From: Victor Julien <victor@inliniac.net>
Date: Fri, 18 Jan 2019 14:03:39 +0000 (+0100)
Subject: stream: fix false negative on bad RST
X-Git-Tag: suricata-4.1.3~30
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d8634daf74c882356659addb65fb142b738a186b;p=thirdparty%2Fsuricata.git

stream: fix false negative on bad RST

If a bad RST was received the stream inspection would not happen
for that packet, but it would still move the 'raw progress' tracker
forward. Following good packets would then fail to detect anything
before the 'raw progress' position.

Bug #2770

Reported-by: Alexey Vishnyakov
---

diff --git a/src/detect.c b/src/detect.c
index a7b2124d2b..5270b5649a 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1039,7 +1039,9 @@ static void DetectRunCleanup(DetectEngineThreadCtx *det_ctx,
 
     if (pflow != NULL) {
         /* update inspected tracker for raw reassembly */
-        if (p->proto == IPPROTO_TCP && pflow->protoctx != NULL) {
+        if (p->proto == IPPROTO_TCP && pflow->protoctx != NULL &&
+            (p->flags & PKT_STREAM_EST))
+        {
             StreamReassembleRawUpdateProgress(pflow->protoctx, p,
                     det_ctx->raw_stream_progress);