From: Victor Julien Date: Thu, 19 Mar 2020 20:30:45 +0000 (+0100) Subject: stream/tcp: fix fast open off by one X-Git-Tag: suricata-5.0.3~70 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dd7eb275322c0cfb7bb540675f7faf6cda2ce6e2;p=thirdparty%2Fsuricata.git stream/tcp: fix fast open off by one With data on SYN the sequence number used for the first data was off by one, leading to the next segments to appear to come after a one byte gap. (cherry picked from commit b85539b2aba4cc95a2773b71da44821cd225b50a) --- diff --git a/src/stream-tcp-reassemble.c b/src/stream-tcp-reassemble.c index baadd91b1d..bd242b621f 100644 --- a/src/stream-tcp-reassemble.c +++ b/src/stream-tcp-reassemble.c @@ -642,6 +642,10 @@ int StreamTcpReassembleHandleSegmentHandleData(ThreadVars *tv, TcpReassemblyThre TCP_SEG_LEN(seg) = size; seg->seq = TCP_GET_SEQ(p); + /* HACK: for TFO SYN packets the seq for data starts at + 1 */ + if (TCP_HAS_TFO(p) && p->payload_len && p->tcph->th_flags == TH_SYN) + seg->seq += 1; + /* proto detection skipped, but now we do get data. Set event. */ if (RB_EMPTY(&stream->seg_tree) && stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED) {
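Review bot: the added condition in StreamTcpReassembleHandleSegmentHandleData() compares the whole flags byte with `p->tcph->th_flags == TH_SYN`, so the +1 adjustment is applied only when SYN is the sole flag set. A SYN that carries payload together with any other flag bit (for example the ECN bits on an ECN-setup SYN) would skip the adjustment and still produce the one-byte gap the commit message describes. If that is not intended, test the bit instead, e.g. `(p->tcph->th_flags & TH_SYN)`, or mask off the bits that should be ignored before comparing. A bit test would also match SYN/ACK, so whether data on SYN/ACK needs the same adjustment should be decided explicitly. Separately, the "HACK" comment would be more useful if it stated the reason (the SYN itself consumes one sequence number, so the first data byte sits at the SYN's sequence number plus one), and a regression test with a payload-bearing TFO SYN followed by a normal segment would pin the behaviour down.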