From: Eric Leblond
Date: Sun, 26 May 2019 21:44:03 +0000 (+0200)
Subject: af-packet: fix use after free on config
X-Git-Tag: suricata-5.0.0-rc1~317
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a277f2eb0c773a0e9c88a720a7984c5be3fca93a;p=thirdparty%2Fsuricata.git

af-packet: fix use after free on config

ASAN did find that afp config was used after free. This was in fact done in the Flow bypass manager hence this patch.
---
diff --git a/src/runmode-af-packet.c b/src/runmode-af-packet.c
index 3dbc5fd60b..e499267920 100644
--- a/src/runmode-af-packet.c
+++ b/src/runmode-af-packet.c
@@ -440,10 +440,16 @@ static void *ParseAFPConfig(const char *iface)
 aconf->iface);
 aconf->flags |= AFP_BYPASS;
 RunModeEnablesBypassManager();
- BypassedFlowManagerRegisterCheckFunc(EBPFCheckBypassedFlowTimeout,
- NULL,
- (void *) &(aconf->ebpf_t_config));
- BypassedFlowManagerRegisterUpdateFunc(EBPFUpdateFlow, NULL);
+ struct ebpf_timeout_config *ebt = SCCalloc(1, sizeof(struct ebpf_timeout_config));
+ if (ebt == NULL) {
+ SCLogError(SC_ERR_MEM_ALLOC, "Flow bypass alloc error");
+ } else {
+ memcpy(ebt, &(aconf->ebpf_t_config), sizeof(struct ebpf_timeout_config));
+ BypassedFlowManagerRegisterCheckFunc(EBPFCheckBypassedFlowTimeout,
+ NULL,
+ (void *)ebt);
+ BypassedFlowManagerRegisterUpdateFunc(EBPFUpdateFlow, NULL);
+ }
 #else
 SCLogError(SC_ERR_UNIMPLEMENTED, "Bypass set but eBPF support is not built-in");
 #endif
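Review bot: On the `ebt == NULL` path the new code only logs, yet `aconf->flags |= AFP_BYPASS;` and `RunModeEnablesBypassManager();` on the context lines just above have already run, so the interface stays marked for bypass with no timeout-check or update callback registered. Either do the allocation before those two lines or undo the flag in the failure branch, e.g. `aconf->flags &= ~AFP_BYPASS;`. The `memcpy` is also a snapshot taken at this point: ParseAFPConfig continues outside the hunk, and any `ebpf_t_config` field it fills in later would not reach the bypass manager, which is worth confirming. Nothing visible here frees `ebt`, so a comment such as `/* private copy handed to the bypass manager; it must not point into aconf, which is freed earlier */` would record the ownership that this fix relies on.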