CVE-2025-59147
From
e91b03c90385db15e21cf1a0e85b921bf92b039e Mon Sep 17 00:00:00 2001
# Subject: [PATCH] stream: improve SYN and SYN/ACK retransmission handling
# Subject: [PATCH] stream: improve SYN and SYN/ACK retransmission handling
Take SEQ and ACK into account for more scenarios.
SYN on SYN_SENT
In this case the SYN packets with different SEQ and other properties are
queued up. Each packet updates the ssn to reflect the last packet to
come in. The old ssn data is added to a TcpStateQueue entry in
TcpSession::queue. If the max queue length is exceeded, the oldest entry
is evicted. The queue is actually a single linked list, where the list
head reflects the oldest entry.
SYN/ACK on SYN_SENT
In this case the first check is if the SYN/ACK matches the session. If
it doesn't, the queue is checked to see if there SYN's stored. If one is
found that matches, it is used and the session is updated to reflect
that.
SYN/ACK on SYN_RECV
SYN/ACK resent on the SYN_RECV state. In this case the ssn is updated
from the current packet. The old settings are stored in a TcpStateQueue
entry in the TcpSession::queue.
ACK on SYN_RECV
Checks any stored SYN/ACKs before checking the session. If a queued
SYN/ACK was sound, the session is updated to match it.
Ticket: #3844.
Ticket: #7657.
(cherry picked from commit
be6315dba0d9101b11d16e9dacfe2822b3792f1b)
Patch adjusted for Debian to fit for Suricata 7.0.10.
Origin: upstream, https://github.com/OISF/suricata/commit/
e91b03c90385db15e21cf1a0e85b921bf92b039e.patch
Bug: https://redmine.openinfosecfoundation.org/issues/7852
Subject: Upstream fix for CVE-2025-59147
Gbp-Pq: Name CVE-2025-59147.patch
projects / suricata.git / commit