From: Sascha Steinbiss <satta@debian.org>
Date: Sun, 8 Nov 2020 12:08:28 +0000 (+0100)
Subject: eve: do not access flow storage in packet context
X-Git-Tag: suricata-6.0.1~75
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F5555%2Fhead;p=thirdparty%2Fsuricata.git

eve: do not access flow storage in packet context

We must make sure not to access the flow storage (e.g. keeping a
MacSet) before making sure we have a flow to begin with, We can,
for example, run into an alert without a flow with `ip` rules,
in which case the flow might be NULL. See Redmine issue #4109.
---

diff --git a/src/output-json.c b/src/output-json.c
index 7e55ba0385..ce7250b75c 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -439,7 +439,7 @@ static void EveAddMetadata(const Packet *p, const Flow *f, JsonBuilder *js)
     }
 }
 
-int CreateJSONEther(JsonBuilder *parent, const Packet *p, const MacSet *ms);
+int CreateJSONEther(JsonBuilder *parent, const Packet *p, const Flow *f);
 
 void EveAddCommonOptions(const OutputJsonCommonSettings *cfg,
         const Packet *p, const Flow *f, JsonBuilder *js)
@@ -448,9 +448,7 @@ void EveAddCommonOptions(const OutputJsonCommonSettings *cfg,
         EveAddMetadata(p, f, js);
     }
     if (cfg->include_ethernet) {
-        MacSet *ms = FlowGetStorageById((Flow*) f, MacSetGetFlowStorageID());
-        if (ms != NULL)
-            CreateJSONEther(js, p, ms);
+        CreateJSONEther(js, p, f);
     }
     if (cfg->include_community_id && f != NULL) {
         CreateEveCommunityFlowId(js, f, cfg->community_id_seed);
@@ -798,15 +796,23 @@ static int MacSetIterateToJSON(uint8_t *val, MacSetSide side, void *data)
     return 0;
 }
 
-int CreateJSONEther(JsonBuilder *js, const Packet *p, const MacSet *ms)
+int CreateJSONEther(JsonBuilder *js, const Packet *p, const Flow *f)
 {
-    jb_open_object(js, "ether");
     if (unlikely(js == NULL))
         return 0;
+    /* start new EVE sub-object */
+    jb_open_object(js, "ether");
     if (p == NULL) {
+        MacSet *ms = NULL;
+        /* ensure we have a flow */
+        if (unlikely(f == NULL)) {
+            jb_close(js);
+            return 0;
+        }
         /* we are creating an ether object in a flow context, so we need to
            append to arrays */
-        if (MacSetSize(ms) > 0) {
+        ms = FlowGetStorageById((Flow *)f, MacSetGetFlowStorageID());
+        if (ms != NULL && MacSetSize(ms) > 0) {
             JSONMACAddrInfo info;
             info.dst = jb_new_array();
             info.src = jb_new_array();
@@ -815,6 +821,7 @@ int CreateJSONEther(JsonBuilder *js, const Packet *p, const MacSet *ms)
                 /* should not happen, JSONFlowAppendMACAddrs is sane */
                 jb_free(info.dst);
                 jb_free(info.src);
+                jb_close(js);
                 return ret;
             }
             jb_close(info.dst);