From: Victor Julien
Date: Fri, 3 Jul 2020 14:38:56 +0000 (+0200)
Subject: stream/tcp: track if ssn has been closed with RST
X-Git-Tag: suricata-6.0.0-beta1~90
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c825f836338889d7e2afde6485f3111c020b1483;p=thirdparty%2Fsuricata.git
stream/tcp: track if ssn has been closed with RST
---
diff --git a/src/stream-tcp-private.h b/src/stream-tcp-private.h
index c74feb601e..41f75d466d 100644
--- a/src/stream-tcp-private.h
+++ b/src/stream-tcp-private.h
@@ -164,7 +164,8 @@ enum TcpState
 #define STREAMTCP_FLAG_TIMESTAMP 0x0008
 /** Server supports wscale (even though it can be 0) */
 #define STREAMTCP_FLAG_SERVER_WSCALE 0x0010
-// vacancy
+/** Closed by RST */
+#define STREAMTCP_FLAG_CLOSED_BY_RST 0x0020
 /** Flag to indicate that the session is handling asynchronous stream.*/
 #define STREAMTCP_FLAG_ASYNC 0x0040
 /** Flag to indicate we're dealing with 4WHS: SYN, SYN, SYN/ACK, ACK
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index 104f6688e0..0f49f19a96 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -853,6 +853,14 @@ void StreamTcpSetOSPolicy(TcpStream *stream, Packet *p)
 } \
 }
+static inline void StreamTcpCloseSsnWithReset(Packet *p, TcpSession *ssn)
+{
+ ssn->flags |= STREAMTCP_FLAG_CLOSED_BY_RST;
+ StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
+ SCLogDebug("ssn %p: (state: %s) Reset received and state changed to "
+ "TCP_CLOSED", ssn, StreamTcpStateAsString(ssn->state));
+}
+
 static int StreamTcpPacketIsRetransmission(TcpStream *stream, Packet *p)
 {
 if (p->payload_len == 0)
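Review bot: The doc comment `/** Closed by RST */` on `STREAMTCP_FLAG_CLOSED_BY_RST` does not say that the bit is provisional: the StreamTcpPacketCheckPostRst hunk in src/stream-tcp.c clears it again when the RST is suspected to be injected. Code that reads this flag to decide a session is finished needs to know that, so I would spell it out, e.g. `/** Session was moved to TCP_CLOSED by an accepted RST; cleared again if that RST is later suspected to be injected */`. The value 0x0020 takes the slot previously marked `// vacancy`, so it does not collide with the neighbouring values visible in this hunk.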
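Review bot: In `StreamTcpCloseSsnWithReset` the new `(state: %s)` field is formatted from `ssn->state` after `StreamTcpPacketSetState(p, ssn, TCP_CLOSED)` has already run, so if that call updates `ssn->state` (its body is not part of this diff) the message will always print the closed state and never the state in which the RST arrived. Moving the `SCLogDebug(...)` call above the `StreamTcpPacketSetState(...)` line would log the pre-transition state, which is the more useful value when triaging an unexpected reset. The helper also has no doc comment; something like `/** Mark ssn as closed by RST and move it to TCP_CLOSED. Caller must already have accepted the RST. */` would make the contract explicit. That matters because the FinWait1, FinWait2, Closing, CloseWait, LastAck and TimeWait call sites show a `StreamTcpValidateRst` check just before the call, while the SynSent and SynRecv hunks do not show theirs.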
@@ -1430,17 +1438,12 @@ static int StreamTcpPacketStateSynSent(ThreadVars *tv, Packet *p,
 {
 SCLogDebug("ssn->server.flags |= STREAMTCP_STREAM_FLAG_RST_RECV");
 ssn->server.flags |= STREAMTCP_STREAM_FLAG_RST_RECV;
-
- StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
- SCLogDebug("ssn %p: Reset received and state changed to "
- "TCP_CLOSED", ssn);
+ StreamTcpCloseSsnWithReset(p, ssn);
 }
 } else {
 ssn->client.flags |= STREAMTCP_STREAM_FLAG_RST_RECV;
 SCLogDebug("ssn->client.flags |= STREAMTCP_STREAM_FLAG_RST_RECV");
- StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
- SCLogDebug("ssn %p: Reset received and state changed to "
- "TCP_CLOSED", ssn);
+ StreamTcpCloseSsnWithReset(p, ssn);
 }
 /* FIN */
@@ -1771,9 +1774,7 @@ static int StreamTcpPacketStateSynRecv(ThreadVars *tv, Packet *p,
 }
 if (reset == TRUE) {
- StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
- SCLogDebug("ssn %p: Reset received and state changed to "
- "TCP_CLOSED", ssn);
+ StreamTcpCloseSsnWithReset(p, ssn);
 if (ssn->flags & STREAMTCP_FLAG_TIMESTAMP) {
 StreamTcpHandleTimestamp(ssn, p);
@@ -2504,9 +2505,7 @@ static int StreamTcpPacketStateEstablished(ThreadVars *tv, Packet *p,
 return -1;
 if (PKT_IS_TOSERVER(p)) {
- StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
- SCLogDebug("ssn %p: Reset received and state changed to "
- "TCP_CLOSED", ssn);
+ StreamTcpCloseSsnWithReset(p, ssn);
 ssn->server.next_seq = TCP_GET_ACK(p);
 ssn->client.next_seq = TCP_GET_SEQ(p) + p->payload_len;
@@ -2535,9 +2534,7 @@ static int StreamTcpPacketStateEstablished(ThreadVars *tv, Packet *p,
 * packet will take care, otherwise the normal session
 * cleanup. */
 } else {
- StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
- SCLogDebug("ssn %p: Reset received and state changed to "
- "TCP_CLOSED", ssn);
+ StreamTcpCloseSsnWithReset(p, ssn);
 ssn->server.next_seq = TCP_GET_SEQ(p) + p->payload_len + 1;
 ssn->client.next_seq = TCP_GET_ACK(p);
@@ -2829,9 +2826,7 @@ static int StreamTcpPacketStateFinWait1(ThreadVars *tv, Packet *p,
 if (!StreamTcpValidateRst(ssn, p)) return -1;
- StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
- SCLogDebug("ssn %p: Reset received state changed to TCP_CLOSED",
- ssn);
+ StreamTcpCloseSsnWithReset(p, ssn);
 if (PKT_IS_TOSERVER(p)) {
 if ((p->tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->server, p) == 0)
@@ -3268,9 +3263,7 @@ static int StreamTcpPacketStateFinWait2(ThreadVars *tv, Packet *p,
 if (!StreamTcpValidateRst(ssn, p)) return -1;
- StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
- SCLogDebug("ssn %p: Reset received state changed to TCP_CLOSED",
- ssn);
+ StreamTcpCloseSsnWithReset(p, ssn);
 if (PKT_IS_TOSERVER(p)) {
 if ((p->tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->server, p) == 0)
@@ -3567,9 +3560,7 @@ static int StreamTcpPacketStateClosing(ThreadVars *tv, Packet *p,
 if (!StreamTcpValidateRst(ssn, p)) return -1;
- StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
- SCLogDebug("ssn %p: Reset received state changed to TCP_CLOSED",
- ssn);
+ StreamTcpCloseSsnWithReset(p, ssn);
 if (PKT_IS_TOSERVER(p)) {
 if ((p->tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->server, p) == 0)
@@ -3746,9 +3737,7 @@ static int StreamTcpPacketStateCloseWait(ThreadVars *tv, Packet *p,
 if (!StreamTcpValidateRst(ssn, p)) return -1;
- StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
- SCLogDebug("ssn %p: Reset received state changed to TCP_CLOSED",
- ssn);
+ StreamTcpCloseSsnWithReset(p, ssn);
 if (PKT_IS_TOSERVER(p)) {
 if ((p->tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->server, p) == 0)
@@ -4036,9 +4025,7 @@ static int StreamTcpPacketStateLastAck(ThreadVars *tv, Packet *p,
 if (!StreamTcpValidateRst(ssn, p)) return -1;
- StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
- SCLogDebug("ssn %p: Reset received state changed to TCP_CLOSED",
- ssn);
+ StreamTcpCloseSsnWithReset(p, ssn);
 if (PKT_IS_TOSERVER(p)) {
 if ((p->tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->server, p) == 0)
@@ -4163,9 +4150,7 @@ static int StreamTcpPacketStateTimeWait(ThreadVars *tv, Packet *p,
 if (!StreamTcpValidateRst(ssn, p)) return -1;
- StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
- SCLogDebug("ssn %p: Reset received state changed to TCP_CLOSED",
- ssn);
+ StreamTcpCloseSsnWithReset(p, ssn);
 if (PKT_IS_TOSERVER(p)) {
 if ((p->tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->server, p) == 0)
@@ -4372,6 +4357,7 @@ static void StreamTcpPacketCheckPostRst(TcpSession *ssn, Packet *p)
 SCLogDebug("regular packet %"PRIu64" from same sender as " "the previous RST. Looks like it injected!", p->pcap_cnt);
 ostream->flags &= ~STREAMTCP_STREAM_FLAG_RST_RECV;
+ ssn->flags &= ~STREAMTCP_FLAG_CLOSED_BY_RST;
 StreamTcpSetEvent(p, STREAM_SUSPECTED_RST_INJECT);
 return;
 }
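Review bot: `ssn->flags &= ~STREAMTCP_FLAG_CLOSED_BY_RST;` in StreamTcpPacketCheckPostRst clears a session-wide bit on the evidence of one direction only: `ostream` is a single stream, and the flag does not record which side's RST closed the session. If both directions had `STREAMTCP_STREAM_FLAG_RST_RECV` set, a suspected injection on one side would also erase the record of the other side's reset; whether that can happen depends on code outside this hunk. Only flags are reset here and the hunk does not show the session leaving TCP_CLOSED, so a comment stating the intended end state would help, e.g. `/* RST looks injected: ssn was not really closed by it, drop the closed-by-RST marker */`. The function begins above the hunk, so how `ostream` is selected is not visible.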