git.ipfire.org Git - thirdparty/suricata.git/commit

author	Victor Julien <victor@inliniac.net>
	Thu, 21 Nov 2019 13:47:04 +0000 (14:47 +0100)
committer	Victor Julien <victor@inliniac.net>
	Fri, 13 Dec 2019 12:13:28 +0000 (13:13 +0100)
commit	9f0294fadca3dcc18c919424242a41e01f3e8318
tree	02e4ebfcd1c78a1dce74d8429e5936003dd8e33d	tree
parent	9bcc1118e18076ac401d9fd47ee20e8fdc9837f3	commit \| diff

stream: fix SYN_SENT RST/FIN injection

RST injection during the SYN_SENT state could trick Suricata into marking
a session as CLOSED. The way this was done is: using invalid TSECR value
in RST+ACK packet. The ACK was needed to force Linux into considering the
TSECR value and compare it to the TSVAL from the SYN packet.

The second works only against Windows. The client would not use a TSVAL
but the RST packet would. Windows will reject this, but Suricata considered
the RST valid and triggered the CLOSED logic.

This patch addresses both. When the SYN packet used timestamp support
the timestamp of incoming packet is validated. Otherwise, packet responding
should not have a timestamp.

Bug #3286

Reported-by: Nicolas Adba