]> git.ipfire.org Git - thirdparty/suricata.git/commitdiff
flow: only move lastts forward
authorVictor Julien <victor@inliniac.net>
Mon, 23 Dec 2019 15:09:51 +0000 (16:09 +0100)
committerVictor Julien <victor@inliniac.net>
Thu, 6 Aug 2020 09:43:46 +0000 (11:43 +0200)
Pcaps with timestamps jumping around could confuse flow timeout
handling otherwise.

src/flow.c

index a0e637ed94d49fa0abc6df9ce554e05c3dd3779c..49dc4a2e373041900a753b4d22068a9653a06026 100644 (file)
@@ -440,7 +440,8 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p, ThreadVars *tv, DecodeThreadVars
     if (state != FLOW_STATE_CAPTURE_BYPASSED) {
 #endif
         /* update the last seen timestamp of this flow */
-        COPY_TIMESTAMP(&p->ts, &f->lastts);
+        if (timercmp(&p->ts, &f->lastts, >))
+            COPY_TIMESTAMP(&p->ts, &f->lastts);
 #ifdef CAPTURE_OFFLOAD
     } else {
         /* still seeing packet, we downgrade to local bypass */