From: Victor Julien Date: Thu, 21 Nov 2019 15:10:21 +0000 (+0100) Subject: stream: reject broken ACK packets X-Git-Tag: suricata-5.0.1~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fa692df37a796c3330c81988d15ef1a219afc006;p=thirdparty%2Fsuricata.git stream: reject broken ACK packets Fix evasion posibility by rejecting packets with a broken ACK field. These packets have a non-0 ACK field, but do not have a ACK flag set. Bug #3324. Reported-by: Nicolas Adba
---
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index b38f40cd54..df392376ba 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -4803,6 +4803,7 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
/* broken TCP http://ask.wireshark.org/questions/3183/acknowledgment-number-broken-tcp-the-acknowledge-field-is-nonzero-while-the-ack-flag-is-not-set */
if (!(p->tcph->th_flags & TH_ACK) && TCP_GET_ACK(p) != 0) {
StreamTcpSetEvent(p, STREAM_PKT_BROKEN_ACK);
+ goto error;
}
/* If we are on IPS mode, and got a drop action triggered from
@@ -6929,7 +6930,7 @@ static int StreamTcpTest10 (void)
tcph.th_win = htons(5480);
tcph.th_seq = htonl(10);
- tcph.th_ack = htonl(11);
+ tcph.th_ack = 0;
tcph.th_flags = TH_SYN;
p->tcph = &tcph;
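Review bot: The added `goto error` turns a packet that previously only raised STREAM_PKT_BROKEN_ACK and kept being tracked into one that leaves StreamTcpPacket early, but the `error:` label and what it does with the packet in IDS versus inline mode are outside the hunk, so it should be confirmed that the packet is not silently passed in IPS mode rather than dropped. The comment above the check still only cites the Wireshark question; it should state why the packet is now rejected, e.g. `/* reject: a non-zero ACK without TH_ACK can be used to evade stream tracking (bug #3324) */`. The second hunk only adjusts StreamTcpTest10's SYN fixture to `tcph.th_ack = 0;` so the existing test keeps passing; a unit test that feeds a SYN with a non-zero ACK and expects the packet to be rejected would pin the new behaviour, but that hunk is cut off here. StreamTcpPacket continues outside the hunk.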