From 885b8cefec83b63bbde1279f59d7ff1e40ba320c Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Tue, 27 Jun 2017 09:59:48 +0200
Subject: [PATCH] detect: fix crash when stream inspect runs on UDP

Certain rules can apply to both TCP and UDP. For example 'alert dns' rules are inspected against both TCP and UDP. This lead to the stream inspect engine being called on a UDP packet. This patch fixes the issue by exiting early from the stream inspect engine if a) proto is not TCP or b) ssn is not available Bug #2158.
---
 src/detect-engine-payload.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/detect-engine-payload.c b/src/detect-engine-payload.c
index 83f3c27912..bb45672127 100644
--- a/src/detect-engine-payload.c
+++ b/src/detect-engine-payload.c
@@ -281,6 +281,14 @@ int DetectEngineInspectStream(ThreadVars *tv,
 {
 Packet *p = det_ctx->p;
 /* TODO: get rid of this HACK */
+ /* in certain sigs, e.g. 'alert dns', which apply to both tcp and udp
+ * we can get called for UDP. */
+ if (p->proto != IPPROTO_TCP)
+ return DETECT_ENGINE_INSPECT_SIG_MATCH;
+ TcpSession *ssn = f->protoctx;
+ if (ssn == NULL)
+ return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
+
 if (det_ctx->stream_already_inspected)
 return det_ctx->stream_last_result;
@@ -291,7 +299,6 @@ int DetectEngineInspectStream(ThreadVars *tv,
 &unused);
 bool is_last = false;
- TcpSession *ssn = f->protoctx;
 if (flags & STREAM_TOSERVER) {
 TcpStream *stream = &ssn->client;
 if (stream->flags & STREAMTCP_STREAM_FLAG_DEPTH_REACHED)
-- 
2.47.2
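Review bot: The two new early returns in the first hunk report opposite outcomes for what is essentially the same condition (no TCP stream to inspect): a non-TCP packet yields DETECT_ENGINE_INSPECT_SIG_MATCH while a NULL f->protoctx yields DETECT_ENGINE_INSPECT_SIG_CANT_MATCH, and the added comment does not say why. If MATCH is meant as "this engine has nothing to inspect, do not veto the signature", then a rule whose content is only ever checked by this engine would be accepted on UDP without any byte being compared, so the intent should be written down and confirmed against how the inspect engines are combined (not visible here); I would extend the comment to `/* ... we can get called for UDP. Returning MATCH rather than CANT_MATCH means this engine does not reject the sig for UDP; the UDP payload is presumably inspected by another engine. */` and, if that is not the intent, return CANT_MATCH in both branches. The check on p->proto is correctly placed before f->protoctx is read, which is what makes the later `&ssn->client` dereference in the second hunk safe for UDP flows. DetectEngineInspectStream's body starts before and continues past both hunks.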