From: Victor Julien
Date: Wed, 19 Oct 2016 10:52:46 +0000 (+0200)
Subject: flow-timeout: fix memory errors on flow bypass
X-Git-Tag: suricata-3.2RC1~42
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F2367%2Fhead;p=thirdparty%2Fsuricata.git

flow-timeout: fix memory errors on flow bypass

For flow bypass, the flow timeout handling is triggered which may create up to 3 pseudo packets that hold a reference to the flow.

However, in the bypass case the code signaled to the timeout logic that the flow can be freed unconditionally by returning 1. This led to packets going through the engine with a pointer to a now freed/recycled flow.

This patch fixes the logic by removing the special bypass case, which seemed redundant anyway.

Effectively reverts 68d9677.

Bug #1928.
---
diff --git a/src/flow-manager.c b/src/flow-manager.c index a1e78b82bb..87292d876d 100644 --- a/src/flow-manager.c +++ b/src/flow-manager.c @@ -266,15 +266,6 @@ static int FlowManagerFlowTimedOut(Flow *f, struct timeval *ts) int server = 0, client = 0; - int state = SC_ATOMIC_GET(f->flow_state); - if ((state == FLOW_STATE_LOCAL_BYPASSED) || - (state == FLOW_STATE_CAPTURE_BYPASSED)) { - if (FlowForceReassemblyNeedReassembly(f, &server, &client) == 1) { - FlowForceReassemblyForFlow(f, server, client); - } - return 1; - } - if (!(f->flags & FLOW_TIMEOUT_REASSEMBLY_DONE) && FlowForceReassemblyNeedReassembly(f, &server, &client) == 1) { FlowForceReassemblyForFlow(f, server, client);
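
Review bot: In FlowManagerFlowTimedOut(), the invariant that this fix depends on is not documented anywhere in the hunk: the function must not return 1 (flow may be freed) while pseudo packets created by FlowForceReassemblyForFlow(f, server, client) still hold a reference to the flow. The removed branch broke that by returning 1 unconditionally for FLOW_STATE_LOCAL_BYPASSED and FLOW_STATE_CAPTURE_BYPASSED, and the commit message only says the special case "seemed redundant", so please add a short comment above the remaining "if (!(f->flags & FLOW_TIMEOUT_REASSEMBLY_DONE) && ..." check stating the invariant and that bypassed flows now deliberately take this generic path. The hunk's context ends right after the FlowForceReassemblyForFlow() call, so the return value on that path is not visible here; it is worth confirming it is 0 for bypassed flows as well. A regression test for Bug #1928 that times out a bypassed flow with reassembly pending would guard against the special case being reintroduced.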