UDP Layer missing (#5271)

* detection: skip detection when UDP outer layer not found

The built-in rule must fire: "116:472 (decode) too many protocols present".
Check "network.layers" configuration.

* log: ensure LogIPPkt won't call LogOuterIPHeader for missing layer

diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc
index 880f35917d709a8ec7b0d80955e58f03b26055ca..22160b58bb2d70eb94ba8d53e4063cb015e7cc98 100644 (file)
--- a/src/detection/fp_detect.cc
+++ b/src/detection/fp_detect.cc
@@ -1195,6 +1195,9 @@ static void fpEvalPacketUdp(Packet* p, FPTask task)
 
     const udp::UDPHdr* udph = layer::get_outer_udp_lyr(p);
 
+    if (!udph)
+        return; // no outer layer found, the inner layer evaluates later
+
     p->ptrs.udph = udph;
     p->ptrs.sp = ntohs(udph->uh_sport);
     p->ptrs.dp = ntohs(udph->uh_dport);

diff --git a/src/log/log_text.cc b/src/log/log_text.cc
index 14bc96aaa4397f0a1df273f85ef58fb1d517bf9e..4c2597ea60fc3a4cabcb1da7556605185a06784e 100644 (file)
--- a/src/log/log_text.cc
+++ b/src/log/log_text.cc
@@ -415,11 +415,11 @@ static void LogOuterIPHeader(TextLog* log, Packet* p)
         uint16_t save_dp = p->ptrs.dp;
 
         const udp::UDPHdr* udph = layer::get_outer_udp_lyr(p);
+        assert(udph);
+
         p->ptrs.sp = ntohs(udph->uh_sport);
         p->ptrs.dp = ntohs(udph->uh_dport);
-
         LogIPHeader(log, p);
-
         p->ptrs.sp = save_sp;
         p->ptrs.dp = save_dp;
     }