From: Philippe Antoine
Date: Mon, 29 Nov 2021 09:59:10 +0000 (+0100)
Subject: ftp: do not set alproto if one was already found
X-Git-Tag: suricata-7.0.0-beta1~1121
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dd32238667f08c7211ae4fa27cfe43af7cffd52d;p=thirdparty%2Fsuricata.git
ftp: do not set alproto if one was already found Ticket: 4857 If a pattern such as GET is seen ine the beginning of the file transferred over ftp-data, this flow will get recognized as HTTP, and a HTTP state will be created during parsing. Thus, we cannot override directly alproto's values This solves the segfault, but not the logical bug that the flow should be classified as FTP-DATA instead of HTTP
---
diff --git a/src/app-layer-expectation.c b/src/app-layer-expectation.c
index 06c74f263c..1f11d13f77 100644
--- a/src/app-layer-expectation.c
+++ b/src/app-layer-expectation.c
@@ -324,8 +324,12 @@ AppProto AppLayerExpectationHandle(Flow *f, uint8_t flags)
 if ((exp->direction & flags) && ((exp->sp == 0) || (exp->sp == f->sp)) && ((exp->dp == 0) || (exp->dp == f->dp))) {
 alproto = exp->alproto;
- f->alproto_ts = alproto;
- f->alproto_tc = alproto;
+ if (f->alproto_ts == ALPROTO_UNKNOWN) {
+ f->alproto_ts = alproto;
+ }
+ if (f->alproto_tc == ALPROTO_UNKNOWN) {
+ f->alproto_tc = alproto;
+ }
 void *fdata = FlowGetStorageById(f, g_flow_expectation_id);
 if (fdata) {
 /* We already have an expectation so let's clean this one */
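Review bot: The two new guards test `f->alproto_ts` and `f->alproto_tc` independently, so a flow where only one direction was already detected ends up with the two fields naming different protocols, while the local `alproto` assigned on the line above is `exp->alproto` in every case. AppLayerExpectationHandle begins and ends outside the hunk, but if it returns that local, the caller is handed the expected protocol even when neither field was written, which may reproduce the parser-state mismatch one level up. Consider making one decision, e.g. `bool undetected = f->alproto_ts == ALPROTO_UNKNOWN && f->alproto_tc == ALPROTO_UNKNOWN;`, and when it is false leaving both fields alone and emitting `SCLogDebug("expectation alproto %u not applied: flow already detected", exp->alproto);` so the skipped case is visible during triage. A comment above the guards such as `/* a parser state may already exist for the detected alproto; do not overwrite it */` would record why the assignment is conditional.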