From: Eric Leblond Date: Fri, 28 May 2021 10:19:38 +0000 (+0200) Subject: stream/tcp: don't reject on bad ack X-Git-Tag: suricata-7.0.0-beta1~1570 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=556570f7dd7f21f11cffda5ebcb72738a29cbb90;p=thirdparty%2Fsuricata.git stream/tcp: don't reject on bad ack Not using a packet for the streaming analysis when a non zero ACK value and ACK bit was unset was leading to evasion as it was possible to start a session with a SYN packet with a non zero ACK value to see the full TCP stream to escape all stream and application layer detection. This addresses CVE-2021-35063. Fixes: fa692df37 ("stream: reject broken ACK packets") Ticket: #4504. --- diff --git a/src/stream-tcp.c b/src/stream-tcp.c index 377abdfb6b..898bde925f 100644 --- a/src/stream-tcp.c +++ b/src/stream-tcp.c @@ -4831,7 +4831,6 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt, /* broken TCP http://ask.wireshark.org/questions/3183/acknowledgment-number-broken-tcp-the-acknowledge-field-is-nonzero-while-the-ack-flag-is-not-set */ if (!(p->tcph->th_flags & TH_ACK) && TCP_GET_ACK(p) != 0) { StreamTcpSetEvent(p, STREAM_PKT_BROKEN_ACK); - goto error; } /* If we are on IPS mode, and got a drop action triggered from
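Review bot: dropping the `goto error` after `StreamTcpSetEvent(p, STREAM_PKT_BROKEN_ACK);` changes this check from a reject into a flag-and-continue, so the packet now flows into the state handlers below with an ACK number that the ACK flag does not vouch for; please confirm that every downstream use of `TCP_GET_ACK(p)` in `StreamTcpPacket` and the per-state handlers is gated on `TH_ACK` rather than on the raw ack value, otherwise the bogus number could still influence window or sequence tracking. The comment above the check (`/* broken TCP ... */` with the Wireshark link) was written to justify rejecting the packet and now reads as stale; suggest extending it with one line stating that the packet is only flagged and is still fed to the stream engine, referencing the evasion described in the commit message and Ticket #4504. The event itself is kept, so the anomaly remains observable to stream-event rules, which is worth saying in the commit message, along with a unit test that opens a session from a SYN carrying a non-zero ACK and asserts the session is tracked.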