From: Victor Julien
Date: Sat, 23 Apr 2022 11:59:34 +0000 (+0200)
Subject: stream: improve flow end payload logging
X-Git-Tag: suricata-7.0.0-beta1~695
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c40df43609becc467e86d756098829b3174c80c7;p=thirdparty%2Fsuricata.git
stream: improve flow end payload logging
Use all available data, including un-ACK'd, when in flow timeout mode.
Bug: #5276.
---
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index eea743d3c9..2bbcafccf2 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -6341,9 +6341,16 @@ int StreamTcpSegmentForEach(const Packet *p, uint8_t flag, StreamSegmentCallback
 /* for IDS, return ack'd segments. For IPS all. */
 TcpSegment *seg;
 RB_FOREACH(seg, TCPSEG, &stream->seg_tree) {
- if (!((stream_config.flags & STREAMTCP_INIT_FLAG_INLINE)
- || SEQ_LT(seg->seq, stream->last_ack)))
- break;
+ if (!(stream_config.flags & STREAMTCP_INIT_FLAG_INLINE)) {
+ if (PKT_IS_PSEUDOPKT(p)) {
+ /* use un-ACK'd data as well */
+ } else {
+ /* in IDS mode, use ACK'd data */
+ if (SEQ_GEQ(seg->seq, stream->last_ack)) {
+ break;
+ }
+ }
+ }
 const uint8_t *seg_data;
 uint32_t seg_datalen;
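Review bot: The context comment above the loop, `/* for IDS, return ack'd segments. For IPS all. */`, no longer describes the new branch: in IDS mode a pseudo packet now also receives every segment, including data at or past `stream->last_ack`. I would update it to `/* for IDS, return ack'd segments; for IPS and for pseudo packets (flow timeout), return all. */` and state there that un-ACK'd segments were never confirmed as accepted by the receiver, so callbacks that log this payload can emit bytes the endpoint may not have processed. The commit message limits the change to flow timeout mode, while the test is `PKT_IS_PSEUDOPKT(p)`; if that macro also matches pseudo packets created for other reasons (its definition is not visible here), a narrower predicate would keep the ACK'd-only behaviour for those. The empty `if` arm could also be folded into one condition, `if (!(stream_config.flags & STREAMTCP_INIT_FLAG_INLINE) && !PKT_IS_PSEUDOPKT(p) && SEQ_GEQ(seg->seq, stream->last_ack)) break;`. The body of StreamTcpSegmentForEach starts and ends outside the hunk.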