From d58f81d01b0ed7877c6328d650166d88894a4e0d Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Tue, 14 Aug 2018 14:33:20 +0200
Subject: [PATCH] detect/files: don't prune files for bad packets

A bad packet (rejected by stream engine) could still trigger a file prune, even though (most of the) detection wouldn't happen for the packet. The next valid packet would then not be able to match on the file, as it was already freed.

This patch uses the same logic before file pruning as in the detect engine.

Bug: 2576
---
 src/output-file.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/output-file.c b/src/output-file.c
index d05ffd4d40..013dc0ae10 100644
--- a/src/output-file.c
+++ b/src/output-file.c
@@ -176,7 +176,14 @@ static TmEcode OutputFileLog(ThreadVars *tv, Packet *p, void *thread_data)
 }
 }

- FilePrune(ffc);
+ /* only prune for accepted packets, as detection might skip
+ * inspection. */
+ if ((p->proto == IPPROTO_TCP && (p->flags & PKT_STREAM_EST)) ||
+ (p->proto == IPPROTO_UDP) ||
+ (p->proto == IPPROTO_SCTP && (p->flowflags & FLOW_PKT_ESTABLISHED)))
+ {
+ FilePrune(ffc);
+ }
 }

 return TM_ECODE_OK;
--
2.47.2
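Review bot: The new guard in front of `FilePrune(ffc)` is a hand-copied version of the detect engine's packet gate (the commit message says as much), and nothing in the code ties the two copies together. If the detect-side condition changes later, pruning can again run for a packet that detection skipped and free a file the next valid packet still has to match, which is the premature free this commit fixes. I would put the predicate in a single shared inline helper used by both sites, or at minimum expand the comment to `/* must mirror the detect engine's inspection gate: pruning while detection is skipped frees files a later valid packet still has to match (Bug 2576) */`. Packets of any protocol other than TCP, UDP or SCTP now never reach the prune on this path, so it is worth confirming that files on such flows are released elsewhere (presumably at flow cleanup) so they cannot accumulate. `OutputFileLog` begins and continues outside this hunk.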