
Stream backports/60x/v4 #8569

Merged
merged 13 commits into from Mar 28, 2023

Conversation

victorjulien (Member)

Backports for #8563

suricata-verify-pr: 1136

replaces #8568 adding more

victorjulien and others added 13 commits March 1, 2023 14:58
If an in-tree segment was partly before base_seq the overlap detection
miscalculated the data offset. This led to memcmp comparing the wrong
data.

Bug: OISF#5881.

(cherry picked from commit cbcd705)

An ACK that ACK'd older data while still being in-window could
lead to FIN_WAIT1 to FIN_WAIT2 state transition. Detect this
case and generally harden the check.

Bug: OISF#5877.
(cherry picked from commit 67af94f)

Only update the ack value of a session for regular packets when
the ACK bit is set.

(cherry picked from commit 0d81173)

next_seq sometimes depends on last_ack in cases of packet loss
catch up, so first update it.

Bug: OISF#5877.
(cherry picked from commit 20df715)

Update next_seq to SEQ + payload_len + 1, so retransmission checks
work better.

Bug: OISF#5877.
(cherry picked from commit 80a012a)

For accepted FIN packets, always update next_seq. This helps track the
FIN sequence.

Bug: OISF#5877.
(cherry picked from commit 551fb80)

On every accepted packet in established state, update next_seq if
packet seq+len is larger than existing next_seq. This allows it to
catch up after large gaps that are filled again a bit later.

Bug: OISF#5877.
(cherry picked from commit 76225bf)

RFC 2883 specifies a special use of SACKs to indicate a host has
received a segment it considers a spurious retransmission.

(cherry picked from commit d79a926)

Linux is slightly more permissive wrt timestamps than many
other OSes. To avoid many events/issues with Linux hosts, add an
option to allow for this slightly more permissive behavior.

Ideally the host-os config would be used, but in practice this
setting is rarely set up correctly, if at all.

This option is enabled by default.

(cherry picked from commit 01b7ccc)

Not ack'ing the data.

(cherry picked from commit 7ef57cc)

Support case where there are multiple SYN retransmits, where
each has a new timestamp.

Before this patch, Suricata would only accept a SYN/ACK that
matches the last timestamp. However, observed behavior is that
the server may choose to only respond to the first. In IPS mode
this could lead to a connection timing out as Suricata drops
the SYN/ACK it considers wrong, and the server continues to
retransmit it.

This patch reuses the SYN/ACK queuing logic to keep a list
of SYN packets and their window, timestamp, wscale and sackok
settings. Then when the SYN/ACK arrives, it is first evaluated
against the normal session state. But if it fails due to a
timestamp mismatch, it will look for queued SYNs and see if
any of them match the timestamp. If one does, the ssn is updated
to use that SYN and the SYN/ACK is accepted.

Bug: OISF#5856.
(cherry picked from commit 7bfee14)
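Two of the rules in the commit messages above, the next_seq catch-up on accepted segments (including the +1 for FIN) and the RFC 2883 D-SACK interpretation of the first SACK block, are illustrated below in a small Python model. This is an added example written for this page, not Suricata's own stream engine code; the function names (`catch_up_next_seq`, `find_dsack`), the `SackBlock` layout with an exclusive right edge, and the sample sequence numbers are all constructed assumptions. The 32-bit wrapping comparison helpers follow the usual serial-number arithmetic rather than any Suricata macro.

```python
"""Sequence-number helpers modelling two TCP tracking rules from the
backport commit messages: next_seq catch-up and RFC 2883 D-SACK detection.
Added example; not Suricata code."""

from dataclasses import dataclass
from typing import List, Optional

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap around


def seq_lt(a: int, b: int) -> bool:
    """True if a precedes b in 32-bit wrapping sequence space (a < b)."""
    return ((a - b) & MASK) >= 0x80000000


def seq_gt(a: int, b: int) -> bool:
    """True if a follows b in wrapping sequence space (a > b)."""
    return seq_lt(b, a)


def seq_leq(a: int, b: int) -> bool:
    """True if a == b or a precedes b."""
    return a == b or seq_lt(a, b)


def catch_up_next_seq(next_seq: int, seq: int, payload_len: int,
                      fin: bool = False) -> int:
    """Return the tracker's new next_seq after accepting a segment.

    Models the rule "update next_seq if packet seq+len is larger than the
    existing next_seq": a segment that reaches beyond next_seq (for example
    because it fills a gap left by earlier loss) moves next_seq forward; a
    segment that ends at or before next_seq leaves it untouched. A FIN
    consumes one sequence number, hence the +1 when fin is set.
    """
    end = (seq + payload_len + (1 if fin else 0)) & MASK
    return end if seq_gt(end, next_seq) else next_seq


@dataclass(frozen=True)
class SackBlock:
    left: int   # first sequence number covered (inclusive)
    right: int  # one past the last sequence number covered (exclusive)


def find_dsack(ack: int, blocks: List[SackBlock]) -> Optional[SackBlock]:
    """Return the first SACK block if it is a D-SACK per RFC 2883, else None.

    RFC 2883 reserves the first SACK block for reporting duplicate data:
      * it starts below the cumulative ACK (data that was already ACKed), or
      * it is fully contained within the second SACK block (a duplicate
        that lies above the cumulative ACK).
    In both cases the receiver is telling the sender that the most recent
    segment was a spurious retransmission, so a stream tracker should not
    treat such a block as a newly received, out-of-order range.
    """
    if not blocks:
        return None
    first = blocks[0]
    if seq_lt(first.left, ack):
        return first
    if len(blocks) >= 2:
        second = blocks[1]
        if seq_leq(second.left, first.left) and seq_leq(first.right, second.right):
            return first
    return None


if __name__ == "__main__":
    # Constructed values: cumulative ACK 1000, first block reports already-ACKed data.
    print(find_dsack(1000, [SackBlock(500, 600)]))
    # Constructed values: a segment landing past next_seq pulls it forward.
    print(catch_up_next_seq(1000, 1200, 100))
```

The wrapping comparisons matter for the catch-up rule: a plain `>` on Python integers would refuse to advance `next_seq` across the 2^32 boundary, which is exactly the situation in long-lived flows where sequence numbers wrap.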
@victorjulien victorjulien requested a review from a team as a code owner March 2, 2023 17:25
@suricata-qa

Information: QA ran without warnings.

Pipeline 12671

@victorjulien victorjulien mentioned this pull request Mar 19, 2023
@victorjulien victorjulien merged commit a48e022 into OISF:master-6.0.x Mar 28, 2023
@victorjulien victorjulien deleted the stream-backports/60x/v4 branch July 17, 2023 11:42