From: Victor Julien Date: Mon, 6 Jul 2020 10:05:01 +0000 (+0200) Subject: app-layer/tcp: don't use un-ACK'd data X-Git-Tag: suricata-6.0.0-beta1~88 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=616d7f256b3673f008bf2edcb3e673459fa7f1d3;p=thirdparty%2Fsuricata.git app-layer/tcp: don't use un-ACK'd data Still use un-ACK'd data in unclean shutdown. This means any state before TCP_CLOSED, or TCP_CLOSED that was caused by a RST. --- diff --git a/src/stream-tcp-reassemble.c b/src/stream-tcp-reassemble.c index 5546811d7d..9c4371cb03 100644 --- a/src/stream-tcp-reassemble.c +++ b/src/stream-tcp-reassemble.c @@ -1034,14 +1034,20 @@ static inline bool CheckGap(TcpSession *ssn, TcpStream *stream, Packet *p) return false; } -static inline uint32_t AdjustToAcked(const Packet *p, const TcpStream *stream, +static inline uint32_t AdjustToAcked(const Packet *p, + const TcpSession *ssn, const TcpStream *stream, const uint64_t app_progress, const uint32_t data_len) { uint32_t adjusted = data_len; /* get window of data that is acked */ if (StreamTcpInlineMode() == FALSE) { - if (p->flags & PKT_PSEUDO_STREAM_END) { + SCLogDebug("ssn->state %s", StreamTcpStateAsString(ssn->state)); + if ((ssn->state < TCP_CLOSED || + (ssn->state == TCP_CLOSED && + (ssn->flags & STREAMTCP_FLAG_CLOSED_BY_RST) != 0)) && + (p->flags & PKT_PSEUDO_STREAM_END)) + { // fall through, we use all available data } else { uint64_t last_ack_abs = STREAM_BASE_OFFSET(stream); @@ -1132,7 +1138,7 @@ static int ReassembleUpdateAppLayer (ThreadVars *tv, *stream, &(*stream)->sb, mydata_len, app_progress); /* get window of data that is acked */ - mydata_len = AdjustToAcked(p, *stream, app_progress, mydata_len); + mydata_len = AdjustToAcked(p, ssn, *stream, app_progress, mydata_len); if (mydata_len == 0) SCReturnInt(0);