From: Oleksii Shumeiko <oshumeik@cisco.com>
Date: Mon, 6 Apr 2026 11:21:59 +0000 (+0300)
Subject: UDP Layer missing (#5271)
X-Git-Tag: 3.12.2.0~24
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9345af1f934912e992d0be8dbe1e63dcdc500340;p=thirdparty%2Fsnort3.git

UDP Layer missing (#5271)

* detection: skip detection when UDP outer layer not found

The built-in rule must fire: "116:472 (decode) too many protocols present".
Check "network.layers" configuration.

* log: ensure LogIPPkt won't call LogOuterIPHeader for missing layer
---

diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc
index 880f35917..22160b58b 100644
--- a/src/detection/fp_detect.cc
+++ b/src/detection/fp_detect.cc
@@ -1195,6 +1195,9 @@ static void fpEvalPacketUdp(Packet* p, FPTask task)
 
     const udp::UDPHdr* udph = layer::get_outer_udp_lyr(p);
 
+    if (!udph)
+        return; // no outer layer found, the inner layer evaluates later
+
     p->ptrs.udph = udph;
     p->ptrs.sp = ntohs(udph->uh_sport);
     p->ptrs.dp = ntohs(udph->uh_dport);
diff --git a/src/log/log_text.cc b/src/log/log_text.cc
index 14bc96aaa..4c2597ea6 100644
--- a/src/log/log_text.cc
+++ b/src/log/log_text.cc
@@ -415,11 +415,11 @@ static void LogOuterIPHeader(TextLog* log, Packet* p)
         uint16_t save_dp = p->ptrs.dp;
 
         const udp::UDPHdr* udph = layer::get_outer_udp_lyr(p);
+        assert(udph);
+
         p->ptrs.sp = ntohs(udph->uh_sport);
         p->ptrs.dp = ntohs(udph->uh_dport);
-
         LogIPHeader(log, p);
-
         p->ptrs.sp = save_sp;
         p->ptrs.dp = save_dp;
     }