When TcpSegmentPoolInit fails (e.g. because of a too low memcap),
it would free the segment. However, the segment memory is managed
by the Pool API, which would also free the same memory location.
This patch fixes that.
Also, memset the structure before any checks are done, as the segment
memory is passed to TcpSegmentPoolCleanup in case of error as well.
Bug #1108
TcpSegment *seg = (TcpSegment *) data;
uint16_t size = *((uint16_t *) payload_len);
+ /* do this before the can bail, so TcpSegmentPoolCleanup
+ * won't have uninitialized memory to consider. */
+ memset(seg, 0, sizeof (TcpSegment));
+
if (StreamTcpReassembleCheckMemcap((uint32_t)size + (uint32_t)sizeof(TcpSegment)) == 0) {
- SCFree(seg);
return 0;
}
- memset(seg, 0, sizeof (TcpSegment));
-
seg->pool_size = size;
seg->payload_len = seg->pool_size;
seg->payload = SCMalloc(seg->payload_len);
if (seg->payload == NULL) {
- SCFree(seg);
return 0;
}
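Review bot: On the SCMalloc failure path, `seg->pool_size` and `seg->payload_len` already hold `size` while `seg->payload` is NULL, and the commit message says the segment is then passed to TcpSegmentPoolCleanup. That function is not visible here, so this needs confirming, but if it uses either length for memcap accounting or anything beyond freeing `payload`, it would act on a size that was never allocated. Setting the lengths only after the allocation succeeds avoids this: `seg->payload = SCMalloc(size);`, then the NULL check, then `seg->pool_size = size; seg->payload_len = size;`. The added comment also has a typo ("before the can bail"); `/* do this before we can bail, so TcpSegmentPoolCleanup won't have uninitialized memory to consider. */` reads correctly. The function's signature and the rest of its body are outside the hunk.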