From 69ea47dc715d5182cd63eadff92868f72ab03e05 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 29 Nov 2021 10:59:10 +0100
Subject: [PATCH] ftp: do not set alproto if one was already found

Ticket: 4857
If a pattern such as GET is seen ine the beginning of the file transferred over ftp-data, this flow will get recognized as HTTP, and a HTTP state will be created during parsing.
Thus, we cannot override directly alproto's values
This solves the segfault, but not the logical bug that the flow should be classified as FTP-DATA instead of HTTP
(cherry picked from commit dd32238667f08c7211ae4fa27cfe43af7cffd52d)
---
 src/app-layer-expectation.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/app-layer-expectation.c b/src/app-layer-expectation.c
index ee158e94d2..cdd064cc30 100644
--- a/src/app-layer-expectation.c
+++ b/src/app-layer-expectation.c
@@ -323,8 +323,12 @@ AppProto AppLayerExpectationHandle(Flow *f, int direction)
 ((exp->sp == 0) || (exp->sp == f->sp)) &&
 ((exp->dp == 0) || (exp->dp == f->dp))) {
 alproto = exp->alproto;
- f->alproto_ts = alproto;
- f->alproto_tc = alproto;
+ if (f->alproto_ts == ALPROTO_UNKNOWN) {
+ f->alproto_ts = alproto;
+ }
+ if (f->alproto_tc == ALPROTO_UNKNOWN) {
+ f->alproto_tc = alproto;
+ }
 void *fdata = FlowGetStorageById(f, g_expectation_data_id);
 if (fdata) {
 /* We already have an expectation so let's clean this one */
--
2.47.2
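Review bot: The two new guards are evaluated independently, so a flow where only one direction was already detected (the commit message's case, where `GET` at the start of the transferred file makes it HTTP) can leave `f->alproto_ts` and `f->alproto_tc` holding different protocols after this block. Whether the rest of the engine tolerates that mixed state is not visible in the hunk; if it is not intended, a single guard such as `if (f->alproto_ts == ALPROTO_UNKNOWN && f->alproto_tc == ALPROTO_UNKNOWN) {` around both assignments would keep the directions consistent. `alproto = exp->alproto;` also stays unconditional, so if the function returns it (the return is outside the hunk) the caller sees the expectation's protocol even when the flow fields were left untouched. Because such a flow stays classified as HTTP, FTP-DATA rules would presumably not match on it, so a comment at the guards, e.g. `/* keep an already detected alproto: its parser state exists and must not be overridden (ticket 4857) */`, would record why the override is skipped.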