From: Philippe Antoine
Date: Fri, 8 Apr 2022 12:40:02 +0000 (+0200)
Subject: protocol: forbids concurrent protocol upgrades
X-Git-Tag: suricata-6.0.6~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e55eeb3bdee1a57f17a21ca509385c84caaa4469;p=thirdparty%2Fsuricata.git
protocol: forbids concurrent protocol upgrades
Ticket: 5243
When switching from SMTP to TLS, and getting HTTP1 instead of expected TLS, and HTTP1 requesting upgrade to HTTP2, we do not overwrite the alproto_orig value so as not to have type confusion in AppLayerParserStateProtoCleanup
(cherry picked from commit cedffdf14cf1fdd4d551f16c331e5b3e7f0a6927)
---
diff --git a/src/app-layer-detect-proto.c b/src/app-layer-detect-proto.c
index 5ee03f836e..c83c3e030e 100644
--- a/src/app-layer-detect-proto.c
+++ b/src/app-layer-detect-proto.c
@@ -1878,6 +1878,12 @@ void AppLayerProtoDetectRegisterProtocol(AppProto alproto, const char *alproto_n
 */
 void AppLayerRequestProtocolChange(Flow *f, uint16_t dp, AppProto expect_proto)
 {
+ if (FlowChangeProto(f)) {
+ // If we are already changing protocols, from SMTP to TLS for instance,
+ // and that we do not get TLS but HTTP1, which is requesting whange to HTTP2,
+ // we do not proceed the new protocol change
+ return;
+ }
 FlowSetChangeProtoFlag(f);
 f->protodetect_dp = dp;
 f->alproto_expect = expect_proto;
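Review bot: The comment on the new `FlowChangeProto(f)` guard walks through the SMTP/TLS/HTTP1 scenario but never names the invariant the guard protects, and it carries a typo ("whange"). Per the commit message, the early return exists so that `alproto_orig` is not overwritten while a change is already pending, which would otherwise end in type confusion in AppLayerParserStateProtoCleanup; I would put that in the comment, e.g. `// A protocol change is already pending: ignore the new request so alproto_orig is not overwritten (type confusion in AppLayerParserStateProtoCleanup, ticket 5243).` Because the function returns void, a refused request is invisible to the caller, so a `SCLogDebug("protocol change already pending, ignoring new request");` before the `return` would make this unusual flow traceable. The function body continues past the end of the hunk, so the write to `alproto_orig` is presumably below and is not visible here.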