From: Victor Julien Date: Wed, 3 Feb 2016 08:51:33 +0000 (+0100) Subject: stream: improve StreamTcpSegmentForEach for IPS X-Git-Tag: suricata-3.0.1RC1~154 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1846%2Fhead;p=thirdparty%2Fsuricata.git stream: improve StreamTcpSegmentForEach for IPS StreamTcpSegmentForEach would only return ACK'd segments. This lead to missing stream data in alerts when running in IPS mode. This patch changes the behavior for IPS. All segments are iterated now, also the non-ACK'd ones. For IDS mode the behavior is unchanged. --- diff --git a/src/stream-tcp.c b/src/stream-tcp.c index 9dce70709e..4c0a81d7f2 100644 --- a/src/stream-tcp.c +++ b/src/stream-tcp.c @@ -5920,8 +5920,8 @@ void StreamTcpPseudoPacketCreateStreamEndPacket(ThreadVars *tv, StreamTcpThread /** * \brief Run callback function on each TCP segment * - * This function is used by StreamMsgForEach() which - * should be used directly. + * \note when stream engine is running in inline mode all segments are used, + * in IDS/non-inline mode only ack'd segments are iterated. * * \return -1 in case of error, the number of segment in case of success * @@ -5949,8 +5949,12 @@ int StreamTcpSegmentForEach(const Packet *p, uint8_t flag, StreamSegmentCallback } else { stream = &(ssn->client); } + + /* for IDS, return ack'd segments. For IPS all. */ TcpSegment *seg = stream->seg_list; - for (; seg != NULL && SEQ_LT(seg->seq, stream->last_ack);) { + for (; seg != NULL && + (stream_inline || SEQ_LT(seg->seq, stream->last_ack));) + { ret = CallbackFunc(p, data, seg->payload, seg->payload_len); if (ret != 1) { SCLogDebug("Callback function has failed");
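Review bot: In the first hunk (the doc comment of StreamTcpSegmentForEach), the new \note says which segments are iterated in each mode but not what that means for the callback: in inline mode the payload passed to it can include data the receiver has not ACK'd yet. I would add one sentence stating that, since callers written against the old behaviour could assume ACK'd data only. The wording should also be consistent: the note says "inline mode" and "IDS/non-inline mode", while the code comment in the second hunk and the commit message say "IPS". The sentence about StreamMsgForEach() is removed without a mention in the commit message; a short reason would help.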
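Review bot: In the second hunk, once stream_inline is set the for condition is bounded only by seg != NULL, so the callback runs over the whole seg_list and the return value, documented above as "the number of segment in case of success", now counts different things in IDS and IPS mode. Callers that use the count should be checked, and the doc comment should state the difference. stream_inline is not declared in the visible lines, so the comment "for IDS, return ack'd segments. For IPS all." could say where the flag is set. The patch touches only src/stream-tcp.c; a unit test that queues segments at or beyond last_ack and asserts the callback sees them with stream_inline set, and does not see them without it, would pin down both behaviours.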