From: Victor Julien Date: Tue, 14 Aug 2018 12:33:20 +0000 (+0200) Subject: detect/files: don't prune files for bad packets X-Git-Tag: suricata-4.0.6~49 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d58f81d01b0ed7877c6328d650166d88894a4e0d;p=thirdparty%2Fsuricata.git detect/files: don't prune files for bad packets A bad packet (rejected by stream engine) could still trigger a file prune, even though (most of the) detection wouldn't happen for the packet. The next valid packet would then not be able to match on the file, as it was already freed. This patch uses the same logic before file pruning as in the detect engine. Bug: 2576
---
diff --git a/src/output-file.c b/src/output-file.c
index d05ffd4d40..013dc0ae10 100644
--- a/src/output-file.c
+++ b/src/output-file.c
@@ -176,7 +176,14 @@ static TmEcode OutputFileLog(ThreadVars *tv, Packet *p, void *thread_data)
 }
 }
- FilePrune(ffc);
+ /* only prune for accepted packets, as detection might skip
+ * inspection. */
+ if ((p->proto == IPPROTO_TCP && (p->flags & PKT_STREAM_EST)) ||
+ (p->proto == IPPROTO_UDP) ||
+ (p->proto == IPPROTO_SCTP && (p->flowflags & FLOW_PKT_ESTABLISHED)))
+ {
+ FilePrune(ffc);
+ }
 }
 return TM_ECODE_OK;
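Review bot: The packet-acceptance test added in front of `FilePrune(ffc)` is, per the commit message, a hand-copied duplicate of the detect engine's check, so the two copies can drift apart without any compiler or test signal. If detection later accepts a packet class this logger does not (or the reverse), files would again be pruned before they can be inspected, reopening the missed-match gap this commit closes. Consider moving the predicate into one shared `static inline` helper used by both sites, or at minimum extend the comment to `/* only prune for accepted packets, as detection might skip inspection. Must stay in sync with the detect engine's packet check. */`. It is also worth confirming that flows whose packets never satisfy this test still have their file containers released at flow teardown, since this logger no longer prunes for them; that path is not visible here, and the body of OutputFileLog starts outside the hunk.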