From: Victor Julien
Date: Tue, 8 Mar 2016 15:15:45 +0000 (+0100)
Subject: defrag: fix bad packet error handling
X-Git-Tag: suricata-3.0.1RC1~47
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8f4eff5f5030ae921d3e68cd6b6a40ee7bd52215;p=thirdparty%2Fsuricata.git

defrag: fix bad packet error handling

When defrag creates a new reassembled IP packet, it then passes this packet to the IP decoder. If this decoder returns an error the packet is returned back to the packet pool with a call to TmqhOutputPacketpool.

This led to the first problem. The returned packet had its p->root pointer set, and its PKT_TUNNEL flag set. This could cause problems in TmqhOutputPacketpool, as this may reference the packet referenced in p->root.

The second and more glaring problem is that the packet that was returned to the packetpool was still returned by the Defrag function and processed further. It would then at the end of its processing be returned to the packet pool, which at this point already had a reference to this packet.

This patch fixes both issues by unsetting the tunnel references and returning NULL from Defrag in this case.

---
diff --git a/src/defrag.c b/src/defrag.c index 484a0994d6..f3de97edd9 100644 --- a/src/defrag.c +++ b/src/defrag.c @@ -783,7 +783,11 @@ insert: StatsIncr(tv, dtv->counter_defrag_ipv4_reassembled); if (pq && DecodeIPV4(tv, dtv, r, (void *)r->ip4h, IPV4_GET_IPLEN(r), pq) != TM_ECODE_OK) { + + UNSET_TUNNEL_PKT(r); + r->root = NULL; TmqhOutputPacketpool(tv, r); + r = NULL; } else { PacketDefragPktSetupParent(p); } @@ -796,7 +800,11 @@ insert: if (pq && DecodeIPV6(tv, dtv, r, (uint8_t *)r->ip6h, IPV6_GET_PLEN(r) + IPV6_HEADER_LEN, pq) != TM_ECODE_OK) { + + UNSET_TUNNEL_PKT(r); + r->root = NULL; TmqhOutputPacketpool(tv, r); + r = NULL; } else { PacketDefragPktSetupParent(p); }
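Review bot: in the DecodeIPV4 failure branch (first hunk) the added lines depend on their order, with UNSET_TUNNEL_PKT(r) and r->root = NULL placed before TmqhOutputPacketpool(tv, r) and r = NULL after it, but the code carries no comment saying so. The reason is given only in the commit message (TmqhOutputPacketpool may follow p->root, and the caller must not see a packet that is already back in the pool), so a one-line comment above the block would keep a later cleanup from reordering or dropping a step. Separately, StatsIncr(tv, dtv->counter_defrag_ipv4_reassembled) runs just above, before the decode result is known, so a packet discarded in this branch is still counted as reassembled; consider recording the decode failure in its own counter so these drops are visible in the stats.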
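Review bot: the DecodeIPV6 failure branch (second hunk) repeats the same cleanup sequence as the IPv4 branch line for line (UNSET_TUNNEL_PKT(r); r->root = NULL; TmqhOutputPacketpool(tv, r); followed by r = NULL). Since getting any one of these steps wrong reintroduces the double return to the packet pool, I would move the first three into a small static helper in defrag.c that both branches call, leaving only r = NULL at the call site, so the two paths cannot drift apart. Minor style point: both hunks add an empty line directly after the opening brace of the if body, which looks unintentional and can be dropped.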