From b6fed6d431bb09b573555b2560eb805a59cd91ec Mon Sep 17 00:00:00 2001
From: Victor Julien <victor@inliniac.net>
Date: Tue, 25 Aug 2020 14:08:37 +0200
Subject: [PATCH] stream: fix GAP size

Fix GAPs sizes sometimes exceeding the ACK'd data size.
---
 src/stream-tcp-reassemble.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/src/stream-tcp-reassemble.c b/src/stream-tcp-reassemble.c
index f0c4f9fa3f..17c2168026 100644
--- a/src/stream-tcp-reassemble.c
+++ b/src/stream-tcp-reassemble.c
@@ -1092,11 +1092,14 @@ static int ReassembleUpdateAppLayer (ThreadVars *tv,
     const uint8_t *mydata;
     uint32_t mydata_len;
     bool gap_ahead = false;
+    const uint8_t flags = StreamGetAppLayerFlags(ssn, *stream, p);
 
     while (1) {
         bool check_for_gap_ahead = ((*stream)->data_required > 0);
         gap_ahead = GetAppBuffer(*stream, &mydata, &mydata_len,
                 app_progress, check_for_gap_ahead);
+        /* make sure to only deal with ACK'd data */
+        mydata_len = AdjustToAcked(p, ssn, *stream, app_progress, mydata_len);
         DEBUG_VALIDATE_BUG_ON(mydata_len > (uint32_t)INT_MAX);
         if (mydata == NULL && mydata_len > 0 && CheckGap(ssn, *stream, p)) {
             SCLogDebug("sending GAP to app-layer (size: %u)", mydata_len);
@@ -1128,7 +1131,7 @@ static int ReassembleUpdateAppLayer (ThreadVars *tv,
                 break;
             continue;
 
-        } else if (mydata == NULL || mydata_len == 0) {
+        } else if (mydata == NULL || (mydata_len == 0 && ((flags & STREAM_EOF) == 0))) {
             /* Possibly a gap, but no new data. */
             if ((p->flags & PKT_PSEUDO_STREAM_END) == 0 || ssn->state < TCP_CLOSED)
                 SCReturnInt(0);
@@ -1142,12 +1145,6 @@ static int ReassembleUpdateAppLayer (ThreadVars *tv,
         SCLogDebug("stream %p data in buffer %p of len %u and offset %"PRIu64,
                 *stream, &(*stream)->sb, mydata_len, app_progress);
 
-        const uint8_t flags = StreamGetAppLayerFlags(ssn, *stream, p);
-        /* get window of data that is acked */
-        mydata_len = AdjustToAcked(p, ssn, *stream, app_progress, mydata_len);
-        if (mydata_len == 0 && (flags & STREAM_EOF) == 0)
-            SCReturnInt(0);
-
         if ((p->flags & PKT_PSEUDO_STREAM_END) == 0 || ssn->state < TCP_CLOSED) {
             if (mydata_len < (*stream)->data_required) {
                 if (gap_ahead) {