From: Victor Julien
Date: Thu, 1 Jun 2023 08:57:08 +0000 (+0200)
Subject: detect: add check to validate drops
X-Git-Tag: suricata-6.0.13~37
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5c2e6c4b8342f00c506ef466041f6f859ea6251c;p=thirdparty%2Fsuricata.git

detect: add check to validate drops

(cherry picked from commit 95bf7248e85d1c3179b4102c37f8845bcbc678b0)
---
diff --git a/src/detect.c b/src/detect.c
index 724679e9fa..8420189a1e 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1566,8 +1566,11 @@ static void DetectFlow(ThreadVars *tv,
         return;
     }
 
-    /* if flow is set to drop, we enforce that here */
+    /* we check the flow drop here, and not the packet drop. This is
+     * to allow stream engine "invalid" drop packets to still be
+     * evaluated by the stream event rules. */
     if (p->flow->flags & FLOW_ACTION_DROP) {
+        DEBUG_VALIDATE_BUG_ON(!(PKT_IS_PSEUDOPKT(p)) && !PACKET_TEST_ACTION(p, ACTION_DROP));
         SCReturn;
     }
 
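Review bot: The added `DEBUG_VALIDATE_BUG_ON` inside the `FLOW_ACTION_DROP` branch is an assertion that is compiled out of normal builds, so in production this branch still returns without touching the packet's action and relies on `ACTION_DROP` having been applied to `p` before DetectFlow runs; the new comment explains why the flow flag rather than the packet action is tested, but not where the packet-level drop is expected to come from, and the removed "we enforce that here" was the only text that spoke to enforcement at all. I would put a one-liner on the assertion, e.g. `/* sanity check only, compiled out unless debug validation is enabled: a non-pseudo packet on a drop flow is presumably already marked ACTION_DROP by the flow handling upstream of detection */`, adjusting the last clause to name the actual call site. Minor style: `!(PKT_IS_PSEUDOPKT(p))` carries redundant parentheses; `!PKT_IS_PSEUDOPKT(p)` matches the neighbouring `!PACKET_TEST_ACTION(p, ACTION_DROP)`. DetectFlow starts and ends outside the hunk.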