From: Victor Julien <victor@inliniac.net>
Date: Tue, 25 Feb 2014 19:22:55 +0000 (+0100)
Subject: htp: don't assume HTPCallbackRequestLine is the first callback
X-Git-Tag: suricata-2.0rc2~71
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F849%2Fhead;p=thirdparty%2Fsuricata.git

htp: don't assume HTPCallbackRequestLine is the first callback

By assuming that HTPCallbackRequestLine would always be run first,
an memory leak was introduced. It would not check if user data already
existed in the tx, causing it to overwrite the user data pointer is
it already existed.

Bug #1092.
---

diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c
index d2c0a099ad..7e132aa8fa 100644
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@@ -2032,14 +2032,19 @@ static int HTPCallbackRequestLine(htp_tx_t *tx)
     if (request_uri_normalized == NULL)
         return HTP_OK;
 
-    tx_ud = HTPMalloc(sizeof(*tx_ud));
-    if (unlikely(tx_ud == NULL)) {
-        bstr_free(request_uri_normalized);
-        return HTP_OK;
+    tx_ud = htp_tx_get_user_data(tx);
+    if (likely(tx_ud == NULL)) {
+        tx_ud = HTPMalloc(sizeof(*tx_ud));
+        if (unlikely(tx_ud == NULL)) {
+            bstr_free(request_uri_normalized);
+            return HTP_OK;
+        }
+        memset(tx_ud, 0, sizeof(*tx_ud));
+        htp_tx_set_user_data(tx, tx_ud);
     }
-    memset(tx_ud, 0, sizeof(*tx_ud));
+    if (unlikely(tx_ud->request_uri_normalized != NULL))
+        bstr_free(tx_ud->request_uri_normalized);
     tx_ud->request_uri_normalized = request_uri_normalized;
-    htp_tx_set_user_data(tx, tx_ud);
 
     if (tx->flags) {
         HTPErrorCheckTxRequestFlags(hstate, tx);