When defrag creates a new reassembled IP packet, it then passes this
packet to the IP decoder. If this decoder returns an error the packet
is returned back to the packet pool with a call to TmqhOutputPacketpool.
This led to the first problem. The returned packet had its p->root
pointer set, and its PKT_TUNNEL flag set. This could cause problems
in TmqhOutputPacketpool, as this may reference the packet referenced
in p->root.
The second and more glaring problem is that the packet that was
returned to the packetpool was still returned by the Defrag function
and processed further. It would then at the end of its processing
be returned to the packet pool, which at this point already had a
reference to this packet.
This patch fixes both issues by unsetting the tunnel references and
returning NULL from Defrag in this case.
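The pattern the commit message describes (an object handed back to its pool on an error path, yet still returned to the caller, who processes it and returns it to the pool a second time) can be made visible with a toy pool that tracks whether each slot is currently in the pool. The following is an added illustration, not Suricata code: Packet, PacketPool, PoolReturn (standing in for TmqhOutputPacketpool), DecodeReassembled and the 20-byte length check are all hypothetical stand-ins, and the `patched` flag switches between the pre-patch flow and the flow the diff below introduces.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the Suricata types named in the commit message
 * (Packet, p->root, PKT_TUNNEL, TmqhOutputPacketpool). None of this is
 * Suricata code; it only reproduces the double-return hazard. */
#define POOL_SIZE 4
#define PKT_TUNNEL 0x1u

typedef struct Packet_ {
    struct Packet_ *root;   /* tunnel parent, like p->root */
    unsigned flags;
    bool in_pool;           /* guard: true while the packet sits in the pool */
    size_t len;
} Packet;

typedef struct PacketPool_ {
    Packet slots[POOL_SIZE];
    Packet *free_list[POOL_SIZE];
    int nfree;
    int double_returns;     /* attempts to return a packet already in the pool */
} PacketPool;

static void PoolInit(PacketPool *pool) {
    memset(pool, 0, sizeof(*pool));
    for (int i = 0; i < POOL_SIZE; i++) {
        pool->slots[i].in_pool = true;
        pool->free_list[pool->nfree++] = &pool->slots[i];
    }
}

static Packet *PoolGet(PacketPool *pool) {
    if (pool->nfree == 0)
        return NULL;
    Packet *p = pool->free_list[--pool->nfree];
    memset(p, 0, sizeof(*p));   /* in_pool = false, root = NULL, flags = 0 */
    return p;
}

/* Stand-in for TmqhOutputPacketpool. A real pool would also act on p->root for
 * tunnel packets; here we only detect a packet being returned twice. */
static bool PoolReturn(PacketPool *pool, Packet *p) {
    if (p->in_pool) {
        pool->double_returns++;
        return false;
    }
    p->in_pool = true;
    pool->free_list[pool->nfree++] = p;
    return true;
}

/* Stand-in decoder: rejects a reassembled packet shorter than a minimal header. */
static int DecodeReassembled(const Packet *r) {
    return r->len >= 20 ? 0 : -1;
}

/* patched == false reproduces the pre-patch flow; patched == true applies the
 * three changes from the diff: unset tunnel refs, return to pool, hand back NULL. */
static Packet *Defrag(PacketPool *pool, Packet *parent, size_t len, bool patched) {
    Packet *r = PoolGet(pool);
    if (r == NULL)
        return NULL;
    r->len = len;
    r->root = parent;            /* mark r as a tunnel child of parent */
    r->flags |= PKT_TUNNEL;
    if (DecodeReassembled(r) != 0) {
        if (patched) {           /* the patch: drop tunnel refs first... */
            r->flags &= ~PKT_TUNNEL;
            r->root = NULL;
        }
        PoolReturn(pool, r);     /* ...return r to the pool... */
        if (patched)
            r = NULL;            /* ...and hand back NULL instead of r */
    }
    return r;                    /* pre-patch: r is already in the pool here */
}

typedef struct { int double_returns; int nfree; } SimResult;

/* Drive Defrag the way its caller would: process whatever comes back, then
 * return it to the pool at the end of processing. */
static SimResult Simulate(bool patched, size_t len) {
    PacketPool pool;
    Packet parent = {0};
    PoolInit(&pool);
    Packet *r = Defrag(&pool, &parent, len, patched);
    if (r != NULL)
        PoolReturn(&pool, r);
    SimResult res = { pool.double_returns, pool.nfree };
    return res;
}

int main(void) {
    SimResult b = Simulate(false, 8), f = Simulate(true, 8);
    printf("pre-patch: double returns=%d free=%d\n", b.double_returns, b.nfree);
    printf("patched:   double returns=%d free=%d\n", f.double_returns, f.nfree);
    return 0;
}
```

With an 8-byte reassembled packet the pre-patch flow records one double return, because the caller returns a packet that the error path already put back; the patched flow records none, and in both flows the pool ends with all slots free. A 40-byte packet decodes cleanly and takes the normal single-return path regardless of the flag.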
StatsIncr(tv, dtv->counter_defrag_ipv4_reassembled);
if (pq && DecodeIPV4(tv, dtv, r, (void *)r->ip4h,
IPV4_GET_IPLEN(r), pq) != TM_ECODE_OK) {
+
+ UNSET_TUNNEL_PKT(r);
+ r->root = NULL;
TmqhOutputPacketpool(tv, r);
+ r = NULL;
} else {
PacketDefragPktSetupParent(p);
}
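Review bot: setting `r->root = NULL` before `TmqhOutputPacketpool(tv, r)` avoids the root dereference the commit message describes, but whatever earlier step gave r its root pointer and PKT_TUNNEL flag may also have recorded r on the parent side, and nothing in this block undoes that; please confirm the parent packet holds no state that still expects this child. Since this hunk does not show where r is returned, also confirm that every caller of the Defrag function tolerates a NULL return now that `r = NULL` is reached after a successful reassembly whose decode failed. The blank `+` line at the top of the error block is a stray whitespace change and should be dropped.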
if (pq && DecodeIPV6(tv, dtv, r, (uint8_t *)r->ip6h,
IPV6_GET_PLEN(r) + IPV6_HEADER_LEN,
pq) != TM_ECODE_OK) {
+
+ UNSET_TUNNEL_PKT(r);
+ r->root = NULL;
TmqhOutputPacketpool(tv, r);
+ r = NULL;
} else {
PacketDefragPktSetupParent(p);
}
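Review bot: this error block is identical to the IPv4 one above (`UNSET_TUNNEL_PKT(r); r->root = NULL; TmqhOutputPacketpool(tv, r); r = NULL;`); factoring it into a small static helper called from both places would keep the two cleanup paths from drifting apart when one of them changes. Note also that because the condition is `pq && DecodeIPV6(...) != TM_ECODE_OK`, the else branch runs PacketDefragPktSetupParent(p) when pq is NULL, i.e. when DecodeIPV6 was never called; that is pre-existing behaviour, but worth a comment if it is intended. Same stray blank `+` line here as in the IPv4 block.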