From: Victor Julien
Date: Tue, 27 Jun 2017 07:59:48 +0000 (+0200)
Subject: detect: fix crash when stream inspect runs on UDP
X-Git-Tag: suricata-4.0.0-rc1~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=885b8cefec83b63bbde1279f59d7ff1e40ba320c;p=thirdparty%2Fsuricata.git

detect: fix crash when stream inspect runs on UDP

Certain rules can apply to both TCP and UDP. For example 'alert dns' rules are inspected against both TCP and UDP. This lead to the stream inspect engine being called on a UDP packet. This patch fixes the issue by exiting early from the stream inspect engine if a) proto is not TCP or b) ssn is not available

Bug #2158.
---
diff --git a/src/detect-engine-payload.c b/src/detect-engine-payload.c
index 83f3c27912..bb45672127 100644
--- a/src/detect-engine-payload.c
+++ b/src/detect-engine-payload.c
@@ -281,6 +281,14 @@ int DetectEngineInspectStream(ThreadVars *tv,
 {
     Packet *p = det_ctx->p; /* TODO: get rid of this HACK */
+    /* in certain sigs, e.g. 'alert dns', which apply to both tcp and udp
+     * we can get called for UDP. */
+    if (p->proto != IPPROTO_TCP)
+        return DETECT_ENGINE_INSPECT_SIG_MATCH;
+    TcpSession *ssn = f->protoctx;
+    if (ssn == NULL)
+        return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
+
     if (det_ctx->stream_already_inspected)
         return det_ctx->stream_last_result;
@@ -291,7 +299,6 @@ int DetectEngineInspectStream(ThreadVars *tv,
             &unused);
     bool is_last = false;
-    TcpSession *ssn = f->protoctx;
     if (flags & STREAM_TOSERVER) {
         TcpStream *stream = &ssn->client;
         if (stream->flags & STREAMTCP_STREAM_FLAG_DEPTH_REACHED)
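Review bot: The non-TCP early return in the first hunk reports DETECT_ENGINE_INSPECT_SIG_MATCH without inspecting a single byte, and the added comment only says the engine "can get called for UDP", not why an unconditional match is the right answer rather than CANT_MATCH, so a reader auditing for false positives has to infer it. Presumably the packet payload engine is what actually checks the signature's content against UDP payload and this engine must therefore not veto the signature; if that is the reason, state it: `/* not TCP: nothing to inspect here, the packet payload engine checks the content; must not veto the sig */`. Note also that `f->protoctx` is now read before the `stream_already_inspected` short-circuit, so every caller must pass a non-NULL flow even on the cached path; if any call site can reach this with f == NULL, the guard should test f first. DetectEngineInspectStream's signature and the rest of its body lie outside the hunk.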