Skip to content

Commit

Permalink
stream: RST no longer acks all data
Browse files Browse the repository at this point in the history
Since forever (1578ef1) a valid RST
would update the internal `last_ack` representation to include all
unack'd data. This was originally done to make sure the unACK'd data was
inspected/processed at flow timeout.

It was observed however, that if GAPs existed in this unACK'd data, a
GAP could be reported in the stats and a GAP event would be raised. This
doesn't make sense, as missing segments in the unACK'd part of the
stream are completely normal. Segments simply do not all arrive in
order.

It turns out that the original behavior of updating `last_ack` to
include all unACK'd data is no longer needed.

For raw stream inspection, the detection engine will already include the
unACK'd data on flow end.

For app-layer updates the unACK'd data is often harmful, as the data
often has GAPs. Parser like the http parser would report these GAPs and
could also get confused about the post-GAP data being a new transaction
including a file. This lead to many reported errors and fantom txs and
files.

Since the GAP detection uses `last_ack` to determine GAPs, not moving
`last_ack` addresses the GAP false positives.

Ticket: #7422.
  • Loading branch information
victorjulien committed Jan 10, 2025
1 parent 829ba7d commit bd1b9f6
Showing 1 changed file with 28 additions and 68 deletions.
96 changes: 28 additions & 68 deletions src/stream-tcp.c
Original file line number Diff line number Diff line change
Expand Up @@ -3062,32 +3062,6 @@ static int HandleEstablishedPacketToClient(
return 0;
}

/**
* \internal
*
* \brief Find the highest sequence number needed to consider all segments as ACK'd
*
* Used to treat all segments as ACK'd upon receiving a valid RST.
*
* \param stream stream to inspect the segments from
* \param seq sequence number to check against
*
* \retval ack highest ack we need to set
*/
static inline uint32_t StreamTcpResetGetMaxAck(TcpStream *stream, uint32_t seq)
{
uint32_t ack = seq;

if (STREAM_HAS_SEEN_DATA(stream)) {
const uint32_t tail_seq = STREAM_SEQ_RIGHT_EDGE(stream);
if (SEQ_GT(tail_seq, ack)) {
ack = tail_seq;
}
}

SCReturnUInt(ack);
}

static bool StreamTcpPacketIsZeroWindowProbeAck(const TcpSession *ssn, const Packet *p)
{
const TCPHdr *tcph = PacketGetTCP(p);
Expand Down Expand Up @@ -3309,10 +3283,9 @@ static int StreamTcpPacketStateEstablished(
ssn->client.window = window << ssn->client.wscale;

if ((tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->server, p) == 0)
StreamTcpUpdateLastAck(
ssn, &ssn->server, StreamTcpResetGetMaxAck(&ssn->server, window));
StreamTcpUpdateLastAck(ssn, &ssn->server, ack);

StreamTcpUpdateLastAck(ssn, &ssn->client, StreamTcpResetGetMaxAck(&ssn->client, seq));
StreamTcpUpdateLastAck(ssn, &ssn->client, seq);

if (ssn->flags & STREAMTCP_FLAG_TIMESTAMP) {
StreamTcpHandleTimestamp(ssn, p);
Expand All @@ -3337,10 +3310,9 @@ static int StreamTcpPacketStateEstablished(
ssn->server.window = window << ssn->server.wscale;

if ((tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->client, p) == 0)
StreamTcpUpdateLastAck(
ssn, &ssn->client, StreamTcpResetGetMaxAck(&ssn->client, ack));
StreamTcpUpdateLastAck(ssn, &ssn->client, ack);

StreamTcpUpdateLastAck(ssn, &ssn->server, StreamTcpResetGetMaxAck(&ssn->server, seq));
StreamTcpUpdateLastAck(ssn, &ssn->server, seq);

if (ssn->flags & STREAMTCP_FLAG_TIMESTAMP) {
StreamTcpHandleTimestamp(ssn, p);
Expand Down Expand Up @@ -3641,10 +3613,9 @@ static int StreamTcpPacketStateFinWait1(

if (PKT_IS_TOSERVER(p)) {
if ((tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->server, p) == 0)
StreamTcpUpdateLastAck(
ssn, &ssn->server, StreamTcpResetGetMaxAck(&ssn->server, ack));
StreamTcpUpdateLastAck(ssn, &ssn->server, ack);

StreamTcpUpdateLastAck(ssn, &ssn->client, StreamTcpResetGetMaxAck(&ssn->client, seq));
StreamTcpUpdateLastAck(ssn, &ssn->client, seq);

if (ssn->flags & STREAMTCP_FLAG_TIMESTAMP) {
StreamTcpHandleTimestamp(ssn, p);
Expand All @@ -3653,10 +3624,9 @@ static int StreamTcpPacketStateFinWait1(
StreamTcpReassembleHandleSegment(tv, stt->ra_ctx, ssn, &ssn->client, p);
} else {
if ((tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->client, p) == 0)
StreamTcpUpdateLastAck(
ssn, &ssn->client, StreamTcpResetGetMaxAck(&ssn->client, ack));
StreamTcpUpdateLastAck(ssn, &ssn->client, ack);

StreamTcpUpdateLastAck(ssn, &ssn->server, StreamTcpResetGetMaxAck(&ssn->server, seq));
StreamTcpUpdateLastAck(ssn, &ssn->server, seq);

if (ssn->flags & STREAMTCP_FLAG_TIMESTAMP) {
StreamTcpHandleTimestamp(ssn, p);
Expand Down Expand Up @@ -4085,10 +4055,9 @@ static int StreamTcpPacketStateFinWait2(

if (PKT_IS_TOSERVER(p)) {
if ((tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->server, p) == 0)
StreamTcpUpdateLastAck(
ssn, &ssn->server, StreamTcpResetGetMaxAck(&ssn->server, ack));
StreamTcpUpdateLastAck(ssn, &ssn->server, ack);

StreamTcpUpdateLastAck(ssn, &ssn->client, StreamTcpResetGetMaxAck(&ssn->client, seq));
StreamTcpUpdateLastAck(ssn, &ssn->client, seq);

if (ssn->flags & STREAMTCP_FLAG_TIMESTAMP) {
StreamTcpHandleTimestamp(ssn, p);
Expand All @@ -4097,10 +4066,9 @@ static int StreamTcpPacketStateFinWait2(
StreamTcpReassembleHandleSegment(tv, stt->ra_ctx, ssn, &ssn->client, p);
} else {
if ((tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->client, p) == 0)
StreamTcpUpdateLastAck(
ssn, &ssn->client, StreamTcpResetGetMaxAck(&ssn->client, ack));
StreamTcpUpdateLastAck(ssn, &ssn->client, ack);

StreamTcpUpdateLastAck(ssn, &ssn->server, StreamTcpResetGetMaxAck(&ssn->server, seq));
StreamTcpUpdateLastAck(ssn, &ssn->server, seq);

if (ssn->flags & STREAMTCP_FLAG_TIMESTAMP) {
StreamTcpHandleTimestamp(ssn, p);
Expand Down Expand Up @@ -4385,10 +4353,9 @@ static int StreamTcpPacketStateClosing(

if (PKT_IS_TOSERVER(p)) {
if ((tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->server, p) == 0)
StreamTcpUpdateLastAck(
ssn, &ssn->server, StreamTcpResetGetMaxAck(&ssn->server, ack));
StreamTcpUpdateLastAck(ssn, &ssn->server, ack);

StreamTcpUpdateLastAck(ssn, &ssn->client, StreamTcpResetGetMaxAck(&ssn->client, seq));
StreamTcpUpdateLastAck(ssn, &ssn->client, seq);

if (ssn->flags & STREAMTCP_FLAG_TIMESTAMP) {
StreamTcpHandleTimestamp(ssn, p);
Expand All @@ -4397,10 +4364,9 @@ static int StreamTcpPacketStateClosing(
StreamTcpReassembleHandleSegment(tv, stt->ra_ctx, ssn, &ssn->client, p);
} else {
if ((tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->client, p) == 0)
StreamTcpUpdateLastAck(
ssn, &ssn->client, StreamTcpResetGetMaxAck(&ssn->client, ack));
StreamTcpUpdateLastAck(ssn, &ssn->client, ack);

StreamTcpUpdateLastAck(ssn, &ssn->server, StreamTcpResetGetMaxAck(&ssn->server, seq));
StreamTcpUpdateLastAck(ssn, &ssn->server, seq);

if (ssn->flags & STREAMTCP_FLAG_TIMESTAMP) {
StreamTcpHandleTimestamp(ssn, p);
Expand Down Expand Up @@ -4560,10 +4526,9 @@ static int StreamTcpPacketStateCloseWait(

if (PKT_IS_TOSERVER(p)) {
if ((tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->server, p) == 0)
StreamTcpUpdateLastAck(
ssn, &ssn->server, StreamTcpResetGetMaxAck(&ssn->server, ack));
StreamTcpUpdateLastAck(ssn, &ssn->server, ack);

StreamTcpUpdateLastAck(ssn, &ssn->client, StreamTcpResetGetMaxAck(&ssn->client, seq));
StreamTcpUpdateLastAck(ssn, &ssn->client, seq);

if (ssn->flags & STREAMTCP_FLAG_TIMESTAMP) {
StreamTcpHandleTimestamp(ssn, p);
Expand All @@ -4572,10 +4537,9 @@ static int StreamTcpPacketStateCloseWait(
StreamTcpReassembleHandleSegment(tv, stt->ra_ctx, ssn, &ssn->client, p);
} else {
if ((tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->client, p) == 0)
StreamTcpUpdateLastAck(
ssn, &ssn->client, StreamTcpResetGetMaxAck(&ssn->client, ack));
StreamTcpUpdateLastAck(ssn, &ssn->client, ack);

StreamTcpUpdateLastAck(ssn, &ssn->server, StreamTcpResetGetMaxAck(&ssn->server, seq));
StreamTcpUpdateLastAck(ssn, &ssn->server, seq);

if (ssn->flags & STREAMTCP_FLAG_TIMESTAMP) {
StreamTcpHandleTimestamp(ssn, p);
Expand Down Expand Up @@ -4845,10 +4809,9 @@ static int StreamTcpPacketStateLastAck(

if (PKT_IS_TOSERVER(p)) {
if ((tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->server, p) == 0)
StreamTcpUpdateLastAck(
ssn, &ssn->server, StreamTcpResetGetMaxAck(&ssn->server, ack));
StreamTcpUpdateLastAck(ssn, &ssn->server, ack);

StreamTcpUpdateLastAck(ssn, &ssn->client, StreamTcpResetGetMaxAck(&ssn->client, seq));
StreamTcpUpdateLastAck(ssn, &ssn->client, seq);

if (ssn->flags & STREAMTCP_FLAG_TIMESTAMP) {
StreamTcpHandleTimestamp(ssn, p);
Expand All @@ -4857,10 +4820,9 @@ static int StreamTcpPacketStateLastAck(
StreamTcpReassembleHandleSegment(tv, stt->ra_ctx, ssn, &ssn->client, p);
} else {
if ((tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->client, p) == 0)
StreamTcpUpdateLastAck(
ssn, &ssn->client, StreamTcpResetGetMaxAck(&ssn->client, ack));
StreamTcpUpdateLastAck(ssn, &ssn->client, ack);

StreamTcpUpdateLastAck(ssn, &ssn->server, StreamTcpResetGetMaxAck(&ssn->server, seq));
StreamTcpUpdateLastAck(ssn, &ssn->server, seq);

if (ssn->flags & STREAMTCP_FLAG_TIMESTAMP) {
StreamTcpHandleTimestamp(ssn, p);
Expand Down Expand Up @@ -4968,10 +4930,9 @@ static int StreamTcpPacketStateTimeWait(

if (PKT_IS_TOSERVER(p)) {
if ((tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->server, p) == 0)
StreamTcpUpdateLastAck(
ssn, &ssn->server, StreamTcpResetGetMaxAck(&ssn->server, ack));
StreamTcpUpdateLastAck(ssn, &ssn->server, ack);

StreamTcpUpdateLastAck(ssn, &ssn->client, StreamTcpResetGetMaxAck(&ssn->client, seq));
StreamTcpUpdateLastAck(ssn, &ssn->client, seq);

if (ssn->flags & STREAMTCP_FLAG_TIMESTAMP) {
StreamTcpHandleTimestamp(ssn, p);
Expand All @@ -4980,10 +4941,9 @@ static int StreamTcpPacketStateTimeWait(
StreamTcpReassembleHandleSegment(tv, stt->ra_ctx, ssn, &ssn->client, p);
} else {
if ((tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->client, p) == 0)
StreamTcpUpdateLastAck(
ssn, &ssn->client, StreamTcpResetGetMaxAck(&ssn->client, ack));
StreamTcpUpdateLastAck(ssn, &ssn->client, ack);

StreamTcpUpdateLastAck(ssn, &ssn->server, StreamTcpResetGetMaxAck(&ssn->server, seq));
StreamTcpUpdateLastAck(ssn, &ssn->server, seq);

if (ssn->flags & STREAMTCP_FLAG_TIMESTAMP) {
StreamTcpHandleTimestamp(ssn, p);
Expand Down

0 comments on commit bd1b9f6

Please sign in to comment.