]> git.ipfire.org Git - thirdparty/suricata.git/commitdiff
projects / thirdparty / suricata.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7b547c7)
tcp: fix 'broken ack' on flow timeout
authorVictor Julien <vjulien@oisf.net>
Mon, 27 May 2024 13:57:38 +0000 (15:57 +0200)
committerVictor Julien <victor@inliniac.net>
Sat, 31 Aug 2024 09:39:02 +0000 (11:39 +0200)
Don't set an ACK value if ACK flag is no longer set. This avoids a bogus
`pkt_broken_ack` event set.

Fixes: ebf465a11bff ("tcp: do not assign TCP flags to pseudopackets")
Ticket: #7158.
(cherry picked from commit a404fd26af64f60e8eaa86419a11393d7c4bfdda)

src/flow-timeout.c patch | blob | blame | history
src/stream-tcp.c patch | blob | blame | history

diff --git a/src/flow-timeout.c b/src/flow-timeout.c
index 6efa3827a72f20634d9807b458c5cd9d184c2df6..aaa38be27ac5cf82a098675e831c3a3e2f614a5c 100644 (file)
--- a/src/flow-timeout.c
+++ b/src/flow-timeout.c
@@ -223,7 +223,7 @@ static inline Packet *FlowForceReassemblyPseudoPacketSetup(Packet *p,
         p->tcph->th_dport = htons(f->dp);
 
         p->tcph->th_seq = htonl(ssn->client.next_seq);
-        p->tcph->th_ack = htonl(ssn->server.last_ack);
+        p->tcph->th_ack = 0;
 
         /* to client */
     } else {
@@ -231,7 +231,7 @@ static inline Packet *FlowForceReassemblyPseudoPacketSetup(Packet *p,
         p->tcph->th_dport = htons(f->sp);
 
         p->tcph->th_seq = htonl(ssn->server.next_seq);
-        p->tcph->th_ack = htonl(ssn->client.last_ack);
+        p->tcph->th_ack = 0;
     }
 
     if (FLOW_IS_IPV4(f)) {
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index d76a0593a0d29a2db7539543fa276958bb3653b7..158c41dd39edea045f1204ce28fd27fb5f4a60d8 100644 (file)
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -5369,10 +5369,8 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
          * we care about reassembly here. */
         if (p->flags & PKT_PSEUDO_STREAM_END) {
             if (PKT_IS_TOCLIENT(p)) {
-                ssn->client.last_ack = TCP_GET_ACK(p);
                 StreamTcpReassembleHandleSegment(tv, stt->ra_ctx, ssn, &ssn->server, p);
             } else {
-                ssn->server.last_ack = TCP_GET_ACK(p);
                 StreamTcpReassembleHandleSegment(tv, stt->ra_ctx, ssn, &ssn->client, p);
             }
             /* straight to 'skip' as we already handled reassembly */
Mirror of https://github.com/OISF/suricata.git