Add ACK validation to Reset/RST validation code.
authorVictor Julien <victor@inliniac.net>
Mon, 10 Jan 2011 21:07:36 +0000 (22:07 +0100)
committerVictor Julien <victor@inliniac.net>
Mon, 10 Jan 2011 21:07:36 +0000 (22:07 +0100)
src/decode-events.h
src/stream-tcp.c

index 96810e324126b4d5ad871b8636be384f8dacf5e9..69ea27d7d2708af2ba0f2c9d8ca8305ec8c3c249 100644 (file)
@@ -171,6 +171,7 @@ enum {
     STREAM_TIMEWAIT_INVALID_ACK,
     STREAM_PKT_INVALID_TIMESTAMP,
     STREAM_PKT_INVALID_ACK,
+    STREAM_RST_INVALID_ACK,
 
     /* should always be last! */
     DECODE_EVENT_MAX,
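Review bot: `STREAM_RST_INVALID_ACK` is added to the enum, but the commit's file list names only `src/decode-events.h` and `src/stream-tcp.c`, and this is the only hunk shown for the header, so no event-name registration accompanies the new value. If this tree maps rule keyword names to these enum values in a separate table, the event would be set on packets by `StreamTcpSetEvent()` but could not be selected from a rule until an entry is added there. It is worth confirming that the mapping exists for the new value, so that rejected resets are visible to detection rather than only in debug logs.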
index 540746ad5ab78469c76386efcace172fdee142dd..1cd9e6aa48f84250c55ee1758302f510bdbe399b 100644 (file)
@@ -3399,11 +3399,24 @@ static int ValidReset(TcpSession *ssn, Packet *p)
             StreamTcpSetOSPolicy(&ssn->server, p);
 
         os_policy = ssn->server.os_policy;
+
+        if (StreamTcpValidateAck(&ssn->server, p) == -1) {
+            SCLogDebug("ssn %p: rejecting because of invalid ack value", ssn);
+            StreamTcpSetEvent(p, STREAM_RST_INVALID_ACK);
+            SCReturnInt(-1);
+        }
+
     } else {
         if (ssn->client.os_policy == 0)
             StreamTcpSetOSPolicy(&ssn->client, p);
 
         os_policy = ssn->client.os_policy;
+
+        if (StreamTcpValidateAck(&ssn->client, p) == -1) {
+            SCLogDebug("ssn %p: rejecting because of invalid ack value", ssn);
+            StreamTcpSetEvent(p, STREAM_RST_INVALID_ACK);
+            SCReturnInt(-1);
+        }
     }
 
     switch (os_policy) {
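Review bot: Both added `StreamTcpValidateAck()` calls, in the to-server branch and in the `else` branch, run for every RST, but a RST sent without the ACK flag carries no meaningful acknowledgment number. Unless `StreamTcpValidateAck()` checks the flag itself, which is not visible in this hunk, such a reset would be rejected with `STREAM_RST_INVALID_ACK`. The tracker would then keep a session that the endpoints have already torn down, leaving sensor and host state out of step. Consider gating both calls on the flag, for example `if ((p->tcph->th_flags & TH_ACK) && StreamTcpValidateAck(&ssn->server, p) == -1) {`, and the same with `&ssn->client` in the other branch. `ValidReset` starts before and continues after this hunk, so any earlier flag check is not visible here.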