From: Victor Julien Date: Thu, 17 Oct 2019 13:42:15 +0000 (+0200) Subject: tcp: don't set event on empty SACK opt X-Git-Tag: suricata-5.0.1~117 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fb26268c6b758569eab2e29b09ecbc599f5ed112;p=thirdparty%2Fsuricata.git tcp: don't set event on empty SACK opt TCP_OPT_INVALID_LEN was set if the opt len was 2. While useless an empty SACK is not uncommon. Seen on an iOS device talking to an Apple server. Bug #3254. --- diff --git a/src/decode-tcp.c b/src/decode-tcp.c index ce95ddce5d..0d464bbe7b 100644 --- a/src/decode-tcp.c +++ b/src/decode-tcp.c @@ -138,9 +138,10 @@ static void DecodeTCPOptions(Packet *p, const uint8_t *pkt, uint16_t pktlen) break; case TCP_OPT_SACK: SCLogDebug("SACK option, len %u", olen); - if (olen < TCP_OPT_SACK_MIN_LEN || + if ((olen != 2) && + (olen < TCP_OPT_SACK_MIN_LEN || olen > TCP_OPT_SACK_MAX_LEN || - !((olen - 2) % 8 == 0)) + !((olen - 2) % 8 == 0))) { ENGINE_SET_EVENT(p,TCP_OPT_INVALID_LEN); } else {
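Review bot: the bare `2` in the new `(olen != 2)` test of the `TCP_OPT_SACK` case is a magic number, and nothing at that spot says an empty SACK is being tolerated on purpose. The same literal already appears in `(olen - 2) % 8`, so a named constant for the two-byte option header (kind plus length), or a one-line comment above the condition, would keep the intent from living only in the commit message. Second point: with `olen == 2` the packet now falls through to the `else` branch, whose body is not visible in this hunk. It is worth confirming that whatever is recorded there, and any later code that reads the SACK data, copes with an option that carries zero blocks (`olen - 2 == 0`). A decoder test that feeds a SACK option of length 2 and checks that `TCP_OPT_INVALID_LEN` is not set, while lengths such as 3 or 9 still set it, would pin the behaviour down.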