git.ipfire.org Git - thirdparty/suricata.git/commit

author	Victor Julien <vjulien@oisf.net>
	Fri, 20 Sep 2024 07:54:57 +0000 (09:54 +0200)
committer	Victor Julien <victor@inliniac.net>
	Wed, 25 Sep 2024 15:45:18 +0000 (17:45 +0200)
commit	4f59fd94a65c6882f614fed0e21dcb8f37009d71
tree	4d93592ead126b32854a7faf450f5d0887dc9809	tree
parent	04ef7b6174076ec36e3127f573eb3f3576eb15a2	commit \| diff

stream: improve 3whs completed by ACK with data

If the ACK packet completing the 3whs is received, the stream engine will
transition to "established". However, the packet itself will not be tagged
as "established". This will only happen for the next packet after the 3whs,
so that `flow:established` only matches after the 3whs.

It is possible that the ACK packet completing the 3whs was lost. Since the
ACK packets themselves are not acknowledged, there will be no retransmission
of them. Instead, the next packet can have the expected ACK flag as well as
data.

This case was mishandled in a subtle way. The stream engine state transition
was done correctly, as well as the data handling and app-layer updates.
However, the packet itself was not tagged as "established", which meant
that `flow:established` would not yet match.

This patch detects this case and tags the packet as established if ACK
with data is received that completes the 3whs.

Bug: #7264.
(cherry picked from commit 45eb7e48817f0435040c3efc15e66383d78ed71f)