From: Philippe Antoine
Date: Mon, 29 Nov 2021 09:59:10 +0000 (+0100)
Subject: ftp: do not set alproto if one was already found
X-Git-Tag: suricata-6.0.5~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c6a0709dc8935511c5573c13b5c5a1f512b8791f;p=thirdparty%2Fsuricata.git

ftp: do not set alproto if one was already found
Ticket: 4857
If a pattern such as GET is seen ine the beginning of the file transferred over ftp-data, this flow will get recognized as HTTP, and a HTTP state will be created during parsing. Thus, we cannot override directly alproto's values This solves the segfault, but not the logical bug that the flow should be classified as FTP-DATA instead of HTTP
(cherry picked from commit dd32238667f08c7211ae4fa27cfe43af7cffd52d)
---
diff --git a/src/app-layer-expectation.c b/src/app-layer-expectation.c
index 00ff035db7..c920a19991 100644
--- a/src/app-layer-expectation.c
+++ b/src/app-layer-expectation.c
@@ -322,8 +322,12 @@ AppProto AppLayerExpectationHandle(Flow *f, uint8_t flags)
 if ((exp->direction & flags) && ((exp->sp == 0) || (exp->sp == f->sp)) && ((exp->dp == 0) || (exp->dp == f->dp))) {
 alproto = exp->alproto;
- f->alproto_ts = alproto;
- f->alproto_tc = alproto;
+ if (f->alproto_ts == ALPROTO_UNKNOWN) {
+ f->alproto_ts = alproto;
+ }
+ if (f->alproto_tc == ALPROTO_UNKNOWN) {
+ f->alproto_tc = alproto;
+ }
 void *fdata = FlowGetStorageById(f, g_expectation_data_id);
 if (fdata) {
 /* We already have an expectation so let's clean this one */
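Review bot: The two independent `ALPROTO_UNKNOWN` checks can leave the flow with a different protocol per direction (for instance `alproto_ts` already detected while `alproto_tc` is still unknown and then takes `exp->alproto`), and the local `alproto` is still set to `exp->alproto` even when neither field was changed. If callers use that value, outside this hunk, to select a parser, this may reintroduce a state/parser mismatch of the kind this commit fixes; consider a single guard, `if (f->alproto_ts == ALPROTO_UNKNOWN && f->alproto_tc == ALPROTO_UNKNOWN)`, or confirm that mixed values are handled downstream. The commit message notes that a transfer whose first bytes look like GET stays classified as HTTP, so ftp-data rules and file handling may not apply to that flow; a comment here such as `/* Ticket 4857: keep an already-detected alproto; known gap: flow is not reclassified as FTP-DATA */` would keep that limitation visible to rule writers and maintainers. The body of AppLayerExpectationHandle starts and ends outside the hunk.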