stream/midstream: fix double flow reverse case

In the case of midstream SYN/ACK pickup, we reverse the flow based on the SYN/ACK. If we then later get traffic that appears to be in the reverse direction based on the app-layer, we would reverse it again. This isn't correct. When we have the SYN/ACK we know the flow's real direction.
3 years ago · fea374626a
parent 2a7349406c
commit fea374626a
1 changed files with 3 additions and 1 deletions
--- a/src/app-layer.c
+++ b/src/app-layer.c
@ -403,7 +403,9 @@ static int TCPProtoDetect(ThreadVars *tv,
        /* if protocol detection indicated that we need to reverse
         * the direction of the flow, do it now. We flip the flow,
         * packet and the direction flags */
-        if (reverse_flow && (ssn->flags & STREAMTCP_FLAG_MIDSTREAM)) {
+        if (reverse_flow &&
+                ((ssn->flags & (STREAMTCP_FLAG_MIDSTREAM | STREAMTCP_FLAG_MIDSTREAM_SYNACK)) ==
+                        STREAMTCP_FLAG_MIDSTREAM)) {
            /* but only if we didn't already detect it on the other side. */
            if (*alproto_otherdir == ALPROTO_UNKNOWN) {
                SCLogDebug("reversing flow after proto detect told us so");