stream/midstream: fix double flow reverse case

In the case of midstream SYN/ACK pickup, we reverse the flow based on
the SYN/ACK. If we then later get traffic that appears to be in the
reverse direction based on the app-layer, we would reverse it again.
This isn't correct. When we have the SYN/ACK we know the flow's real
direction.

diff --git a/src/app-layer.c b/src/app-layer.c
index 9cf276f2353e7e1007df8b918e34f612cc4125b6..bd1942e1278ef059254821facc01e74321e72124 100644 (file)
--- a/src/app-layer.c
+++ b/src/app-layer.c
@@ -403,7 +403,9 @@ static int TCPProtoDetect(ThreadVars *tv,
         /* if protocol detection indicated that we need to reverse
          * the direction of the flow, do it now. We flip the flow,
          * packet and the direction flags */
-        if (reverse_flow && (ssn->flags & STREAMTCP_FLAG_MIDSTREAM)) {
+        if (reverse_flow &&
+                ((ssn->flags & (STREAMTCP_FLAG_MIDSTREAM | STREAMTCP_FLAG_MIDSTREAM_SYNACK)) ==
+                        STREAMTCP_FLAG_MIDSTREAM)) {
             /* but only if we didn't already detect it on the other side. */
             if (*alproto_otherdir == ALPROTO_UNKNOWN) {
                 SCLogDebug("reversing flow after proto detect told us so");