defrag: fix potential use after free.

Coverity pointed out that PoolReturn is almost like free and detected
a use after free when accessing to tracker->af (issue 720339).
This patch fixes this by storing the value in a local variable.

diff --git a/src/defrag.c b/src/defrag.c
index f78d5b19c5d879ca2daa164ad780d43fd3fdabce..0e017c677b8fb841eab8c2be35a4e5cb11e843c6 100644 (file)
--- a/src/defrag.c
+++ b/src/defrag.c
@@ -1042,16 +1042,17 @@ DefragTimeoutTracker(ThreadVars *tv, DecodeThreadVars *dtv, DefragContext *dc,
         tracker = HashListTableGetListData(next);
 
         if (tracker->timeout < (unsigned int)p->ts.tv_sec) {
+            int af_family = tracker->af;
             /* Tracker has timeout out. */
             HashListTableRemove(dc->frag_table, tracker, HASHLIST_NO_SIZE);
             DefragTrackerReset(tracker);
             PoolReturn(dc->tracker_pool, tracker);
             if (tv != NULL && dtv != NULL) {
-                if (tracker->af == AF_INET) {
+                if (af_family == AF_INET) {
                     SCPerfCounterIncr(dtv->counter_defrag_ipv4_timeouts,
                         tv->sc_perf_pca);
                 }
-                else if (tracker->af == AF_INET6) {
+                else if (af_family == AF_INET6) {
                     SCPerfCounterIncr(dtv->counter_defrag_ipv6_timeouts,
                         tv->sc_perf_pca);
                 }