Pull request #3488: netflow: fix v5 header time value
authorMasud Hasan (mashasan) <mashasan@cisco.com>
Tue, 28 Jun 2022 19:28:13 +0000 (19:28 +0000)
committerMasud Hasan (mashasan) <mashasan@cisco.com>
Tue, 28 Jun 2022 19:28:13 +0000 (19:28 +0000)
Merge in SNORT/snort3 from ~MMATIRKO/snort3:netflow_odds_and_ends to master

Squashed commit of the following:

commit 6cc63741d7f3cee1d0ce8feb449df868d8b9f947
Author: Michael Matirko <mmatirko@cisco.com>
Date:   Tue Jun 28 14:38:57 2022 -0400

    netflow: fix v5 header time value

src/service_inspectors/netflow/netflow.cc

index 4ea6211857959bd72998b34c73270b89fabd7193..39a458c39f3319512aefce312c1b02f0c8e2b1b5 100644 (file)
@@ -253,7 +253,7 @@ static bool version_9_record_update(const unsigned char* data, uint32_t unix_sec
 
             last_pkt_time = ntohl(*(const time_t*)data)/1000;
             // last_pkt_time (LAST_SWITCHED) is defined as the system uptime
-            // at which the flow was seen. If this is == to the current uptime
+            // at which the flow was seen. If this is >= to the current uptime
             // something has gone wrong - use the NetFlow header unix time instead.
             if (last_pkt_time >= sys_uptime)
                 record.last_pkt_second = unix_secs;
@@ -653,6 +653,13 @@ static bool decode_netflow_v5(const unsigned char* data, uint16_t size,
         if ( first_packet > MAX_TIME or last_packet > MAX_TIME or first_packet > last_packet )
             return false;
 
+        // also invalid flow time values, but we can recover from these malformed times
+        if (ntohl(precord->flow_first)/1000 >= header.sys_uptime)
+            first_packet = header.unix_secs;
+
+        if (ntohl(precord->flow_last)/1000 >= header.sys_uptime)
+            last_packet = header.unix_secs;
+
         NetFlowSessionRecord record = {};
 
         // Invalid source IP address provided
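Review bot: The two recovery blocks run after the `first_packet > last_packet` rejection, so if only one endpoint is replaced with `header.unix_secs` (e.g. flow_first is past sys_uptime but flow_last is not) the record can leave this hunk with first_packet > last_packet, which the preceding check was there to exclude; re-check the ordering after the substitutions, `if (first_packet > last_packet) return false;`, or move the recovery above the MAX_TIME check so the existing guard covers the recovered values. Assuming first_packet and last_packet were themselves derived from `precord->flow_first`/`flow_last` above the hunk, recomputing `ntohl(...)/1000` here duplicates that conversion and would be clearer as a comparison against the already-converted locals. The unit of `header.sys_uptime` is not visible in this hunk; the comparison is only meaningful if it has already been converted to seconds to match the `/1000` on the flow timestamps, which is worth confirming against the header decoding. The enclosing decode_netflow_v5 function starts and ends outside the hunk.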