git.ipfire.org Git - people/ms/suricata.git/commit

]> git.ipfire.org Git - people/ms/suricata.git/commit

projects / people / ms / suricata.git / commit

author	Eric Leblond <el@stamus-networks.com>
	Fri, 28 May 2021 10:19:38 +0000 (12:19 +0200)
committer	Victor Julien <victor@inliniac.net>
	Mon, 21 Jun 2021 19:54:36 +0000 (21:54 +0200)
commit	556570f7dd7f21f11cffda5ebcb72738a29cbb90
tree	472dd29e8abed09be4b387190151f3e6e713579d	tree
parent	0d81173d6e912f4be9e3e8f7593d779d8ffed52f	commit \| diff

stream/tcp: don't reject on bad ack

Not using a packet for the streaming analysis when a non zero
ACK value and ACK bit was unset was leading to evasion as it was
possible to start a session with a SYN packet with a non zero ACK
value to see the full TCP stream to escape all stream and application
layer detection.

This addresses CVE-2021-35063.

Fixes: fa692df37 ("stream: reject broken ACK packets")
Ticket: #4504.

src/stream-tcp.c

diff | blob | blame | history

Michael's tree of suricata

RSS Atom