From 36e6d632df258abcf133be3b50144311e6212a1d Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Fri, 16 Jul 2021 14:22:28 +0200 Subject: [PATCH] protodetect: opposing side cannot change protocol Ticket: #4562 As the data which triggered the opposing side was the same protocol and not another one, that means the protocol change failed. Prevents a memory leak in later call of AppLayerParserParse which would allocate a new state and leak the old one (cherry picked from commit be617a3c1b25a7a4b1acdc7b65d3733d4f48a1f9) --- src/app-layer.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/app-layer.c b/src/app-layer.c index a01b44c1cb..0b4f384f75 100644 --- a/src/app-layer.c +++ b/src/app-layer.c @@ -397,6 +397,15 @@ static int TCPProtoDetect(ThreadVars *tv, DisableAppLayer(tv, f, p); SCReturnInt(-1); } + if (FlowChangeProto(f)) { + /* We have the first data which requested a protocol change from P1 to P2 + * even if it was not recognized at first as being P1 + * As the second data was recognized as P1, the protocol did not change ! + */ + FlowUnsetChangeProtoFlag(f); + AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, + APPLAYER_UNEXPECTED_PROTOCOL); + } } /* if the parser operates such that it needs to see data from -- 2.47.2