projects / suricata.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 5717222) | patch
[PATCH] stream/tcp: don't reject on bad ack
authorEric Leblond <el@stamus-networks.com>
Fri, 28 May 2021 10:19:38 +0000 (12:19 +0200)
committerSascha Steinbiss <satta@debian.org>
Mon, 19 Jul 2021 11:26:22 +0000 (12:26 +0100)
commitfe725e855f40d1b1c4fc2b94cb8d63de7e522d89
tree7e2d77dd12eac1a244d5c25d6de0e62054cc09d6tree | snapshot
parent57172225d0ca1f6d757f8d478d7ff98bd0c92efccommit | diff
[PATCH] stream/tcp: don't reject on bad ack

Not using a packet for the streaming analysis when a non zero
ACK value and ACK bit was unset was leading to evasion as it was
possible to start a session with a SYN packet with a non zero ACK
value to see the full TCP stream to escape all stream and application
layer detection.

This addresses CVE-2021-35063.

Fixes: fa692df37 ("stream: reject broken ACK packets")
Ticket: #4504.

Gbp-Pq: Name stream-no-reject-bad-ack.patch
src/stream-tcp.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.