detect: fix crash when stream inspect runs on UDP

Certain rules can apply to both TCP and UDP. For example 'alert dns'
rules are inspected against both TCP and UDP. This lead to the
stream inspect engine being called on a UDP packet.

This patch fixes the issue by exiting early from the stream inspect
engine if a) proto is not TCP or b) ssn is not available

Bug #2158.

diff --git a/src/detect-engine-payload.c b/src/detect-engine-payload.c
index 83f3c27912d737980482ca6dfc50ba77e96d4124..bb4567212750638dd49efbf739ff0becd4eada56 100644 (file)
--- a/src/detect-engine-payload.c
+++ b/src/detect-engine-payload.c
@@ -281,6 +281,14 @@ int DetectEngineInspectStream(ThreadVars *tv,
 {
     Packet *p = det_ctx->p; /* TODO: get rid of this HACK */
 
+    /* in certain sigs, e.g. 'alert dns', which apply to both tcp and udp
+     * we can get called for UDP. */
+    if (p->proto != IPPROTO_TCP)
+        return DETECT_ENGINE_INSPECT_SIG_MATCH;
+    TcpSession *ssn = f->protoctx;
+    if (ssn == NULL)
+        return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
+
     if (det_ctx->stream_already_inspected)
         return det_ctx->stream_last_result;
 
@@ -291,7 +299,6 @@ int DetectEngineInspectStream(ThreadVars *tv,
             &unused);
 
     bool is_last = false;
-    TcpSession *ssn = f->protoctx;
     if (flags & STREAM_TOSERVER) {
         TcpStream *stream = &ssn->client;
         if (stream->flags & STREAMTCP_STREAM_FLAG_DEPTH_REACHED)