From: Masud Hasan (mashasan) Date: Wed, 28 Apr 2021 15:25:56 +0000 (+0000) Subject: Merge pull request #2844 in SNORT/snort3 from ~MASHASAN/snort3:close_stream to master X-Git-Tag: 3.1.5.0~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4dc6cb82d9d4d7e37e6a3656be34e92587f03a9c;p=thirdparty%2Fsnort3.git Merge pull request #2844 in SNORT/snort3 from ~MASHASAN/snort3:close_stream to master Squashed commit of the following: commit 2eaee2752af6e487c4ccf59940fd2a0ac6875c75 Author: Masud Hasan Date: Fri Apr 23 08:58:09 2021 -0400 stream_tcp: Using window base for reset validation commit 1526f0d93ba1d1ce04b40b46faf7304b0eb6b307 Author: Masud Hasan Date: Tue Apr 13 18:36:58 2021 -0400 stream_tcp: Deleting session when both talker and listener are closed
---
diff --git a/src/stream/tcp/tcp_normalizer.cc b/src/stream/tcp/tcp_normalizer.cc
index 347c9b0a0..cd17146c4 100644
--- a/src/stream/tcp/tcp_normalizer.cc
+++ b/src/stream/tcp/tcp_normalizer.cc
@@ -252,10 +252,9 @@ bool TcpNormalizer::validate_rst_end_seq_geq(
 bool TcpNormalizer::validate_rst_seq_eq(
 TcpNormalizerState& tns, TcpSegmentDescriptor& tsd)
 {
- uint32_t expected_seq = tns.tracker->rcv_nxt + tns.tracker->get_fin_seq_adjust();
+ uint32_t expected_seq = tns.tracker->r_win_base + tns.tracker->get_fin_seq_adjust();
- // FIXIT-M check for rcv_nxt == 0 is hack for uninitialized rcv_nxt
- if ( ( tns.tracker->rcv_nxt == 0 ) || SEQ_EQ(tsd.get_seq(), expected_seq) )
+ if ( SEQ_EQ(tsd.get_seq(), expected_seq) )
 return true;
 return false;
diff --git a/src/stream/tcp/tcp_state_closed.cc b/src/stream/tcp/tcp_state_closed.cc
index be3b9dd80..3aeb2f657 100644
--- a/src/stream/tcp/tcp_state_closed.cc
+++ b/src/stream/tcp/tcp_state_closed.cc
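Review bot: With the `rcv_nxt == 0` escape removed from `validate_rst_seq_eq`, the check relies on `r_win_base` already holding a meaningful value whenever a RST is validated, and nothing in this hunk establishes that. The removed FIXIT says `rcv_nxt` could be uninitialized here; if the same can happen to `r_win_base` (midstream pickup is a guess, not something visible here), a genuine RST would be rejected and the tracked state would drift from what the endpoint actually did. I would state the invariant above the assignment, e.g. `// RST is accepted only at the window base (+ FIN adjust); r_win_base must be initialized before this runs`, and add a test for the uninitialized case. The two-branch return could also become `return SEQ_EQ(tsd.get_seq(), expected_seq);`. The function's closing brace lies outside the hunk.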
@@ -135,7 +135,8 @@ bool TcpStateClosed::do_post_sm_packet_actions(TcpSegmentDescriptor& tsd, TcpStr
 TcpStreamTracker::TcpState talker_state = trk.session->get_talker_state(tsd);
 Flow* flow = tsd.get_flow();
- if ( ( talker_state == TcpStreamTracker::TCP_TIME_WAIT ) || !flow->two_way_traffic() )
+ if ( ( talker_state == TcpStreamTracker::TCP_TIME_WAIT or
+ talker_state == TcpStreamTracker::TCP_CLOSED ) or !flow->two_way_traffic() )
 {
 // The last ACK is a part of the session. Delete the session after processing is
 // complete.
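Review bot: The comment under the widened condition still explains only the TIME_WAIT case ("The last ACK is a part of the session"), while the new `talker_state == TcpStreamTracker::TCP_CLOSED` arm deletes the session for a different reason. I would reword it along the lines of `// Talker is in TIME_WAIT (this is the last ACK) or already CLOSED, or traffic is not two-way: delete the session after processing is complete.` Because this arm ties teardown to both trackers being CLOSED, it is worth confirming that a tracker can only reach CLOSED through a FIN or RST that passed sequence validation, since otherwise inspection of a still-live connection could end early; that cannot be judged from this hunk. The `if` body and the rest of `do_post_sm_packet_actions` lie outside the hunk.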