From: Victor Julien
Date: Fri, 3 Mar 2023 12:30:14 +0000 (+0100)
Subject: stream: improve SYN and SYN/ACK handling with ECN/CWR flags
X-Git-Tag: suricata-7.0.0-rc2~480
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0d1d28854462c2a9442e42268bf32fd71ae50e5f;p=thirdparty%2Fsuricata.git

stream: improve SYN and SYN/ACK handling with ECN/CWR flags
---
diff --git a/src/flow-hash.c b/src/flow-hash.c
index a4424a3bc6..351494bb97 100644
--- a/src/flow-hash.c
+++ b/src/flow-hash.c
@@ -510,7 +510,8 @@ static inline int FlowCreateCheck(const Packet *p, const bool emerg)
 * that is not a TCP SYN packet. */
 if (emerg) {
 if (PKT_IS_TCP(p)) {
- if (p->tcph->th_flags == TH_SYN || !stream_config.midstream) {
+ if (((p->tcph->th_flags & (TH_SYN | TH_ACK | TH_RST | TH_FIN)) == TH_SYN) ||
+ !stream_config.midstream) {
 ;
 } else {
 return 0;
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index 20b92e7845..0524f8c618 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -5493,13 +5493,13 @@ static inline int StreamTcpValidateChecksum(Packet *p)
 * \retval bool true/false */
 static int TcpSessionPacketIsStreamStarter(const Packet *p)
 {
- if (p->tcph->th_flags == TH_SYN) {
+ if ((p->tcph->th_flags & (TH_SYN | TH_ACK)) == TH_SYN) {
 SCLogDebug("packet %"PRIu64" is a stream starter: %02x", p->pcap_cnt, p->tcph->th_flags);
 return 1;
 }

 if (stream_config.midstream || stream_config.async_oneside) {
- if (p->tcph->th_flags == (TH_SYN|TH_ACK)) {
+ if ((p->tcph->th_flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) {
 SCLogDebug("packet %"PRIu64" is a midstream stream starter: %02x", p->pcap_cnt, p->tcph->th_flags);
 return 1;
 }
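Review bot: The mask `(TH_SYN | TH_ACK | TH_RST | TH_FIN)` in the emergency branch of FlowCreateCheck is written inline with no explanation, and the comment above it still only says "not a TCP SYN packet". The new test accepts a SYN that carries ECN/CWR or any other bit outside the mask, and rejects one that also carries ACK, RST or FIN; that is worth recording next to the condition, for example `/* SYN, optionally with ECN/CWR bits; ACK, RST or FIN disqualify the packet */`. The condition still feeds an empty `;` branch, so a reader has to negate a two-line expression to see when `return 0` is taken. FlowCreateCheck starts and ends outside this hunk.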
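Review bot: The SYN test in TcpSessionPacketIsStreamStarter masks only `TH_SYN | TH_ACK`, so a segment that sets SYN together with RST or FIN now counts as a stream starter, which the previous exact comparison `== TH_SYN` rejected. The same holds for the SYN/ACK test further down in this hunk and for both tests in TcpSessionReuseDoneEnough in the following hunk, where the result selects the session-reuse check. FlowCreateCheck in this same commit uses the stricter mask, so the flow and stream layers disagree on what a SYN is; whether later stream code drops these flag combinations is not visible from the hunks. Consider using one mask everywhere, `if ((p->tcph->th_flags & (TH_SYN | TH_ACK | TH_RST | TH_FIN)) == TH_SYN) {` and the matching `== (TH_SYN | TH_ACK)` form, ideally through a single shared helper.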
@@ -5615,12 +5615,12 @@ static int TcpSessionReuseDoneEnoughSynAck(const Packet *p, const Flow *f, const
 * \retval bool true if ssn can be reused, false if not */
 static int TcpSessionReuseDoneEnough(const Packet *p, const Flow *f, const TcpSession *ssn)
 {
- if (p->tcph->th_flags == TH_SYN) {
+ if ((p->tcph->th_flags & (TH_SYN | TH_ACK)) == TH_SYN) {
 return TcpSessionReuseDoneEnoughSyn(p, f, ssn);
 }

 if (stream_config.midstream || stream_config.async_oneside) {
- if (p->tcph->th_flags == (TH_SYN|TH_ACK)) {
+ if ((p->tcph->th_flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) {
 return TcpSessionReuseDoneEnoughSynAck(p, f, ssn);
 }
 }