From: Jason Ish Date: Thu, 27 Mar 2025 21:32:40 +0000 (-0600) Subject: ndpi: ignore packets that have a different proto than the flow X-Git-Tag: suricata-8.0.0-beta1~176 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=81915548de4b157c66f2af8cbae2904dd36f49e0;p=thirdparty%2Fsuricata.git ndpi: ignore packets that have a different proto than the flow This can happen when the flow is UDP, but an ICMP unreachable is returned, which gets assigned to the same flow. Reference: https://github.com/ntop/nDPI/issues/2762 --- diff --git a/plugins/ndpi/ndpi.c b/plugins/ndpi/ndpi.c index 60accf4576..2adddfaa1e 100644 --- a/plugins/ndpi/ndpi.c +++ b/plugins/ndpi/ndpi.c @@ -101,6 +101,12 @@ static void OnFlowUpdate(ThreadVars *tv, Flow *f, Packet *p, void *_data) return; } + /* Ignore packets that have a different protocol than the + * flow. This can happen with ICMP unreachable packets. */ + if (p->proto != f->proto) { + return; + } + if (PacketIsIPv4(p)) { const IPV4Hdr *ip4h = PacketGetIPv4(p); ip_len = IPV4_GET_RAW_IPLEN(ip4h);
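Review bot: The new `if (p->proto != f->proto)` check in OnFlowUpdate returns silently, and its comment names only ICMP unreachable although the condition skips every packet whose protocol differs from the flow's. Consider saying in the comment that the observed case is a UDP flow that gets an ICMP unreachable assigned to it, as the commit message does, and citing the nDPI issue there, so the reason for the broad condition stays with the code. A debug-level log line or a counter on this path would also show how often packets are being left out of nDPI processing, which matters if a mismatch ever appears for a reason other than the one described.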