From ada6981ea7bf99a94e0854e55f1fc88b4f39dd4e Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri, 11 Mar 2022 11:08:10 +0000
Subject: [PATCH] stream: tcp: Handle retransmitted SYN with TSval

For connections that use TCP timestamps for which the first SYN packet
does not reach the server, any replies to retransmitted SYNs will be
tropped.

This is happening in StateSynSentValidateTimestamp, where the timestamp
value in a SYN-ACK packet must match the one from the SYN packet.
However, since the server never received the first SYN packet, it will
respond with an updated timestamp from any of the following SYN packets.

The timestamp value inside suricata is not being updated at any time
which should happen. This patch fixes that problem.

This problem was introduced in 9f0294fadca3dcc18c919424242a41e01f3e8318.

Fixes: #4649 - https://redmine.openinfosecfoundation.org/issues/4649
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/stream-tcp.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index eea743d3c..cf05d498e 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -1636,6 +1636,24 @@ static int StreamTcpPacketStateSynSent(ThreadVars *tv, Packet *p,
                     "ssn->client.last_ack %"PRIu32"", ssn,
                     ssn->client.isn, ssn->client.next_seq,
                     ssn->client.last_ack);
+        } else if (PKT_IS_TOSERVER(p)) {
+            /*
+             * On retransmitted SYN packets, the timestamp value must be updated,
+             * to avoid dropping any SYN+ACK packets that respond to a retransmitted SYN
+             * with an updated timestamp in StateSynSentValidateTimestamp.
+             */
+            if ((ssn->client.flags & STREAMTCP_STREAM_FLAG_TIMESTAMP) && TCP_HAS_TS(p)) {
+                uint32_t ts_val = TCP_GET_TSVAL(p);
+
+                // Check whether packets have been received in the correct order (only ever update)
+                if (ssn->client.last_ts < ts_val) {
+                    ssn->client.last_ts = ts_val;
+                    ssn->client.last_pkt_ts = p->ts.tv_sec;
+                }
+
+                SCLogDebug("ssn %p: Retransmitted SYN. Updated timestamp from packet %" PRIu64, ssn,
+                        p->pcap_cnt);
+            }
         }
 
         /** \todo check if it's correct or set event */
-- 
2.47.2