handle FIN flag in order of the sequence numbers

matthiasklein · matthiasklein · commit 3ab1a3a59f92 · 2025-10-23T08:02:11.000+02:00
Signed-off-by: Matthias Klein &lt;matthias@extraklein.de&gt;
diff --git a/Packet++/header/TcpReassembly.h b/Packet++/header/TcpReassembly.h
@@ -404,9 +404,11 @@ namespace pcpp
 			uint32_t sequence;
 			size_t dataLength;
 			uint8_t* data;
+			uint32_t flowKey;
+			bool isFin;
 			std::chrono::time_point<std::chrono::high_resolution_clock> timestamp;
 
-			TcpFragment() : sequence(0), dataLength(0), data(nullptr)
+			TcpFragment() : sequence(0), dataLength(0), data(nullptr), flowKey(0), isFin(false)
 			{}
 			~TcpFragment()
 			{
diff --git a/Packet++/src/TcpReassembly.cpp b/Packet++/src/TcpReassembly.cpp
@@ -268,10 +268,10 @@ namespace pcpp
 			return Ignore_PacketOfClosedFlow;
 		}
 
-		// handle FIN/RST packets that don't contain additional TCP data
-		if (isFinOrRst && tcpPayloadSize == 0)
+		// handle RST packets that don't contain additional TCP data
+		if (isRst && tcpPayloadSize == 0)
 		{
-			PCPP_LOG_DEBUG("Got FIN or RST packet without data on side " << sideIndex);
+			PCPP_LOG_DEBUG("Got RST packet without data on side " << sideIndex);
 
 			handleFinOrRst(tcpReassemblyData, sideIndex, flowKey, isRst);
 			return FIN_RSTWithNoData;
@@ -441,27 +441,36 @@ namespace pcpp
 			{
 				PCPP_LOG_DEBUG("Payload length is 0, doing nothing");
 
-				// handle case where this packet is FIN or RST
-				if (isFinOrRst)
+				// handle case where this packet is RST
+				if (isRst)
 				{
 					handleFinOrRst(tcpReassemblyData, sideIndex, flowKey, isRst);
 					status = FIN_RSTWithNoData;
+					return status;
 				}
-				else
+
+                if(!isFin)
 				{
 					status = Ignore_PacketWithNoData;
-				}
-
-				return status;
+					return status;
+                }
 			}
 
 			// create a new TcpFragment, copy the TCP data to it and add this packet to the the out-of-order packet list
 			TcpFragment* newTcpFrag = new TcpFragment();
-			newTcpFrag->data = new uint8_t[tcpPayloadSize];
+
+            if(tcpPayloadSize)
+            {
+                newTcpFrag->data = new uint8_t[tcpPayloadSize];
+                memcpy(newTcpFrag->data, tcpLayer->getLayerPayload(), tcpPayloadSize);
+            }
+
 			newTcpFrag->dataLength = tcpPayloadSize;
 			newTcpFrag->sequence = sequence;
 			newTcpFrag->timestamp = currTime;
-			memcpy(newTcpFrag->data, tcpLayer->getLayerPayload(), tcpPayloadSize);
+			newTcpFrag->isFin = isFin;
+			newTcpFrag->flowKey = flowKey;
+
 			tcpReassemblyData->twoSides[sideIndex].tcpFragmentList.pushBack(newTcpFrag);
 
 			PCPP_LOG_DEBUG("Found out-of-order packet and added a new TCP fragment with size "
@@ -476,8 +485,8 @@ namespace pcpp
 				checkOutOfOrderFragments(tcpReassemblyData, sideIndex, false);
 			}
 
-			// handle case where this packet is FIN or RST
-			if (isFinOrRst)
+			// handle case where this packet is RST
+			if (isRst)
 			{
 				handleFinOrRst(tcpReassemblyData, sideIndex, flowKey, isRst);
 			}
@@ -580,6 +589,12 @@ namespace pcpp
 
 						foundSomething = true;
 
+                        if(curTcpFrag->isFin)
+                        {
+                            PCPP_LOG_DEBUG("handle saved FIN flag on sequence match");
+                            handleFinOrRst(tcpReassemblyData, sideIndex, curTcpFrag->flowKey, false);
+                        }
+
 						continue;
 					}
 
@@ -616,6 +631,12 @@ namespace pcpp
 							}
 
 							foundSomething = true;
+
+                            if(curTcpFrag->isFin)
+                            {
+                                PCPP_LOG_DEBUG("handle saved FIN flag on lower sequence");
+                                handleFinOrRst(tcpReassemblyData, sideIndex, curTcpFrag->flowKey, false);
+                            }
 						}
 						else
 						{
diff --git a/Tests/Pcap++Test/PcapExamples/one_http_stream_fin2_output2.txt b/Tests/Pcap++Test/PcapExamples/one_http_stream_fin2_output2.txt
diff --git a/Tests/Pcap++Test/Tests/TcpReassemblyTests.cpp b/Tests/Pcap++Test/Tests/TcpReassemblyTests.cpp
@@ -721,13 +721,13 @@ PTF_TEST_CASE(TestTcpReassemblyWithFIN_RST)
 	tcpReassemblyTest(packetStream, tcpReassemblyResults, true, false);
 
 	PTF_ASSERT_EQUAL(stats.size(), 1);
-	PTF_ASSERT_EQUAL(stats.begin()->second.numOfDataPackets, 5);
+	PTF_ASSERT_EQUAL(stats.begin()->second.numOfDataPackets, 6);
 	PTF_ASSERT_EQUAL(stats.begin()->second.numOfMessagesFromSide[0], 1);
 	PTF_ASSERT_EQUAL(stats.begin()->second.numOfMessagesFromSide[1], 1);
 	PTF_ASSERT_TRUE(stats.begin()->second.connectionsStarted);
 	PTF_ASSERT_TRUE(stats.begin()->second.connectionsEnded);
 	PTF_ASSERT_FALSE(stats.begin()->second.connectionsEndedManually);
-	expectedReassemblyData = readFileIntoString(std::string("PcapExamples/one_http_stream_fin2_output2.txt"));
+	expectedReassemblyData = readFileIntoString(std::string("PcapExamples/one_http_stream_fin2_output.txt"));
 	PTF_ASSERT_EQUAL(expectedReassemblyData, stats.begin()->second.reassembledData);
 }  // TestTcpReassemblyWithFIN_RST
 
