From: Victor Julien <victor@inliniac.net>
Date: Mon, 23 Dec 2019 15:09:51 +0000 (+0100)
Subject: flow: only move lastts forward
X-Git-Tag: suricata-6.0.0-beta1~27
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8b016cff4b09873a3dc57e7b8613f973cd7a2f3a;p=thirdparty%2Fsuricata.git

flow: only move lastts forward

Pcaps with timestamps jumping around could confuse flow timeout
handling otherwise.
---

diff --git a/src/flow.c b/src/flow.c
index a0e637ed94..49dc4a2e37 100644
--- a/src/flow.c
+++ b/src/flow.c
@@ -440,7 +440,8 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p, ThreadVars *tv, DecodeThreadVars
     if (state != FLOW_STATE_CAPTURE_BYPASSED) {
 #endif
         /* update the last seen timestamp of this flow */
-        COPY_TIMESTAMP(&p->ts, &f->lastts);
+        if (timercmp(&p->ts, &f->lastts, >))
+            COPY_TIMESTAMP(&p->ts, &f->lastts);
 #ifdef CAPTURE_OFFLOAD
     } else {
         /* still seeing packet, we downgrade to local bypass */