Please sign in to comment.
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
stream: fix SYN_SENT RST/FIN injection
RST injection during the SYN_SENT state could trick Suricata into marking a session as CLOSED. The way this was done is: using invalid TSECR value in RST+ACK packet. The ACK was needed to force Linux into considering the TSECR value and compare it to the TSVAL from the SYN packet. The second works only against Windows. The client would not use a TSVAL but the RST packet would. Windows will reject this, but Suricata considered the RST valid and triggered the CLOSED logic. This patch addresses both. When the SYN packet used timestamp support the timestamp of incoming packet is validated. Otherwise, packet responding should not have a timestamp. Bug #3286 Reported-by: Nicolas Adba
- Loading branch information