From: Philippe Antoine Date: Fri, 23 Apr 2021 20:24:20 +0000 (+0200) Subject: Adds test about tcp protocol detection bailout X-Git-Tag: suricata-6.0.4~37 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8e48c9650bf228fedc2faf3fdab3b9a2e7e41f7f;p=thirdparty%2Fsuricata-verify.git Adds test about tcp protocol detection bailout --- diff --git a/tests/tcp-protodetect-bailout/README.md b/tests/tcp-protodetect-bailout/README.md new file mode 100644 index 000000000..bbc49fdc8 --- /dev/null +++ b/tests/tcp-protodetect-bailout/README.md @@ -0,0 +1,13 @@ +# Description + +Test absence of impossible case in `TCPProtoDetectCheckBailConditions` + +# PCAP + +The pcap comes from https://redmine.openinfosecfoundation.org/issues/4171 + +This pcap was produced with +1. python script from http-connect S-V test +2. Mixed packets order with editcap and mergecap (1-6,10,9,7-8) +3. Manually crafted to increase the TCP option window scale to 7 (128) on both sides +4. Manually crafted to increase the sequence number of now packet 7 (second packet with tcp payload) adding 0x100000 (as much needed to trigger `DEBUG_VALIDATE_BUG_ON(size_ts > 1000000UL);`) diff --git a/tests/tcp-protodetect-bailout/input.pcap b/tests/tcp-protodetect-bailout/input.pcap new file mode 100644 index 000000000..9bb197ba5 Binary files /dev/null and b/tests/tcp-protodetect-bailout/input.pcap differ diff --git a/tests/tcp-protodetect-bailout/test.yaml b/tests/tcp-protodetect-bailout/test.yaml new file mode 100644 index 000000000..9d15ab8ac --- /dev/null +++ b/tests/tcp-protodetect-bailout/test.yaml @@ -0,0 +1,10 @@ +# disables checksum verification +args: +- -k none +- --set stream.reassembly.depth=0 + +checks: + - filter: + count: 1 + match: + event_type: flow
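Review bot: In the README.md hunk, the four "This pcap was produced with" steps are not reproducible as written: step 2 gives the resulting packet order (1-6,10,9,7-8) but not the editcap and mergecap invocations, and steps 3 and 4 say "Manually crafted" without naming the tool used or the fields and offsets that were changed. Please add the exact commands or a small script so the pcap can be regenerated and audited, and reword "of now packet 7" in step 4 to something like "of the packet that is number 7 after reordering". The Description would also be clearer if it said what passing means here, i.e. that Suricata processes the pcap without hitting `DEBUG_VALIDATE_BUG_ON(size_ts > 1000000UL);`.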
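Review bot: In the test.yaml hunk, the comment `# disables checksum verification` sits above `args:` but only explains `-k none`; `--set stream.reassembly.depth=0` has no explanation, and neither this file nor the README says why that setting is needed to reach `TCPProtoDetectCheckBailConditions`. Please move the comment next to `-k none` and add one for the depth setting. Also, the only check is `count: 1` on `event_type: flow`, which asserts nothing about protocol detection itself, so the test appears to pass whenever Suricata finishes the pcap without aborting. If that is the intent, state it in a comment; otherwise add a check on a flow-event field that reflects the bailout outcome.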