detect/files: don't prune files for bad packets

A bad packet (rejected by stream engine) could still trigger a file
prune, even though (most of the) detection wouldn't happen for the
packet. The next valid packet would then not be able to match on the
file, as it was already freed.

This patch uses the same logic before file pruning as in the detect
engine.

Bug: 2576

diff --git a/src/output-file.c b/src/output-file.c
index d05ffd4d403048a17a076ee2fe5cbf3eb8094d90..013dc0ae10a09a2bb8680bab6740af0880a8ea60 100644 (file)
--- a/src/output-file.c
+++ b/src/output-file.c
@@ -176,7 +176,14 @@ static TmEcode OutputFileLog(ThreadVars *tv, Packet *p, void *thread_data)
             }
         }
 
-        FilePrune(ffc);
+        /* only prune for accepted packets, as detection might skip
+         * inspection. */
+        if ((p->proto == IPPROTO_TCP && (p->flags & PKT_STREAM_EST)) ||
+                (p->proto == IPPROTO_UDP) ||
+                (p->proto == IPPROTO_SCTP && (p->flowflags & FLOW_PKT_ESTABLISHED)))
+        {
+            FilePrune(ffc);
+        }
     }
 
     return TM_ECODE_OK;