From: Philippe Antoine
Date: Fri, 16 Jul 2021 12:22:28 +0000 (+0200)
Subject: protodetect: opposing side cannot change protocol
X-Git-Tag: suricata-6.0.4~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=36e6d632df258abcf133be3b50144311e6212a1d;p=thirdparty%2Fsuricata.git

protodetect: opposing side cannot change protocol

Ticket: #4562

As the data which triggered the opposing side was the same protocol and not another one, that means the protocol change failed.

Prevents a memory leak in later call of AppLayerParserParse which would allocate a new state and leak the old one

(cherry picked from commit be617a3c1b25a7a4b1acdc7b65d3733d4f48a1f9)
---
diff --git a/src/app-layer.c b/src/app-layer.c index a01b44c1cb..0b4f384f75 100644 --- a/src/app-layer.c +++ b/src/app-layer.c @@ -397,6 +397,15 @@ static int TCPProtoDetect(ThreadVars *tv, DisableAppLayer(tv, f, p); SCReturnInt(-1); } + if (FlowChangeProto(f)) { + /* We have the first data which requested a protocol change from P1 to P2 + * even if it was not recognized at first as being P1 + * As the second data was recognized as P1, the protocol did not change ! + */ + FlowUnsetChangeProtoFlag(f); + AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, + APPLAYER_UNEXPECTED_PROTOCOL); + } } /* if the parser operates such that it needs to see data from
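Review bot: the comment in the new `if (FlowChangeProto(f))` block in TCPProtoDetect explains the P1/P2 reasoning but not why the flag has to be cleared at this point. The commit message gives the reason (a later AppLayerParserParse call would allocate a new state and leak the old one), and that sentence belongs in the comment next to `FlowUnsetChangeProtoFlag(f);` so the call is not dropped as redundant in a later cleanup. The block also reuses APPLAYER_UNEXPECTED_PROTOCOL rather than defining a dedicated event in this diff, so a failed protocol change will look the same to rule writers as any other use of that event; if that is intended, the comment should say so. The diff touches only TCPProtoDetect and carries no test; a regression case for ticket #4562 that asserts the change-proto flag is unset after the opposing side is detected as the same protocol would keep the leak from coming back, and it is worth confirming that no other detection path can reach AppLayerParserParse with the flag still set.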