From: Shivani Bhardwaj Date: Sat, 11 Oct 2025 08:45:37 +0000 (+0530) Subject: applayer/tls: do not free SAN for decoding error X-Git-Tag: suricata-8.0.2~21 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F14195%2Fhead;p=thirdparty%2Fsuricata.git applayer/tls: do not free SAN for decoding error SSL connp maintains all the state and certificate data that was parsed/decoded successfully and it must retain that for later usage. There should be just one place to free this object which is SSLStateFree for both the directions. By freeing the connp data during parsing error, there is room for memory errors. This works so far because the field parsed after this cannot error out so if there's an error parsing this, it anyway does not exist. However, this is incorrect and leaves scope for mistakes. Remove this extra free and treat SAN like all other TLS keywords. Bug 7996 (cherry picked from commit b090fc61fd11a90113c0d8793b2ef97b6e273068) --- diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c index ba755b44bf..bd5070595a 100644 --- a/src/app-layer-ssl.c +++ b/src/app-layer-ssl.c @@ -333,8 +333,6 @@ static inline int SafeMemcpy(void *dst, size_t dst_offset, size_t dst_size, } \ } while (0) -static void SSLStateCertSANFree(SSLStateConnp *connp); - static void *SSLGetTx(void *state, uint64_t tx_id) { SSLState *ssl_state = (SSLState *)state; @@ -554,7 +552,6 @@ error: if (x509 != NULL) SCX509Free(x509); - SSLStateCertSANFree(connp); return -1; invalid_cert: