From: Victor Julien <victor@inliniac.net>
Date: Thu, 19 Mar 2020 20:30:45 +0000 (+0100)
Subject: stream/tcp: fix fast open off by one
X-Git-Tag: suricata-6.0.0-beta1~611
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b85539b2aba4cc95a2773b71da44821cd225b50a;p=thirdparty%2Fsuricata.git

stream/tcp: fix fast open off by one

With data on SYN the sequence number used for the first data
was off by one, leading to the next segments to appear to come
after a one byte gap.
---

diff --git a/src/stream-tcp-reassemble.c b/src/stream-tcp-reassemble.c
index 0c6e6dffdf..44a8daf5ad 100644
--- a/src/stream-tcp-reassemble.c
+++ b/src/stream-tcp-reassemble.c
@@ -642,6 +642,10 @@ int StreamTcpReassembleHandleSegmentHandleData(ThreadVars *tv, TcpReassemblyThre
     TCP_SEG_LEN(seg) = size;
     seg->seq = TCP_GET_SEQ(p);
 
+    /* HACK: for TFO SYN packets the seq for data starts at + 1 */
+    if (TCP_HAS_TFO(p) && p->payload_len && p->tcph->th_flags == TH_SYN)
+        seg->seq += 1;
+
     /* proto detection skipped, but now we do get data. Set event. */
     if (RB_EMPTY(&stream->seg_tree) &&
         stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED) {