Re: TCP Urgent data causes HTTPInspect to fail and prevents PAF to flush

[Russ <rucombs () cisco com>]

Will check it out, thanks!

On 12/16/16 5:58 AM, hey wrote:
> Thanks for the reply and the RFC.
>
> The issue affects snort 2.9.9.0 too. The one-line patch below makes
> PAF skip urgent data, please let me know if you see any problem with
> it.
>
>
> Thanks,
>
> -----------------
> From: "Pierre Nicolas-Nicolaz, Future Systems"
> Date: Fri, 16 Dec 2016 10:33:24 +0000
> Subject: [PATCH] Make PAF skip urgent data
>
> ---
>   src/preprocessors/Stream6/snort_stream_tcp.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/preprocessors/Stream6/snort_stream_tcp.c
> b/src/preprocessors/Stream6/snort_stream_tcp.c
> index 1280d1e..e18b628 100644
> --- a/src/preprocessors/Stream6/snort_stream_tcp.c
> +++ b/src/preprocessors/Stream6/snort_stream_tcp.c
> @@ -9753,7 +9753,7 @@ static inline uint32_t flush_pdu_ips (
> StreamTcpConfig *config, TcpSession *ssn,
>           wire_packet = pkt;
>           flush_policy_for_dir = trk->flush_mgr.flush_policy;
>           flush_pt = s5_paf_check( config->paf_config, &trk->paf_state, ssn->scb,
> -                                 seg->payload, size, total, seg->seq, srv_port,
> +                                 seg->payload+seg->urg_offset, size,
> total, seg->seq, srv_port,
>                                    flags, trk->flush_mgr.flush_pt);
>           if (*flags & PKT_PURGE)
>           {


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!