Pull request #4268: stream_tcp: drop packet with invalid sequence number if NAP polic...

Merge in SNORT/snort3 from ~JALIIMRA/snort3:invalid_seq_ack to master

Squashed commit of the following:

commit 58ca09ddd93559039948ecc86a6af1ceac868200
Author: Juweria Ali Imran <jaliimra@cisco.com>
Date:   Tue Apr 2 08:49:01 2024 -0400

    stream_tcp: drop packet with invalid sequence number if NAP policy is inline and fix sequence number comparisons

diff --git a/src/stream/tcp/tcp_normalizer.cc b/src/stream/tcp/tcp_normalizer.cc
index 7a72fa28143f418f65fce3e3737e8606f2f7d827..da8e9ba15830674844c355e44dc9625b1dff0f2b 100644 (file)
--- a/src/stream/tcp/tcp_normalizer.cc
+++ b/src/stream/tcp/tcp_normalizer.cc
@@ -48,9 +48,10 @@ TcpNormalizer::NormStatus TcpNormalizer::apply_normalizations(
         // drop packet if sequence num is invalid
         if ( !tns.tracker->is_segment_seq_valid(tsd) )
         {
+            bool inline_mode = tsd.is_nap_policy_inline();
             tcpStats.invalid_seq_num++;
-            log_drop_reason(tns, tsd, false, "normalizer", "Normalizer: Sequence number is invalid\n");
-            trim_win_payload(tns, tsd);
+            log_drop_reason(tns, tsd, inline_mode, "normalizer", "Normalizer: Sequence number is invalid\n");
+            trim_win_payload(tns, tsd, 0, inline_mode);
             return NORM_BAD_SEQ;
         }
 

diff --git a/src/stream/tcp/tcp_reassembler.cc b/src/stream/tcp/tcp_reassembler.cc
index f0fdd58b1b0988b4d95c70ba742ddca3381e7c70..726cf6cd040bfbca257ebaf0d0557a1f47d1742e 100644 (file)
--- a/src/stream/tcp/tcp_reassembler.cc
+++ b/src/stream/tcp/tcp_reassembler.cc
@@ -1427,7 +1427,7 @@ void TcpReassembler::insert_segment_in_seglist(
     if ( trs.sos.keep_segment )
     {
         if ( !trs.sos.left and trs.sos.right and
-            paf_initialized(&trs.paf_state) and trs.paf_state.pos > tsd.get_seq() )
+            paf_initialized(&trs.paf_state) and SEQ_GT(trs.paf_state.pos, tsd.get_seq()) )
         {
             return;
         }

diff --git a/src/stream/tcp/tcp_segment_node.h b/src/stream/tcp/tcp_segment_node.h
index d3e76835dabb5c246f3c6bda94121f9ff9b42dff..3e58f0eacc94d0dd6fd386750e2fd27dbafb921d 100644 (file)
--- a/src/stream/tcp/tcp_segment_node.h
+++ b/src/stream/tcp/tcp_segment_node.h
@@ -56,9 +56,9 @@ public:
     bool is_packet_missing(uint32_t to_seq)
     {
         if ( next )
-            return (i_seq + i_len) != next->i_seq;
+            return !(SEQ_EQ((i_seq + i_len), next->i_seq));
         else
-            return (c_seq + c_len) < to_seq;
+            return SEQ_LT((c_seq + c_len), to_seq);
     }
 
     void update_ressembly_lengths(uint16_t bytes)

diff --git a/src/stream/tcp/tcp_stream_tracker.cc b/src/stream/tcp/tcp_stream_tracker.cc
index f2cc11a2d5af10aa7f6c58052d3113465f098692..e982a2c2990bbb4a8a853350e0b8538c09365f2f 100644 (file)
--- a/src/stream/tcp/tcp_stream_tracker.cc
+++ b/src/stream/tcp/tcp_stream_tracker.cc
@@ -484,7 +484,7 @@ void TcpStreamTracker::update_tracker_ack_recv(TcpSegmentDescriptor& tsd)
     if ( SEQ_GT(tsd.get_ack(), snd_una) )
     {
         snd_una = tsd.get_ack();
-        if ( snd_nxt < snd_una )
+        if ( SEQ_LT(snd_nxt, snd_una) )
             snd_nxt = snd_una;
     }
     if ( !tsd.get_len() and snd_wnd == 0