From: Steven Baigal (sbaigal)
Date: Tue, 31 Jan 2023 21:05:39 +0000 (+0000)
Subject: Pull request #3746: wizard: ensure Wizard is refcounted by MagicSplitter to prevent...
X-Git-Tag: 3.1.55.0~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9839d325958f74b3cfe0bdf5c17d93641104b2f5;p=thirdparty%2Fsnort3.git
Pull request #3746: wizard: ensure Wizard is refcounted by MagicSplitter to prevent snort crashes due to memory corruption
Merge in SNORT/snort3 from ~JALIIMRA/snort3:umbrella_splitter_crash to master
Squashed commit of the following:
commit 76e78a72a86f276e1aaac1fa21d2d24d19029351
Author: Juweria Ali Imran
Date: Mon Jan 23 14:18:11 2023 -0500
wizard: ensure Wizard is refcounted by MagicSplitter to prevent snort crashes due to memory corruption
---
diff --git a/src/service_inspectors/wizard/wizard.cc b/src/service_inspectors/wizard/wizard.cc
index c9202d2ec..dcf52dc60 100644
--- a/src/service_inspectors/wizard/wizard.cc
+++ b/src/service_inspectors/wizard/wizard.cc
@@ -170,12 +170,16 @@ MagicSplitter::MagicSplitter(bool c2s, class Wizard* w) :
 StreamSplitter(c2s), wizard_processed_bytes(0)
 {
 wizard = w;
+ // FIXIT-M: Handle inspector reference elsewhere such that all splitters
+ // are able to be deleted before their inspectors
+ w->add_ref();
 // Used only in case of TCP traffic
 w->reset(wand, c2s, MagicBook::ArcaneType::TCP);
 }
 MagicSplitter::~MagicSplitter()
 {
+ wizard->rem_ref();
 // release trackers
 for ( unsigned i = 0; i < wand.curse_tracker.size(); i++ )
 delete wand.curse_tracker[i].tracker;
diff --git a/src/stream/tcp/tcp_session.cc b/src/stream/tcp/tcp_session.cc
index def8e0458..7de51ba7a 100644
--- a/src/stream/tcp/tcp_session.cc
+++ b/src/stream/tcp/tcp_session.cc
@@ -192,9 +192,6 @@ void TcpSession::clear_session(bool free_flow_data, bool flush_segments, bool re
 update_perf_base_state(TcpStreamTracker::TCP_CLOSED);
- set_splitter(true, nullptr);
- set_splitter(false, nullptr);
-
 if ( restart )
 {
 flow->restart(free_flow_data);
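Review bot: In `MagicSplitter::~MagicSplitter()` (wizard.cc hunk) the new `wizard->rem_ref();` is the first statement, so the inspector reference is dropped while the destructor still walks `wand.curse_tracker`. If anything reachable from `wand` is owned by the Wizard (not visible in this hunk, so treat that as an assumption), the use-after-free window this commit targets is narrowed rather than closed; moving `wizard->rem_ref();` below the tracker loop, as the last statement, keeps the inspector pinned until the splitter has finished its cleanup. The add_ref/rem_ref pairing is also manual, so it is worth confirming in the class declaration that MagicSplitter cannot be copied, since a copy would call `rem_ref()` twice for a single `add_ref()`. The destructor body continues past the end of the hunk.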
@@ -208,6 +205,9 @@ void TcpSession::clear_session(bool free_flow_data, bool flush_segments, bool re
 server.reassembler.clear_paf();
 }
+ set_splitter(true, nullptr);
+ set_splitter(false, nullptr);
+
 tel.log_internal_event(SESSION_EVENT_CLEAR);
 }
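Review bot: The two `set_splitter(..., nullptr)` calls now run after the `restart` branch and `clear_paf()`, but nothing at the new location says that this order is required. Given the wizard.cc change in this commit, where a splitter holds an inspector reference until it is destroyed, the order presumably decides when that reference is released. A short comment such as `// release splitters last: they hold a reference on their inspector (see MagicSplitter)` would keep a later cleanup from moving them back up. clear_session() starts above this hunk, so whether an earlier return path can skip these calls and leave the reference held cannot be checked from here.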