From 643d502d9ee88fab308ae50b81d25ff2621f7871 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 8 Jun 2022 13:11:55 +0200
Subject: [PATCH] stream/midstream: fix double flow reverse case

In the case of midstream SYN/ACK pickup, we reverse the flow based on the SYN/ACK. If we then later get traffic that appears to be in the reverse direction based on the app-layer, we would reverse it again. This isn't correct. When we have the SYN/ACK we know the flow's real direction.

(cherry picked from commit fea374626ac9d0dfe69df24958596867f9e42734)
---
 src/app-layer.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/app-layer.c b/src/app-layer.c
index a80606b572..3b9465d67e 100644
--- a/src/app-layer.c
+++ b/src/app-layer.c
@@ -361,7 +361,9 @@ static int TCPProtoDetect(ThreadVars *tv,
 /* if protocol detection indicated that we need to reverse
 * the direction of the flow, do it now. We flip the flow,
 * packet and the direction flags */
- if (reverse_flow && (ssn->flags & STREAMTCP_FLAG_MIDSTREAM)) {
+ if (reverse_flow &&
+ ((ssn->flags & (STREAMTCP_FLAG_MIDSTREAM | STREAMTCP_FLAG_MIDSTREAM_SYNACK)) ==
+ STREAMTCP_FLAG_MIDSTREAM)) {
 /* but only if we didn't already detect it on the other side. */
 if (*alproto_otherdir == ALPROTO_UNKNOWN) {
 SCLogDebug("reversing flow after proto detect told us so");
--
2.47.2
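Review bot: The reason for excluding `STREAMTCP_FLAG_MIDSTREAM_SYNACK` is recorded only in the commit message; the comment above the new condition still reads as if every midstream flow is flipped whenever protocol detection asks for it. I would add a line such as `/* a midstream SYN/ACK pickup already set the real direction, so never flip it again */` next to the mask-and-compare, so it is not later simplified back to a plain flag test. When `reverse_flow` is set on a SYN/ACK pickup, the disagreement between app-layer detection and the stream direction now appears to be skipped silently. Since direction-sensitive rule matching depends on this value, an `SCLogDebug` on that path would make such flows easier to diagnose. The body of `TCPProtoDetect` starts and ends outside the hunk, so whether that case is handled further down is not visible here.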