From: Victor Julien Date: Wed, 26 Feb 2014 14:14:14 +0000 (+0100) Subject: stream-tcp: fix error handling in segment pool X-Git-Tag: suricata-2.0rc2~57 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e38347d995c401a375c8f6160566784465b7873;p=thirdparty%2Fsuricata.git stream-tcp: fix error handling in segment pool When TcpSegmentPoolInit fails (e.g. because of a too low memcap), it would free the segment. However, the segment memory is managed by the Pool API, which would also free the same memory location. This patch fixes that. Also, memset the structure before any checks are done, as the segment memory is passed to TcpSegmentPoolCleanup in case of error as well. Bug #1108 --- diff --git a/src/stream-tcp-reassemble.c b/src/stream-tcp-reassemble.c index 21fc982127..4c9baaba52 100644 --- a/src/stream-tcp-reassemble.c +++ b/src/stream-tcp-reassemble.c @@ -174,19 +174,19 @@ int TcpSegmentPoolInit(void *data, void *payload_len) TcpSegment *seg = (TcpSegment *) data; uint16_t size = *((uint16_t *) payload_len); + /* do this before the can bail, so TcpSegmentPoolCleanup + * won't have uninitialized memory to consider. */ + memset(seg, 0, sizeof (TcpSegment)); + if (StreamTcpReassembleCheckMemcap((uint32_t)size + (uint32_t)sizeof(TcpSegment)) == 0) { - SCFree(seg); return 0; } - memset(seg, 0, sizeof (TcpSegment)); - seg->pool_size = size; seg->payload_len = seg->pool_size; seg->payload = SCMalloc(seg->payload_len); if (seg->payload == NULL) { - SCFree(seg); return 0; }
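Review bot: The SCMalloc failure path now returns 0 with `seg->pool_size` and `seg->payload_len` already set to `size` while `seg->payload` is NULL, and the commit message says that segment is then handed to TcpSegmentPoolCleanup. If the cleanup routine (not visible in this hunk) decrements the reassembly memcap counter by `pool_size` or trusts `payload_len`, it would release accounting that was never charged and could underflow the counter. The memcap-check failure path raises the same question, since the zeroed segment also reaches cleanup. Consider setting the sizes only after the allocation succeeds, or resetting them in the failure branch with `seg->pool_size = 0; seg->payload_len = 0;` before `return 0;`. The added comment reads "before the can bail", presumably meant as `before we can bail`; TcpSegmentPoolInit also continues past the end of the hunk, so where memuse is incremented cannot be confirmed from here.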