tcp: fix unlikely NULL-ptr dereference

If a TCP packet could not get a flow (flow engine out of flows/memory)
and there were *only* TCP inspecting rules with the direction
explicitly set to 'to_server', a NULL pointer deref could happen.

PacketPatternSearchWithStreamCtx would fall through to the 'to_client'
case which was not initialized.

diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c
index 5a21823ce845b30e7ed24b227e5d64178fb3d172..9d1a9fc162ab2fb57325c441ef6721c391fa59dc 100644 (file)
--- a/src/detect-engine-mpm.c
+++ b/src/detect-engine-mpm.c
@@ -183,20 +183,25 @@ uint32_t PacketPatternSearchWithStreamCtx(DetectEngineThreadCtx *det_ctx,
     SCEnter();
 
     uint32_t ret = 0;
+    MpmCtx *mpm_ctx = NULL;
 
     if (p->flowflags & FLOW_PKT_TOSERVER) {
         DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_stream_ctx_ts == NULL);
 
-        ret = mpm_table[det_ctx->sgh->mpm_stream_ctx_ts->mpm_type].
-            Search(det_ctx->sgh->mpm_stream_ctx_ts, &det_ctx->mtc, &det_ctx->pmq,
-                   p->payload, p->payload_len);
+        mpm_ctx = det_ctx->sgh->mpm_stream_ctx_ts;
+
     } else {
         DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_stream_ctx_tc == NULL);
 
-        ret = mpm_table[det_ctx->sgh->mpm_stream_ctx_tc->mpm_type].
-            Search(det_ctx->sgh->mpm_stream_ctx_tc, &det_ctx->mtc, &det_ctx->pmq,
-                   p->payload, p->payload_len);
+        mpm_ctx = det_ctx->sgh->mpm_stream_ctx_tc;
     }
+    if (unlikely(mpm_ctx == NULL)) {
+        SCReturnInt(0);
+    }
+
+    ret = mpm_table[mpm_ctx->mpm_type].
+        Search(mpm_ctx, &det_ctx->mtc, &det_ctx->pmq,
+                p->payload, p->payload_len);
 
     SCReturnInt(ret);
 }