stream/tcp: don't reject on bad ack

Not using a packet for the streaming analysis when a non zero ACK value and ACK bit was unset was leading to evasion as it was possible to start a session with a SYN packet with a non zero ACK value to see the full TCP stream to escape all stream and application layer detection. This addresses CVE-2021-35063. Fixes: fa692df37 ("stream: reject broken ACK packets") Ticket: #4504.
4 years ago · 556570f7dd
parent 0d81173d6e
commit 556570f7dd
1 changed files with 0 additions and 1 deletions
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@ -4831,7 +4831,6 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
    /* broken TCP http://ask.wireshark.org/questions/3183/acknowledgment-number-broken-tcp-the-acknowledge-field-is-nonzero-while-the-ack-flag-is-not-set */
    if (!(p->tcph->th_flags & TH_ACK) && TCP_GET_ACK(p) != 0) {
        StreamTcpSetEvent(p, STREAM_PKT_BROKEN_ACK);
-        goto error;
    }

    /* If we are on IPS mode, and got a drop action triggered from