From: Victor Julien <vjulien@oisf.net>
Date: Tue, 13 May 2025 09:26:46 +0000 (+0200)
Subject: detect: don't set conflicting packet/flow actions
X-Git-Tag: suricata-7.0.11~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8a329656098d8d0eca2f255924c0f117fc2dfe1f;p=thirdparty%2Fsuricata.git

detect: don't set conflicting packet/flow actions

If for the same a packet a drop rule and a pass rule would match,
the applying of actions could be contradictionary:

- the drop would be applied to the packet
- the pass rule would also be considered, not overriding the drop,
  but still setting the flow pass flag.

This would lead to the packet being dropped, but the rest of the
flow getting passed, including retransmissions of the dropped
packet.

This patch only sets drop/pass actions if no conflicting action
has been set on the packet before. It respects the action-order.

Bug: #7653.

Fix based on:
57b17fb3b2fb ("detect: don't set conflicting packet/flow actions")
---

diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index 466ca45703..f3e49586e0 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -398,14 +398,22 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
                 }
             }
 
-            /* set actions on the flow */
-            FlowApplySignatureActions(p, pa, s, pa->flags);
+            bool skip_action_set = false;
+            if (p->action & ACTION_DROP) {
+                if (pa->action & ACTION_PASS) {
+                    skip_action_set = true;
+                }
+            }
+            if (!skip_action_set) {
+                /* set actions on the flow */
+                FlowApplySignatureActions(p, pa, s, pa->flags);
 
-            SCLogDebug("det_ctx->alert_queue[i].action %02x (DROP %s, PASS %s)", pa->action,
-                    BOOL2STR(pa->action & ACTION_DROP), BOOL2STR(pa->action & ACTION_PASS));
+                SCLogDebug("det_ctx->alert_queue[i].action %02x (DROP %s, PASS %s)", pa->action,
+                        BOOL2STR(pa->action & ACTION_DROP), BOOL2STR(pa->action & ACTION_PASS));
 
-            /* set actions on packet */
-            PacketApplySignatureActions(p, s, pa);
+                /* set actions on packet */
+                PacketApplySignatureActions(p, s, pa);
+            }
         }
 
         /* Thresholding removes this alert */