tcp: don't set event on empty SACK opt

TCP_OPT_INVALID_LEN was set if the opt len was 2. While useless an empty SACK is not uncommon. Seen on an iOS device talking to an Apple server. Bug #3254.
5 years ago · fb26268c6b
parent aae76a84cd
commit fb26268c6b
1 changed files with 3 additions and 2 deletions
--- a/src/decode-tcp.c
+++ b/src/decode-tcp.c
@ -138,9 +138,10 @@ static void DecodeTCPOptions(Packet *p, const uint8_t *pkt, uint16_t pktlen)
                    break;
                case TCP_OPT_SACK:
                    SCLogDebug("SACK option, len %u", olen);
-                    if (olen < TCP_OPT_SACK_MIN_LEN ||
+                    if ((olen != 2) &&
+                           (olen < TCP_OPT_SACK_MIN_LEN ||
                            olen > TCP_OPT_SACK_MAX_LEN ||
-                            !((olen - 2) % 8 == 0))
+                            !((olen - 2) % 8 == 0)))
                    {
                        ENGINE_SET_EVENT(p,TCP_OPT_INVALID_LEN);
                    } else {