In the case of midstream SYN/ACK pickup, we reverse the flow based on
the SYN/ACK. If we then later get traffic that appears to be in the
reverse direction based on the app-layer, we would reverse it again.
This isn't correct. When we have the SYN/ACK we know the flow's real
direction.
(cherry picked from commit fea374626ac9d0dfe69df24958596867f9e42734)
/* if protocol detection indicated that we need to reverse
* the direction of the flow, do it now. We flip the flow,
* packet and the direction flags */
- if (reverse_flow && (ssn->flags & STREAMTCP_FLAG_MIDSTREAM)) {
+ if (reverse_flow &&
+ ((ssn->flags & (STREAMTCP_FLAG_MIDSTREAM | STREAMTCP_FLAG_MIDSTREAM_SYNACK)) ==
+ STREAMTCP_FLAG_MIDSTREAM)) {
/* but only if we didn't already detect it on the other side. */
if (*alproto_otherdir == ALPROTO_UNKNOWN) {
SCLogDebug("reversing flow after proto detect told us so");
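Review bot: the new masked comparison in the `if` is correct but subtle, and the block comment above it ("if protocol detection indicated that we need to reverse the direction of the flow, do it now") no longer describes the full condition; it should state the exception this hunk introduces, namely that a flow picked up on a SYN/ACK (STREAMTCP_FLAG_MIDSTREAM_SYNACK set) already has its real direction and must not be flipped again by app-layer detection. Consider adding a line such as `* Skip this for SYN/ACK midstream pickups: the SYN/ACK already fixed the direction.` so the reason for excluding STREAMTCP_FLAG_MIDSTREAM_SYNACK survives in the code and not only in the commit message.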