From: Victor Julien Date: Mon, 27 Feb 2023 14:42:37 +0000 (+0100) Subject: stream: reuse TCP session after TFO SYN+data reject X-Git-Tag: suricata-7.0.0-rc2~547 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ceebd6e90416c8ac35ce9b07cca8e37f7ed5c0e2;p=thirdparty%2Fsuricata.git stream: reuse TCP session after TFO SYN+data reject
---
diff --git a/src/output-eve-stream.c b/src/output-eve-stream.c
index 15735bf819..0d0d134a06 100644
--- a/src/output-eve-stream.c
+++ b/src/output-eve-stream.c
@@ -250,6 +250,9 @@ void EveAddFlowTcpFlags(const TcpSession *ssn, const char *name, JsonBuilder *jb
     if (ssn->flags & STREAMTCP_FLAG_TCP_FAST_OPEN) {
         jb_append_string(jb, "tcp_fast_open");
     }
+    if (ssn->flags & STREAMTCP_FLAG_TFO_DATA_IGNORED) {
+        jb_append_string(jb, "tfo_data_ignored");
+    }
     jb_close(jb);
     jb_close(jb);
 }
diff --git a/src/stream-tcp-private.h b/src/stream-tcp-private.h
index ec3366ce00..c148225ab1 100644
--- a/src/stream-tcp-private.h
+++ b/src/stream-tcp-private.h
@@ -202,6 +202,8 @@ enum TcpState {
 #define STREAMTCP_FLAG_BYPASS BIT_U32(14)
 /** SSN uses TCP Fast Open */
 #define STREAMTCP_FLAG_TCP_FAST_OPEN BIT_U32(15)
+/** SYN/ACK ignored the data while ACKing the SYN */
+#define STREAMTCP_FLAG_TFO_DATA_IGNORED BIT_U32(16)
 
 /*
  * Per STREAM flags
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index b80e71a19a..a7503501dc 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
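Review bot: The `tfo_data_ignored` string appended in EveAddFlowTcpFlags is a new externally visible EVE value, and the commit touches nothing outside the C sources; if the project keeps a schema or documentation enumerating the allowed strings in this flags array, that list should be updated in the same commit, otherwise downstream consumers validating the output will reject records carrying the new value. The hunk shows only the neighbouring `tcp_fast_open` case, so whether such a list exists cannot be told from here. The rest of EveAddFlowTcpFlags lies outside the hunk.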
@@ -1768,9 +1768,10 @@ static int StreamTcpPacketStateSynSent(
                 SCLogDebug("ssn %p: (TFO) ACK matches ISN+1, packet ACK %" PRIu32 " == "
                            "%" PRIu32 " from stream",
                         ssn, TCP_GET_ACK(p), ssn->client.isn + 1);
-                ssn->client.next_seq = ssn->client.isn;
+                ssn->client.next_seq = ssn->client.isn; // reset to ISN
                 SCLogDebug("ssn %p: (TFO) next_seq reset to isn (%u)", ssn, ssn->client.next_seq);
                 StreamTcpSetEvent(p, STREAM_3WHS_SYNACK_TFO_DATA_IGNORED);
+                ssn->flags |= STREAMTCP_FLAG_TFO_DATA_IGNORED;
             } else {
                 StreamTcpSetEvent(p, STREAM_3WHS_SYNACK_WITH_WRONG_ACK);
                 SCLogDebug("ssn %p: (TFO) ACK mismatch, packet ACK %" PRIu32 " != "
@@ -5516,6 +5517,12 @@ static int TcpSessionReuseDoneEnoughSyn(const Packet *p, const Flow *f, const Tc
         SCLogDebug("steam starter packet %" PRIu64 ", ssn %p null. Reuse.", p->pcap_cnt, ssn);
         return 1;
     }
+    if (ssn->flags & STREAMTCP_FLAG_TFO_DATA_IGNORED) {
+        SCLogDebug("steam starter packet %" PRIu64
+                   ", ssn %p. STREAMTCP_FLAG_TFO_DATA_IGNORED set. Reuse.",
+                p->pcap_cnt, ssn);
+        return 1;
+    }
     if (SEQ_EQ(ssn->client.isn, TCP_GET_SEQ(p))) {
         SCLogDebug("steam starter packet %"PRIu64", ssn %p. Packet SEQ == Stream ISN. Retransmission. Don't reuse.", p->pcap_cnt, ssn);
         return 0;
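Review bot: The `// reset to ISN` trailer added to the `next_seq` assignment in StreamTcpPacketStateSynSent only restates the debug message on the next line instead of recording why the reset is done; the useful comment is the reason the surrounding log text and event name imply, e.g. `// SYN/ACK ACKed only ISN+1, i.e. the data sent on the TFO SYN was ignored: restart the client stream at the ISN`. Leaving the rationale in a debug string means it disappears from non-debug builds and has to be reconstructed by the next reader. The enclosing if/else and the function itself begin and end outside the hunk.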
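Review bot: The new STREAMTCP_FLAG_TFO_DATA_IGNORED test in TcpSessionReuseDoneEnoughSyn is placed before the existing `SEQ_EQ(ssn->client.isn, TCP_GET_SEQ(p))` retransmission check, and nothing in this diff ever clears the flag once the SynSent hunk sets it, so every later SYN on that tuple — including a plain retransmission of the original SYN with the same ISN, which the next check would otherwise classify as "Retransmission. Don't reuse." — now qualifies the session for reuse. If reuse is only meant for the client's fresh attempt after the reject, the smallest fix is to move the new block below the `if (SEQ_EQ(...)) { ... return 0; }` so a same-ISN SYN keeps the existing session; if unconditional reuse is intended, a one-line comment stating that a retransmitted SYN is deliberately treated as a new session would stop a later reader from reordering the checks. Because this condition decides when tracked stream state is discarded on a bare SYN, the narrower ordering is the safer default unless the wider one is needed. The added SCLogDebug also copies the `steam` typo from the neighbouring messages. TcpSessionReuseDoneEnoughSyn starts and ends outside the hunk.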