From: Juweria Ali Imran (jaliimra)
Date: Tue, 19 Sep 2023 15:16:17 +0000 (+0000)
Subject: Pull request #4004: stream_tcp: examine whether a segment plugs a hole before blockin...
X-Git-Tag: 3.1.71.0~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=19422d78f08569c119122672883f7fbe6db84932;p=thirdparty%2Fsnort3.git

Pull request #4004: stream_tcp: examine whether a segment plugs a hole before blocking due to exceeding queue_limit

Merge in SNORT/snort3 from ~JALIIMRA/snort3:seglist_window to master

Squashed commit of the following:

commit 872c4d9796db0b8099005542889da60d353fc8af
Author: Juweria Ali Imran
Date:   Mon Sep 11 11:56:03 2023 -0400

    stream_tcp: examine whether a segment plugs a hole before blocking due to exceeding queue_limit
---
diff --git a/src/stream/tcp/tcp_reassembler.cc b/src/stream/tcp/tcp_reassembler.cc
index 13d94b5fd..043426263 100644
--- a/src/stream/tcp/tcp_reassembler.cc
+++ b/src/stream/tcp/tcp_reassembler.cc
@@ -972,6 +972,26 @@ void TcpReassembler::fallback(TcpStreamTracker& tracker, bool server_side)
     }
 }
 
+bool TcpReassembler::segment_within_seglist_window(TcpReassemblerState& trs, TcpSegmentDescriptor& tsd)
+{
+    uint32_t start, end = (trs.sos.seglist.tail->i_seq + trs.sos.seglist.tail->i_len);
+
+    if ( SEQ_LT(trs.sos.seglist_base_seq, trs.sos.seglist.head->i_seq) )
+        start = trs.sos.seglist_base_seq;
+    else
+        start = trs.sos.seglist.head->i_seq;
+
+    // Left side
+    if ( SEQ_LEQ(tsd.get_end_seq(), start) )
+        return false;
+
+    // Right side
+    if ( SEQ_GEQ(tsd.get_seq(), end) )
+        return false;
+
+    return true;
+}
+
 void TcpReassembler::check_first_segment_hole(TcpReassemblerState& trs)
 {
     if ( SEQ_LT(trs.sos.seglist_base_seq, trs.sos.seglist.head->c_seq)
diff --git a/src/stream/tcp/tcp_reassembler.h b/src/stream/tcp/tcp_reassembler.h
index b83f28d2c..4177953a1 100644
--- a/src/stream/tcp/tcp_reassembler.h
+++ b/src/stream/tcp/tcp_reassembler.h
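Review bot: segment_within_seglist_window dereferences trs.sos.seglist.head and trs.sos.seglist.tail with no check that the list is non-empty; the callers added in tcp_session.cc reach it only after a queue limit was exceeded, which presumably means segments are queued, but the method is public and virtual, so the precondition should be stated above the definition, e.g. `// Precondition: seglist is non-empty; callers only reach this after a queue limit has been exceeded.` The predicate returns true for any segment overlapping the queued range [start, end), including one lying entirely inside data that is already queued, so it tests overlap with the window rather than the presence of a hole, and a one-line comment saying so would keep readers from assuming the stronger property the commit title describes. As a point of style, `uint32_t start, end = (...)` declares two variables on one line with only one initialised; assigning `start` where it is first known (for instance `const uint32_t start = SEQ_LT(...) ? trs.sos.seglist_base_seq : trs.sos.seglist.head->i_seq;`) reads more clearly.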
@@ -52,6 +52,7 @@ public:
     virtual int update_alert(TcpReassemblerState&, uint32_t gid, uint32_t sid, uint32_t event_id, uint32_t event_second);
     virtual void purge_alerts(TcpReassemblerState&);
+    virtual bool segment_within_seglist_window(TcpReassemblerState&, TcpSegmentDescriptor&);
 
     uint32_t perform_partial_flush(TcpReassemblerState&, snort::Flow*, snort::Packet*&);
diff --git a/src/stream/tcp/tcp_reassemblers.h b/src/stream/tcp/tcp_reassemblers.h
index 0dda94eef..927e05753 100644
--- a/src/stream/tcp/tcp_reassemblers.h
+++ b/src/stream/tcp/tcp_reassemblers.h
@@ -124,6 +124,9 @@ public:
     void set_norm_mode_test()
     { trs.sos.tcp_ips_data = NORM_MODE_TEST; }
 
+    bool segment_within_seglist_window(TcpSegmentDescriptor& tsd)
+    { return reassembler->segment_within_seglist_window(trs, tsd); }
+
     uint32_t perform_partial_flush(snort::Flow* flow, snort::Packet*& p)
     { return reassembler->perform_partial_flush(trs, flow, p); }
diff --git a/src/stream/tcp/tcp_session.cc b/src/stream/tcp/tcp_session.cc
index 43b4f238c..670bfc153 100644
--- a/src/stream/tcp/tcp_session.cc
+++ b/src/stream/tcp/tcp_session.cc
@@ -346,6 +346,9 @@ bool TcpSession::flow_exceeds_config_thresholds(TcpSegmentDescriptor& tsd)
         (const_cast(tsd.get_pkt()->ptrs.tcph))->set_seq(listener->max_queue_seq_nxt);
     }
 
+    if( listener->reassembler.segment_within_seglist_window(tsd) )
+        return false;
+
     if ( inline_mode || listener->normalizer.get_trim_win() == NORM_MODE_ON)
     {
         tsd.get_pkt()->active->set_drop_reason("stream");
@@ -378,6 +381,9 @@ bool TcpSession::flow_exceeds_config_thresholds(TcpSegmentDescriptor& tsd)
         (const_cast(tsd.get_pkt()->ptrs.tcph))->set_seq(listener->max_queue_seq_nxt);
     }
 
+    if( listener->reassembler.segment_within_seglist_window(tsd) )
+        return false;
+
     if ( inline_mode || listener->normalizer.get_trim_win() == NORM_MODE_ON)
     {
         tsd.get_pkt()->active->set_drop_reason("stream");
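Review bot: The new early return in flow_exceeds_config_thresholds sits after the block that rewrites the packet's TCP header sequence number via set_seq(listener->max_queue_seq_nxt), so if tsd.get_seq() reflects the rewritten header the window test is evaluated against the adjusted sequence rather than the segment as received; if that ordering is intended it deserves a comment, otherwise placing the check ahead of that block would make the intent unambiguous. The same three lines are added in both hunks (@@ -346 and @@ -378) and `if(` lacks the space that the neighbouring `if (` lines use; checking the window once before the two threshold branches would remove the duplication, though the function begins outside the hunks so the shape of those branches cannot be confirmed here. Because this return lets a segment be queued although a configured queue limit has already been exceeded, a short comment recording why, such as `// A segment overlapping the queued range may fill a hole and allow a flush; do not block it on the queue limit.`, would help whoever next tunes these thresholds.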