From fb26268c6b758569eab2e29b09ecbc599f5ed112 Mon Sep 17 00:00:00 2001
From: Victor Julien <victor@inliniac.net>
Date: Thu, 17 Oct 2019 15:42:15 +0200
Subject: [PATCH] tcp: don't set event on empty SACK opt

TCP_OPT_INVALID_LEN was set if the opt len was 2. While useless
an empty SACK is not uncommon.

Seen on an iOS device talking to an Apple server.

Bug #3254.
---
 src/decode-tcp.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/decode-tcp.c b/src/decode-tcp.c
index ce95ddce5d..0d464bbe7b 100644
--- a/src/decode-tcp.c
+++ b/src/decode-tcp.c
@@ -138,9 +138,10 @@ static void DecodeTCPOptions(Packet *p, const uint8_t *pkt, uint16_t pktlen)
                     break;
                 case TCP_OPT_SACK:
                     SCLogDebug("SACK option, len %u", olen);
-                    if (olen < TCP_OPT_SACK_MIN_LEN ||
+                    if ((olen != 2) &&
+                           (olen < TCP_OPT_SACK_MIN_LEN ||
                             olen > TCP_OPT_SACK_MAX_LEN ||
-                            !((olen - 2) % 8 == 0))
+                            !((olen - 2) % 8 == 0)))
                     {
                         ENGINE_SET_EVENT(p,TCP_OPT_INVALID_LEN);
                     } else {
-- 
2.47.2