stream/tcp: fix fast open off by one

With data on SYN the sequence number used for the first data
was off by one, leading to the next segments to appear to come
after a one byte gap.

(cherry picked from commit b85539b2aba4cc95a2773b71da44821cd225b50a)

diff --git a/src/stream-tcp-reassemble.c b/src/stream-tcp-reassemble.c
index baadd91b1d35d167da93c1edc6a2d93c3de7e7af..bd242b621f036c17cf5391526d208cba859b1d6f 100644 (file)
--- a/src/stream-tcp-reassemble.c
+++ b/src/stream-tcp-reassemble.c
@@ -642,6 +642,10 @@ int StreamTcpReassembleHandleSegmentHandleData(ThreadVars *tv, TcpReassemblyThre
     TCP_SEG_LEN(seg) = size;
     seg->seq = TCP_GET_SEQ(p);
 
+    /* HACK: for TFO SYN packets the seq for data starts at + 1 */
+    if (TCP_HAS_TFO(p) && p->payload_len && p->tcph->th_flags == TH_SYN)
+        seg->seq += 1;
+
     /* proto detection skipped, but now we do get data. Set event. */
     if (RB_EMPTY(&stream->seg_tree) &&
         stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED) {