From: Victor Julien
Date: Fri, 3 Mar 2023 12:30:14 +0000 (+0100)
Subject: stream: improve SYN and SYN/ACK handling with ECN/CWR flags
X-Git-Tag: suricata-6.0.11~34
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=516ddf4feca418baf17852cfc878837eab6e43a5;p=thirdparty%2Fsuricata.git
stream: improve SYN and SYN/ACK handling with ECN/CWR flags
(cherry picked from commit 0d1d28854462c2a9442e42268bf32fd71ae50e5f)
---
diff --git a/src/flow-hash.c b/src/flow-hash.c
index ca2205e078..32226db4ee 100644
--- a/src/flow-hash.c
+++ b/src/flow-hash.c
@@ -432,7 +432,8 @@ static inline int FlowCreateCheck(const Packet *p, const bool emerg)
 * that is not a TCP SYN packet. */
 if (emerg) {
 if (PKT_IS_TCP(p)) {
- if (p->tcph->th_flags == TH_SYN || stream_config.midstream == FALSE) {
+ if (((p->tcph->th_flags & (TH_SYN | TH_ACK | TH_RST | TH_FIN)) == TH_SYN) ||
+ !stream_config.midstream) {
 ;
 } else {
 return 0;
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index 8c7f2e21f5..e1f9a895d4 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -5292,13 +5292,13 @@ static inline int StreamTcpValidateChecksum(Packet *p)
 * \retval bool true/false */
 static int TcpSessionPacketIsStreamStarter(const Packet *p)
 {
- if (p->tcph->th_flags == TH_SYN) {
+ if ((p->tcph->th_flags & (TH_SYN | TH_ACK)) == TH_SYN) {
 SCLogDebug("packet %"PRIu64" is a stream starter: %02x", p->pcap_cnt, p->tcph->th_flags);
 return 1;
 }
 if (stream_config.midstream == TRUE || stream_config.async_oneside == TRUE) {
- if (p->tcph->th_flags == (TH_SYN|TH_ACK)) {
+ if ((p->tcph->th_flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) {
 SCLogDebug("packet %"PRIu64" is a midstream stream starter: %02x", p->pcap_cnt, p->tcph->th_flags);
 return 1;
 }
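Review bot: The comment above the emergency-mode check in FlowCreateCheck still says only "not a TCP SYN packet", but the new test in the `if (PKT_IS_TCP(p))` branch accepts any segment with SYN set and ACK, RST and FIN clear, so ECE, CWR, PSH and URG no longer affect the decision. A one-line comment would record that intent for the next reader, for example `/* SYN without ACK/RST/FIN; remaining bits such as ECE/CWR are ignored */`. The empty `;` branch could also be removed by negating the condition and returning 0 directly. The function body starts and ends outside the hunk.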
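Review bot: The mask in TcpSessionPacketIsStreamStarter covers only SYN and ACK, so a segment with SYN plus RST or FIN now counts as a stream starter; the old exact comparison rejected it, and the FlowCreateCheck test in src/flow-hash.c from this same commit still does. Unless such segments are filtered before this point (not visible in the hunk), this widens what is accepted as the start of a new stream, and the SYN/ACK test ignores RST and FIN in the same way. Using the wider mask would keep the ECN tolerance without that side effect: `if ((p->tcph->th_flags & (TH_SYN | TH_ACK | TH_RST | TH_FIN)) == TH_SYN) {`. The same applies to both tests in TcpSessionReuseDoneEnough in the next hunk, where the result feeds the session-reuse checks. The function body continues past the end of this hunk.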
@@ -5416,12 +5416,12 @@ static int TcpSessionReuseDoneEnoughSynAck(const Packet *p, const Flow *f, const
 * \retval bool true if ssn can be reused, false if not */
 static int TcpSessionReuseDoneEnough(const Packet *p, const Flow *f, const TcpSession *ssn)
 {
- if (p->tcph->th_flags == TH_SYN) {
+ if ((p->tcph->th_flags & (TH_SYN | TH_ACK)) == TH_SYN) {
 return TcpSessionReuseDoneEnoughSyn(p, f, ssn);
 }
 if (stream_config.midstream == TRUE || stream_config.async_oneside == TRUE) {
- if (p->tcph->th_flags == (TH_SYN|TH_ACK)) {
+ if ((p->tcph->th_flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) {
 return TcpSessionReuseDoneEnoughSynAck(p, f, ssn);
 }
 }