From: Victor Julien
Date: Wed, 8 Jun 2022 11:11:55 +0000 (+0200)
Subject: stream/midstream: fix double flow reverse case
X-Git-Tag: suricata-6.0.6~33
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=643d502d9ee88fab308ae50b81d25ff2621f7871;p=thirdparty%2Fsuricata.git

stream/midstream: fix double flow reverse case

In the case of midstream SYN/ACK pickup, we reverse the flow based on the SYN/ACK. If we then later get traffic that appears to be in the reverse direction based on the app-layer, we would reverse it again. This isn't correct. When we have the SYN/ACK we know the flow's real direction.

(cherry picked from commit fea374626ac9d0dfe69df24958596867f9e42734)
---
diff --git a/src/app-layer.c b/src/app-layer.c index a80606b572..3b9465d67e 100644 --- a/src/app-layer.c +++ b/src/app-layer.c @@ -361,7 +361,9 @@ static int TCPProtoDetect(ThreadVars *tv, /* if protocol detection indicated that we need to reverse * the direction of the flow, do it now. We flip the flow, * packet and the direction flags */ - if (reverse_flow && (ssn->flags & STREAMTCP_FLAG_MIDSTREAM)) { + if (reverse_flow && + ((ssn->flags & (STREAMTCP_FLAG_MIDSTREAM | STREAMTCP_FLAG_MIDSTREAM_SYNACK)) == + STREAMTCP_FLAG_MIDSTREAM)) { /* but only if we didn't already detect it on the other side. */ if (*alproto_otherdir == ALPROTO_UNKNOWN) { SCLogDebug("reversing flow after proto detect told us so");
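Review bot: the new condition in TCPProtoDetect is correct but hard to read, and the comment directly above it ("if protocol detection indicated that we need to reverse the direction of the flow, do it now") no longer describes what the code does; the masked compare `(ssn->flags & (STREAMTCP_FLAG_MIDSTREAM | STREAMTCP_FLAG_MIDSTREAM_SYNACK)) == STREAMTCP_FLAG_MIDSTREAM` means "midstream pickup, but not one that started on a SYN/ACK", and that intent should be stated in the comment rather than left for the reader to derive from the bit arithmetic. Two follow-ups worth considering in the same hunk: when `reverse_flow` is set but the session carries STREAMTCP_FLAG_MIDSTREAM_SYNACK, the app-layer's direction hint is now silently discarded, so an `SCLogDebug` branch mirroring the existing "reversing flow after proto detect told us so" message would make it possible to see, while debugging a capture, that detection disagreed with the SYN/ACK-derived direction; and since the bug being fixed is a double reverse, a unit test that performs a midstream SYN/ACK pickup and then feeds app-layer data that detection attributes to the opposite direction would pin the behaviour and keep the two flags from drifting apart again.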