tcp: don't set event on empty SACK opt

TCP_OPT_INVALID_LEN was set if the opt len was 2. While useless
an empty SACK is not uncommon.

Seen on an iOS device talking to an Apple server.

Bug #3254.

diff --git a/src/decode-tcp.c b/src/decode-tcp.c
index ce95ddce5d959b3470781cbc6bddbff3e07f4ab7..0d464bbe7b08cbfb78b31647bf7315a1b44a4a3c 100644 (file)
--- a/src/decode-tcp.c
+++ b/src/decode-tcp.c
@@ -138,9 +138,10 @@ static void DecodeTCPOptions(Packet *p, const uint8_t *pkt, uint16_t pktlen)
                     break;
                 case TCP_OPT_SACK:
                     SCLogDebug("SACK option, len %u", olen);
-                    if (olen < TCP_OPT_SACK_MIN_LEN ||
+                    if ((olen != 2) &&
+                           (olen < TCP_OPT_SACK_MIN_LEN ||
                             olen > TCP_OPT_SACK_MAX_LEN ||
-                            !((olen - 2) % 8 == 0))
+                            !((olen - 2) % 8 == 0)))
                     {
                         ENGINE_SET_EVENT(p,TCP_OPT_INVALID_LEN);
                     } else {