[7/7] suricata: Handle retransmitted SYN with TSval

Message ID 20211119174458.789486-7-michael.tremer@ipfire.org
State Accepted
Commit 73d18835c0a4609fd46e81c4a8b43270bd9b6bc8
Headers show
Series [1/7] suricata: Include all default rules | expand

Commit Message

Michael Tremer Nov. 19, 2021, 5:44 p.m. UTC
Read more in the patch.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 lfs/suricata                                  |  1 +
 ...-Handle-retransmitted-SYN-with-TSval.patch | 55 +++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch

Patch

diff --git a/lfs/suricata b/lfs/suricata
index 38289962f..b54a038c3 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -70,6 +70,7 @@  $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
 	cd $(DIR_APP) && LDFLAGS="$(LDFLAGS)" ./configure \
 		--prefix=/usr \
 		--sysconfdir=/etc \
diff --git a/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch b/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
new file mode 100644
index 000000000..fcea77cfa
--- /dev/null
+++ b/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
@@ -0,0 +1,55 @@ 
+From 511648b3d7a4b5a5b4d55b92dffd63fcb23903a0 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Fri, 19 Nov 2021 17:17:47 +0000
+Subject: [PATCH] stream: tcp: Handle retransmitted SYN with TSval
+
+For connections that use TCP timestamps for which the first SYN packet
+does not reach the server, any replies to retransmitted SYNs will be
+tropped.
+
+This is happening in StateSynSentValidateTimestamp, where the timestamp
+value in a SYN-ACK packet must match the one from the SYN packet.
+However, since the server never received the first SYN packet, it will
+respond with an updated timestamp from any of the following SYN packets.
+
+The timestamp value inside suricata is not being updated at any time
+which should happen. This patch fixes that problem.
+
+This problem was introduced in 9f0294fadca3dcc18c919424242a41e01f3e8318.
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/stream-tcp.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/src/stream-tcp.c b/src/stream-tcp.c
+index 1cff19fa5..af681760b 100644
+--- a/src/stream-tcp.c
++++ b/src/stream-tcp.c
+@@ -1643,6 +1643,23 @@ static int StreamTcpPacketStateSynSent(ThreadVars *tv, Packet *p,
+                     "ssn->client.last_ack %"PRIu32"", ssn,
+                     ssn->client.isn, ssn->client.next_seq,
+                     ssn->client.last_ack);
++        } else if (PKT_IS_TOSERVER(p)) {
++            /*
++	     * On retransmitted SYN packets, the timestamp value must be updated,
++	     * to avoid dropping any SYN+ACK packets that respond to a retransmitted SYN
++	     * with an updated timestamp in StateSynSentValidateTimestamp.
++	     */
++            if ((ssn->client.flags & STREAMTCP_STREAM_FLAG_TIMESTAMP) && TCP_HAS_TS(p)) {
++                uint32_t ts_val = TCP_GET_TSVAL(p);
++
++                // Check whether packets have been received in the correct order (only ever update)
++                if (ssn->client.last_ts < ts_val) {
++                    ssn->client.last_ts = ts_val;
++                    ssn->client.last_pkt_ts = p->ts.tv_sec;
++                }
++
++                SCLogDebug("ssn %p: Retransmitted SYN. Updated timestamp from packet %"PRIu64, ssn, p->pcap_cnt);
++            }
+         }
+ 
+         /** \todo check if it's correct or set event */
+-- 
+2.30.2
+