From: Philippe Antoine Date: Fri, 8 Apr 2022 12:40:02 +0000 (+0200) Subject: protocol: forbids concurrent protocol upgrades X-Git-Tag: suricata-7.0.0-beta1~713 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cedffdf14cf1fdd4d551f16c331e5b3e7f0a6927;p=thirdparty%2Fsuricata.git protocol: forbids concurrent protocol upgrades Ticket: 5243 When switching from SMTP to TLS, and getting HTTP1 instead of expected TLS, and HTTP1 requesting upgrade to HTTP2, we do not overwrite the alproto_orig value so as not to have type confusion in AppLayerParserStateProtoCleanup
---
diff --git a/src/app-layer-detect-proto.c b/src/app-layer-detect-proto.c
index 0ee69117d9..b61d3c924d 100644
--- a/src/app-layer-detect-proto.c
+++ b/src/app-layer-detect-proto.c
@@ -1950,6 +1950,12 @@ void AppLayerProtoDetectRegisterAlias(const char *proto_name, const char *proto_
 */
 void AppLayerRequestProtocolChange(Flow *f, uint16_t dp, AppProto expect_proto)
 {
+ if (FlowChangeProto(f)) {
+ // If we are already changing protocols, from SMTP to TLS for instance,
+ // and that we do not get TLS but HTTP1, which is requesting whange to HTTP2,
+ // we do not proceed the new protocol change
+ return;
+ }
 FlowSetChangeProtoFlag(f);
 f->protodetect_dp = dp;
 f->alproto_expect = expect_proto;
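Review bot: The new guard at the top of AppLayerRequestProtocolChange drops the second change request silently, so the caller (the HTTP1-to-HTTP2 upgrade in the scenario the comment describes) cannot tell that nothing was scheduled, and no trace of the refused upgrade is left for anyone investigating the flow. Because the function returns void, the smallest improvement is a log line before `return;`, for example `SCLogDebug("protocol change already pending, ignoring request for %s", AppProtoToString(expect_proto));`. Returning a bool so callers can skip their own upgrade bookkeeping would be cleaner, but those callers are not visible in this hunk. The function's doc comment, whose closing `*/` is the first context line, begins outside the hunk and should gain a sentence saying that a request is ignored while another change is in progress; the function body also continues past the last line shown. The inline comment has a typo (`whange` for `change`), and "we do not proceed the new protocol change" would read better as `// so we ignore the new protocol change request`.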