/src/stream-tcp.c
30f306a3	29	@@ -1641,6 +1641,23 @@ static int StreamTcpPacketStateSynSent(ThreadVars tv, Packet p,
73d18835 MT	30	"ssn->client.last_ack %"PRIu32"", ssn,
	31	ssn->client.isn, ssn->client.next_seq,
	32	ssn->client.last_ack);
	33	+ } else if (PKT_IS_TOSERVER(p)) {
	34	+ /*
	35	+ * On retransmitted SYN packets, the timestamp value must be updated,
	36	+ * to avoid dropping any SYN+ACK packets that respond to a retransmitted SYN
	37	+ * with an updated timestamp in StateSynSentValidateTimestamp.
	38	+ */
	39	+ if ((ssn->client.flags & STREAMTCP_STREAM_FLAG_TIMESTAMP) && TCP_HAS_TS(p)) {
	40	+ uint32_t ts_val = TCP_GET_TSVAL(p);
	41	+
	42	+ // Check whether packets have been received in the correct order (only ever update)
	43	+ if (ssn->client.last_ts < ts_val) {
	44	+ ssn->client.last_ts = ts_val;
	45	+ ssn->client.last_pkt_ts = p->ts.tv_sec;
	46	+ }
	47	+
	48	+ SCLogDebug("ssn %p: Retransmitted SYN. Updated timestamp from packet %"PRIu64, ssn, p->pcap_cnt);
	49	+ }
	50	}
	51
	52	/** \todo check if it's correct or set event */
	53	--
	54	2.30.2
	55