flow-timeout: fix memory errors on flow bypass 2367/head
authorVictor Julien <victor@inliniac.net>
Wed, 19 Oct 2016 10:52:46 +0000 (12:52 +0200)
committerVictor Julien <victor@inliniac.net>
Wed, 19 Oct 2016 10:58:19 +0000 (12:58 +0200)
For flow bypass, the flow timeout handling is triggered which may
create up to 3 pseudo packets that hold a reference to the flow.
However, in the bypass case the code signaled to the timeout logic
that the flow can be freed unconditionally by returning 1. This
led to packets going through the engine with a pointer to a now
freed/recycled flow.

This patch fixes the logic by removing the special bypass case,
which seemed redundant anyway. Effectively reverts 68d9677.

Bug #1928.

src/flow-manager.c

index a1e78b82bb9a898b88ea71fbde12948511e6c622..87292d876d5b7e60b2a28fecbcee01a51ec4502d 100644 (file)
@@ -266,15 +266,6 @@ static int FlowManagerFlowTimedOut(Flow *f, struct timeval *ts)
 
     int server = 0, client = 0;
 
-    int state = SC_ATOMIC_GET(f->flow_state);
-    if ((state == FLOW_STATE_LOCAL_BYPASSED) ||
-            (state == FLOW_STATE_CAPTURE_BYPASSED)) {
-        if (FlowForceReassemblyNeedReassembly(f, &server, &client) == 1) {
-            FlowForceReassemblyForFlow(f, server, client);
-        }
-        return 1;
-    }
-
     if (!(f->flags & FLOW_TIMEOUT_REASSEMBLY_DONE) &&
             FlowForceReassemblyNeedReassembly(f, &server, &client) == 1) {
         FlowForceReassemblyForFlow(f, server, client);