Pull request #4004: stream_tcp: examine whether a segment plugs a hole before blockin...

Merge in SNORT/snort3 from ~JALIIMRA/snort3:seglist_window to master

Squashed commit of the following:

commit 872c4d9796db0b8099005542889da60d353fc8af
Author: Juweria Ali Imran <jaliimra@cisco.com>
Date:   Mon Sep 11 11:56:03 2023 -0400

    stream_tcp: examine whether a segment plugs a hole before blocking due to exceeding queue_limit

diff --git a/src/stream/tcp/tcp_reassembler.cc b/src/stream/tcp/tcp_reassembler.cc
index 13d94b5fdfe5ea454fbb14dfd7c64e9747bbfeab..043426263c08e20ff217f8c80292ce5c4909e7e5 100644 (file)
--- a/src/stream/tcp/tcp_reassembler.cc
+++ b/src/stream/tcp/tcp_reassembler.cc
@@ -972,6 +972,26 @@ void TcpReassembler::fallback(TcpStreamTracker& tracker, bool server_side)
     }
 }
 
+bool TcpReassembler::segment_within_seglist_window(TcpReassemblerState& trs, TcpSegmentDescriptor& tsd)
+{
+    uint32_t start, end = (trs.sos.seglist.tail->i_seq + trs.sos.seglist.tail->i_len);
+
+    if ( SEQ_LT(trs.sos.seglist_base_seq, trs.sos.seglist.head->i_seq) )
+        start = trs.sos.seglist_base_seq;
+    else
+        start = trs.sos.seglist.head->i_seq;
+
+    // Left side
+    if ( SEQ_LEQ(tsd.get_end_seq(), start) )
+        return false;
+
+    // Right side
+    if ( SEQ_GEQ(tsd.get_seq(), end) )
+        return false;
+
+    return true;
+}
+
 void TcpReassembler::check_first_segment_hole(TcpReassemblerState& trs)
 {
     if ( SEQ_LT(trs.sos.seglist_base_seq, trs.sos.seglist.head->c_seq)

diff --git a/src/stream/tcp/tcp_reassembler.h b/src/stream/tcp/tcp_reassembler.h
index b83f28d2ce50799b42e7e63b0ec4136ec0d64bf7..4177953a1e9805da911da5bf0a05486def9717b0 100644 (file)
--- a/src/stream/tcp/tcp_reassembler.h
+++ b/src/stream/tcp/tcp_reassembler.h
@@ -52,6 +52,7 @@ public:
     virtual int update_alert(TcpReassemblerState&, uint32_t gid, uint32_t sid,
         uint32_t event_id, uint32_t event_second);
     virtual void purge_alerts(TcpReassemblerState&);
+    virtual bool segment_within_seglist_window(TcpReassemblerState&, TcpSegmentDescriptor&);
 
     uint32_t perform_partial_flush(TcpReassemblerState&, snort::Flow*, snort::Packet*&);
 

diff --git a/src/stream/tcp/tcp_reassemblers.h b/src/stream/tcp/tcp_reassemblers.h
index 0dda94eefe23bdf97a91d2c99d5d96dc2f15d15d..927e05753d7ebc4ad34b66f02ef25706b1966443 100644 (file)
--- a/src/stream/tcp/tcp_reassemblers.h
+++ b/src/stream/tcp/tcp_reassemblers.h
@@ -124,6 +124,9 @@ public:
     void set_norm_mode_test()
     { trs.sos.tcp_ips_data = NORM_MODE_TEST; }
 
+    bool segment_within_seglist_window(TcpSegmentDescriptor& tsd)
+    { return reassembler->segment_within_seglist_window(trs, tsd); }
+
     uint32_t perform_partial_flush(snort::Flow* flow, snort::Packet*& p)
     { return reassembler->perform_partial_flush(trs, flow, p); }
 

diff --git a/src/stream/tcp/tcp_session.cc b/src/stream/tcp/tcp_session.cc
index 43b4f238c5f56a44eda9de3a1ee838d9b7d59d7c..670bfc153fe1577f55bfd1ea7118a33835d425bc 100644 (file)
--- a/src/stream/tcp/tcp_session.cc
+++ b/src/stream/tcp/tcp_session.cc
@@ -346,6 +346,9 @@ bool TcpSession::flow_exceeds_config_thresholds(TcpSegmentDescriptor& tsd)
                     (const_cast<tcp::TCPHdr*>(tsd.get_pkt()->ptrs.tcph))->set_seq(listener->max_queue_seq_nxt);
             }
 
+            if( listener->reassembler.segment_within_seglist_window(tsd) )
+                return false;
+
             if ( inline_mode || listener->normalizer.get_trim_win() == NORM_MODE_ON)
             {
                 tsd.get_pkt()->active->set_drop_reason("stream");
@@ -378,6 +381,9 @@ bool TcpSession::flow_exceeds_config_thresholds(TcpSegmentDescriptor& tsd)
                     (const_cast<tcp::TCPHdr*>(tsd.get_pkt()->ptrs.tcph))->set_seq(listener->max_queue_seq_nxt);
             }
 
+            if( listener->reassembler.segment_within_seglist_window(tsd) )
+                return false;
+
             if ( inline_mode || listener->normalizer.get_trim_win() == NORM_MODE_ON)
             {
                 tsd.get_pkt()->active->set_drop_reason("stream");