Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fixing productive connections with missing SYN still considered partial after flipping direction.

Browse source 
In https://github.com/zeek/zeek/pull/2191, we added endpoint flipping
for cases where a connection starts with a SYN/ACK followed by ACK or
data. The goal was to treat the connection as productive and go ahead
and parse it. But the TCP analyzer could continue to consider it
partial after flipping, meaning that app layers would bail out. #2426
shows such a case: HTTP gets correctly activated after flipping
through content inspection, but it won't process anything because
`IsPartial()` returns true. As the is-partial state reflects
whether we saw the first packets each in direction, this patch now
overrides that state for the originally missing SYN after flipping.

We actually had the same problem at a couple of other locations already
as well. One of that only happened to work because of the originally
inconsistent state flipping that was fixed in the previous commit. The
corresponding unit test now broke after that change. This commit
updates that logic as well to override the state.

This fix is a bit of a hack, but the best solution I could think of
without introducing larger changes.

Closes #2426.
This commit is contained in:
Robin Sommer 2022-11-08 13:25:59 +01:00
parent 0ef709ae7c
commit 6fbebc5e94
No known key found for this signature in database
GPG key ID: D8187293B3FFE5D0
6 changed files with 27 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

7
src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
View file

@ -787,6 +787,11 @@ void TCPSessionAdapter::SetPartialStatus(analyzer::tcp::TCP_Flags flags, bool is
}
}
void TCPSessionAdapter::SetFirstPacketSeen(bool is_orig)
{
first_packet_seen |= (is_orig ? ORIG : RESP);
}
void TCPSessionAdapter::UpdateInactiveState(double t, analyzer::tcp::TCP_Endpoint* endpoint,
analyzer::tcp::TCP_Endpoint* peer, uint32_t base_seq,
uint32_t ack_seq, int len, bool is_orig,
@ -829,6 +834,7 @@ void TCPSessionAdapter::UpdateInactiveState(double t, analyzer::tcp::TCP_Endpoin
is_partial = 0;
Conn()->FlipRoles();
peer->SetState(analyzer::tcp::TCP_ENDPOINT_ESTABLISHED);
SetFirstPacketSeen(true);
}
else
@ -913,6 +919,7 @@ void TCPSessionAdapter::UpdateInactiveState(double t, analyzer::tcp::TCP_Endpoin
// as partial and instead establish the connection.
endpoint->SetState(analyzer::tcp::TCP_ENDPOINT_ESTABLISHED);
is_partial = 0;
SetFirstPacketSeen(is_orig);
}
else