detect: fix FP on ICMP unreachable errors

ICMP unreachable errors are linked to the flow they send an error for.
This would lead to the detection engine calling the TX inspection
engines on them.

The stream inspect engine would default to a match for non-UDP
and non-TCP as for ICMP we're not expected to use a TX inspect engine
for stream data.

This all would lead to a false positive match.

This patch fixes this by making sure the TX engines are not called if
the packet protocol and flow protocol are not the same.

Bug #2841.

diff --git a/src/detect.c b/src/detect.c
index 9efd7917138c2dbda27999dc009a7947118d17fd..d66d49e70c8912ea32f6a426e7ee3802d0e1c13c 100644 (file)
--- a/src/detect.c
+++ b/src/detect.c
@@ -135,8 +135,8 @@ static void DetectRun(ThreadVars *th_v,
     DetectRulePacketRules(th_v, de_ctx, det_ctx, p, pflow, &scratch);
     PACKET_PROFILING_DETECT_END(p, PROF_DETECT_RULES);
 
-    /* run tx/state inspection */
-    if (pflow && pflow->alstate) {
+    /* run tx/state inspection. Don't call for ICMP error msgs. */
+    if (pflow && pflow->alstate && likely(pflow->proto == p->proto)) {
         PACKET_PROFILING_DETECT_START(p, PROF_DETECT_TX);
         DetectRunTx(th_v, de_ctx, det_ctx, p, pflow, &scratch);
         PACKET_PROFILING_DETECT_END(p, PROF_DETECT_TX);