From: Juweria Ali Imran (jaliimra) Date: Wed, 17 Apr 2024 16:19:49 +0000 (+0000) Subject: Pull request #4268: stream_tcp: drop packet with invalid sequence number if NAP polic... X-Git-Tag: 3.2.1.0~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d83a111d36d089483062f07e82a27e65653a1b4;p=thirdparty%2Fsnort3.git Pull request #4268: stream_tcp: drop packet with invalid sequence number if NAP policy is inline and fix sequence number comparisons Merge in SNORT/snort3 from ~JALIIMRA/snort3:invalid_seq_ack to master Squashed commit of the following: commit 58ca09ddd93559039948ecc86a6af1ceac868200 Author: Juweria Ali Imran Date: Tue Apr 2 08:49:01 2024 -0400 stream_tcp: drop packet with invalid sequence number if NAP policy is inline and fix sequence number comparisons
---
diff --git a/src/stream/tcp/tcp_normalizer.cc b/src/stream/tcp/tcp_normalizer.cc
index 7a72fa281..da8e9ba15 100644
--- a/src/stream/tcp/tcp_normalizer.cc
+++ b/src/stream/tcp/tcp_normalizer.cc
@@ -48,9 +48,10 @@ TcpNormalizer::NormStatus TcpNormalizer::apply_normalizations(
 // drop packet if sequence num is invalid
 if ( !tns.tracker->is_segment_seq_valid(tsd) )
 {
+ bool inline_mode = tsd.is_nap_policy_inline();
 tcpStats.invalid_seq_num++;
- log_drop_reason(tns, tsd, false, "normalizer", "Normalizer: Sequence number is invalid\n");
- trim_win_payload(tns, tsd);
+ log_drop_reason(tns, tsd, inline_mode, "normalizer", "Normalizer: Sequence number is invalid\n");
+ trim_win_payload(tns, tsd, 0, inline_mode);
 return NORM_BAD_SEQ;
 }
diff --git a/src/stream/tcp/tcp_reassembler.cc b/src/stream/tcp/tcp_reassembler.cc
index f0fdd58b1..726cf6cd0 100644
--- a/src/stream/tcp/tcp_reassembler.cc
+++ b/src/stream/tcp/tcp_reassembler.cc
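Review bot: The comment `// drop packet if sequence num is invalid` above the block is now accurate only when the NAP policy is inline; with `inline_mode` false, log_drop_reason receives the same `false` the old code passed, and trim_win_payload's new `0, false` arguments presumably reproduce the old two-argument call, so nothing is dropped in that mode. The comment should state the condition, e.g. `// invalid sequence num: drop in inline NAP mode, otherwise log, trim and return NORM_BAD_SEQ`. `inline_mode` is never reassigned and reads better as `const bool inline_mode = tsd.is_nap_policy_inline();`. The bare `0` in `trim_win_payload(tns, tsd, 0, inline_mode)` gives no hint which parameter it fills; a short trailing comment naming that parameter (whatever it is called in the declaration) would make the call site self-explaining. apply_normalizations continues outside the hunk.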
@@ -1427,7 +1427,7 @@ void TcpReassembler::insert_segment_in_seglist(
 if ( trs.sos.keep_segment )
 {
 if ( !trs.sos.left and trs.sos.right and
- paf_initialized(&trs.paf_state) and trs.paf_state.pos > tsd.get_seq() )
+ paf_initialized(&trs.paf_state) and SEQ_GT(trs.paf_state.pos, tsd.get_seq()) )
 {
 return;
 }
diff --git a/src/stream/tcp/tcp_segment_node.h b/src/stream/tcp/tcp_segment_node.h
index d3e76835d..3e58f0eac 100644
--- a/src/stream/tcp/tcp_segment_node.h
+++ b/src/stream/tcp/tcp_segment_node.h
@@ -56,9 +56,9 @@ public:
 bool is_packet_missing(uint32_t to_seq)
 {
 if ( next )
- return (i_seq + i_len) != next->i_seq;
+ return !(SEQ_EQ((i_seq + i_len), next->i_seq));
 else
- return (c_seq + c_len) < to_seq;
+ return SEQ_LT((c_seq + c_len), to_seq);
 }
 void update_ressembly_lengths(uint16_t bytes)
diff --git a/src/stream/tcp/tcp_stream_tracker.cc b/src/stream/tcp/tcp_stream_tracker.cc
index f2cc11a2d..e982a2c29 100644
--- a/src/stream/tcp/tcp_stream_tracker.cc
+++ b/src/stream/tcp/tcp_stream_tracker.cc
@@ -484,7 +484,7 @@ void TcpStreamTracker::update_tracker_ack_recv(TcpSegmentDescriptor& tsd)
 if ( SEQ_GT(tsd.get_ack(), snd_una) )
 {
 snd_una = tsd.get_ack();
- if ( snd_nxt < snd_una )
+ if ( SEQ_LT(snd_nxt, snd_una) )
 snd_nxt = snd_una;
 }
 if ( !tsd.get_len() and snd_wnd == 0
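Review bot: `!(SEQ_EQ((i_seq + i_len), next->i_seq))` in is_packet_missing is harder to read than it needs to be; assuming SEQ_EQ parenthesises its arguments like the other SEQ_* macros, `return !SEQ_EQ(i_seq + i_len, next->i_seq);` is equivalent, and the same redundant parentheses appear in `SEQ_LT((c_seq + c_len), to_seq)`. If SEQ_EQ is the usual modulo-2^32 test `(int)((a) - (b)) == 0` and i_seq / next->i_seq are uint32_t, that first change matches plain `!=` and is a consistency cleanup only, whereas the SEQ_LT here and the SEQ_GT / SEQ_LT substitutions in the tcp_reassembler.cc and tcp_stream_tracker.cc hunks do change the result once a sequence number wraps. None of the three hunks says why the macros are needed; a one-line comment on is_packet_missing such as `// seq numbers wrap; compare modulo 2^32, never with < or !=` would keep the next edit from reintroducing a plain comparison.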