From b93a302a5b3d011bc43118cce5037e89becab2f2 Mon Sep 17 00:00:00 2001
From: Victor Julien <victor@inliniac.net>
Date: Wed, 3 Feb 2016 09:51:33 +0100
Subject: [PATCH] stream: improve StreamTcpSegmentForEach for IPS

StreamTcpSegmentForEach would only return ACK'd segments. This lead
to missing stream data in alerts when running in IPS mode.

This patch changes the behavior for IPS. All segments are iterated
now, also the non-ACK'd ones. For IDS mode the behavior is unchanged.
---
 src/stream-tcp.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index 9dce70709e..4c0a81d7f2 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -5920,8 +5920,8 @@ void StreamTcpPseudoPacketCreateStreamEndPacket(ThreadVars *tv, StreamTcpThread
 /**
  * \brief Run callback function on each TCP segment
  *
- * This function is used by StreamMsgForEach() which
- * should be used directly.
+ * \note when stream engine is running in inline mode all segments are used,
+ *       in IDS/non-inline mode only ack'd segments are iterated.
  *
  * \return -1 in case of error, the number of segment in case of success
  *
@@ -5949,8 +5949,12 @@ int StreamTcpSegmentForEach(const Packet *p, uint8_t flag, StreamSegmentCallback
     } else {
         stream = &(ssn->client);
     }
+
+    /* for IDS, return ack'd segments. For IPS all. */
     TcpSegment *seg = stream->seg_list;
-    for (; seg != NULL && SEQ_LT(seg->seq, stream->last_ack);) {
+    for (; seg != NULL &&
+            (stream_inline || SEQ_LT(seg->seq, stream->last_ack));)
+    {
         ret = CallbackFunc(p, data, seg->payload, seg->payload_len);
         if (ret != 1) {
             SCLogDebug("Callback function has failed");
-- 
2.47.2