stream: improve StreamTcpSegmentForEach for IPS

StreamTcpSegmentForEach would only return ACK'd segments. This lead to missing stream data in alerts when running in IPS mode. This patch changes the behavior for IPS. All segments are iterated now, also the non-ACK'd ones. For IDS mode the behavior is unchanged.
10 years ago · b93a302a5b
parent 3a9bcd6a53
commit b93a302a5b
1 changed files with 7 additions and 3 deletions
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@ -5920,8 +5920,8 @@ void StreamTcpPseudoPacketCreateStreamEndPacket(ThreadVars *tv, StreamTcpThread
 /**
 * \brief Run callback function on each TCP segment
 *
- * This function is used by StreamMsgForEach() which
- * should be used directly.
+ * \note when stream engine is running in inline mode all segments are used,
+ *       in IDS/non-inline mode only ack'd segments are iterated.
 *
 * \return -1 in case of error, the number of segment in case of success
 *
@ -5949,8 +5949,12 @@ int StreamTcpSegmentForEach(const Packet *p, uint8_t flag, StreamSegmentCallback
    } else {
        stream = &(ssn->client);
    }
+
+    /* for IDS, return ack'd segments. For IPS all. */
    TcpSegment *seg = stream->seg_list;
-    for (; seg != NULL && SEQ_LT(seg->seq, stream->last_ack);) {
+    for (; seg != NULL &&
+            (stream_inline || SEQ_LT(seg->seq, stream->last_ack));)
+    {
        ret = CallbackFunc(p, data, seg->payload, seg->payload_len);
        if (ret != 1) {
            SCLogDebug("Callback function has failed");