From: Victor Julien Date: Fri, 18 Jan 2019 14:03:39 +0000 (+0100) Subject: stream: fix false negative on bad RST X-Git-Tag: suricata-4.0.7~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=29164d95336a93436b774b8e565618fcd6f4e8db;p=thirdparty%2Fsuricata.git stream: fix false negative on bad RST If a bad RST was received the stream inspection would not happen for that packet, but it would still move the 'raw progress' tracker forward. Following good packets would then fail to detect anything before the 'raw progress' position. Bug #2770 Reported-by: Alexey Vishnyakov --- diff --git a/src/detect.c b/src/detect.c index abe759ed47..20767184c9 100644 --- a/src/detect.c +++ b/src/detect.c @@ -1443,7 +1443,9 @@ end: } /* update inspected tracker for raw reassembly */ - if (p->proto == IPPROTO_TCP && pflow->protoctx != NULL) { + if (p->proto == IPPROTO_TCP && pflow->protoctx != NULL && + (p->flags & PKT_STREAM_EST)) + { StreamReassembleRawUpdateProgress(pflow->protoctx, p, det_ctx->raw_stream_progress);
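Review bot: The added `(p->flags & PKT_STREAM_EST)` test in the condition guarding `StreamReassembleRawUpdateProgress()` is not documented. The comment above it still reads only "update inspected tracker for raw reassembly", so a later reader cannot tell that the flag is there to stop packets that skipped stream inspection (the bad RST case in the commit message) from advancing the raw progress tracker. Suggest extending that comment to say so. The hunk also does not show the condition under which stream inspection itself runs, so please confirm that this check matches it exactly; if the two conditions differ, the tracker can still move past data that was never inspected. A regression test for Bug #2770 (a bad RST followed by good packets that should alert) is not part of this diff and would be worth adding.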