With data on SYN, the sequence number used for the first data
was off by one, causing the following segments to appear to come
after a one-byte gap.
TCP_SEG_LEN(seg) = size;
seg->seq = TCP_GET_SEQ(p);
+ /* HACK: for TFO SYN packets the seq for data starts at + 1 */
+ if (TCP_HAS_TFO(p) && p->payload_len && p->tcph->th_flags == TH_SYN)
+ seg->seq += 1;
+
/* proto detection skipped, but now we do get data. Set event. */
if (RB_EMPTY(&stream->seg_tree) &&
stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED) {
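Review bot: The exact comparison `p->tcph->th_flags == TH_SYN` in the added condition only matches a SYN with no other flag bits set. A TFO SYN that also carries, for example, the ECE/CWR bits used for ECN negotiation would skip the adjustment and keep the one-byte gap this commit is meant to remove, leaving the following data behind a reassembly gap for inspection. Testing the bit instead, `if (TCP_HAS_TFO(p) && p->payload_len && (p->tcph->th_flags & TH_SYN))`, avoids that. Whether SYN/ACK packets carrying data should take the same path depends on how `TCP_HAS_TFO` is set, which is not visible in this hunk. The `HACK` comment could also say why the offset is needed, e.g. `/* SYN consumes one sequence number, so TFO payload starts at ISN + 1 */`; the enclosing function starts and ends outside the hunk.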