mirror of
https://github.com/zeek/zeek.git
synced 2025-10-03 07:08:19 +00:00
6fbebc5e94
In https://github.com/zeek/zeek/pull/2191, we added endpoint flipping for cases where a connection starts with a SYN/ACK followed by ACK or data. The goal was to treat the connection as productive and go ahead and parse it. But the TCP analyzer could continue to consider it partial after flipping, meaning that app layers would bail out. #2426 shows such a case: HTTP gets correctly activated after flipping through content inspection, but it won't process anything because `IsPartial()` returns true. As the is-partial state reflects whether we saw the first packets each in direction, this patch now overrides that state for the originally missing SYN after flipping. We actually had the same problem at a couple of other locations already as well. One of that only happened to work because of the originally inconsistent state flipping that was fixed in the previous commit. The corresponding unit test now broke after that change. This commit updates that logic as well to override the state. This fix is a bit of a hack, but the best solution I could think of without introducing larger changes. Closes #2426. |
||
|---|---|---|
| .. | ||
| fin_retransmission.pcap | ||
| handshake-reorder.trace | ||
| http-on-irc-port-missing-syn.pcap | ||
| miss_end_data.pcap | ||
| missing-syn.pcap | ||
| no-handshake.pcap | ||
| option-27.pcap | ||
| option-sack.pcap | ||
| options.pcap | ||
| payload-syn.pcap | ||
| payload-synack.pcap | ||
| qi_internet_SYNACK_curl_jsonip.pcap | ||
| reassembly.pcap | ||
| retransmit-fast009.trace | ||
| rst-inject-rae.trace | ||
| single-rst.pcap | ||
| ssh-dups.pcap | ||
| syn-synack.pcap | ||
| syn-then-ack-then-rst.pcap | ||
| syn-then-rst.pcap | ||
| syn-then-stuff-then-rst.pcap | ||
| syn.pcap | ||
| tcp-fast-open.pcap | ||
| timestamp.pcap | ||
| truncated-header.pcap | ||