From dedfa602dd6663290790c9d25dea3fa66878597d Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 9 Mar 2021 15:22:47 +0100
Subject: [PATCH] dnp3: fixes use after realloc/free in output OutputJsonBuilderBuffer can realloc the buffer So, we need to give it the right reference
---
 src/output-json-dnp3.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/src/output-json-dnp3.c b/src/output-json-dnp3.c
index 9292b1387e..7b2a7192e4 100644
--- a/src/output-json-dnp3.c
+++ b/src/output-json-dnp3.c
@@ -218,9 +218,7 @@ static int JsonDNP3LoggerToServer(ThreadVars *tv, void *thread_data,
 LogDNP3LogThread *thread = (LogDNP3LogThread *)thread_data;
 DNP3Transaction *tx = vtx;
- MemBuffer *buffer = (MemBuffer *)thread->buffer;
-
- MemBufferReset(buffer);
+ MemBufferReset(thread->buffer);
 if (tx->has_request && tx->request_done) {
 JsonBuilder *js = CreateEveHeader(p, LOG_DIR_FLOW, "dnp3", NULL);
 if (unlikely(js == NULL)) {
@@ -232,7 +230,7 @@ static int JsonDNP3LoggerToServer(ThreadVars *tv, void *thread_data,
 jb_open_object(js, "dnp3");
 JsonDNP3LogRequest(js, tx);
 jb_close(js);
- OutputJsonBuilderBuffer(js, thread->file_ctx, &buffer);
+ OutputJsonBuilderBuffer(js, thread->file_ctx, &thread->buffer);
 jb_free(js);
 }
@@ -246,9 +244,7 @@ static int JsonDNP3LoggerToClient(ThreadVars *tv, void *thread_data,
 LogDNP3LogThread *thread = (LogDNP3LogThread *)thread_data;
 DNP3Transaction *tx = vtx;
- MemBuffer *buffer = (MemBuffer *)thread->buffer;
-
- MemBufferReset(buffer);
+ MemBufferReset(thread->buffer);
 if (tx->has_response && tx->response_done) {
 JsonBuilder *js = CreateEveHeader(p, LOG_DIR_FLOW, "dnp3", NULL);
 if (unlikely(js == NULL)) {
@@ -259,7 +255,7 @@ static int JsonDNP3LoggerToClient(ThreadVars *tv, void *thread_data,
 jb_open_object(js, "dnp3");
 JsonDNP3LogResponse(js, tx);
 jb_close(js);
- OutputJsonBuilderBuffer(js, thread->file_ctx, &buffer);
+ OutputJsonBuilderBuffer(js, thread->file_ctx, &thread->buffer);
 jb_free(js);
 }
-- 2.47.2
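Review bot: The two `OutputJsonBuilderBuffer(js, thread->file_ctx, &thread->buffer);` calls, in JsonDNP3LoggerToServer and JsonDNP3LoggerToClient, carry no comment saying why the address of the thread's own field has to be passed, so a later cleanup could reintroduce a local alias and with it the stale pointer after a realloc. A one-line comment above each call would record the constraint from the commit message, for example `/* pass the owning pointer: OutputJsonBuilderBuffer may realloc and update it */`. The removed lines cast `thread->buffer` to `MemBuffer *`, so it is worth confirming that the field is declared as `MemBuffer *`; if it is not, `&thread->buffer` has the wrong type for the callee. Other loggers that hand a local copy of their buffer pointer to OutputJsonBuilderBuffer would presumably have the same problem, but none are visible in this patch. Both function bodies start and end outside the hunks shown.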