From 7e54ee7d0e7dac51c7436724961fdba78af85561 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Wed, 19 Oct 2016 12:52:46 +0200 Subject: [PATCH] flow-timeout: fix memory errors on flow bypass For flow bypass, the flow timeout handling is triggered which may create up to 3 pseudo packets that hold a reference to the flow. However, in the bypass case the code signaled to the timeout logic that the flow can be freed unconditionally by returning 1. This lead to packets going through the engine with a pointer to a now freed/recycled flow. This patch fixes the logic by removing the special bypass case, which seemed redundant anyway. Effectively reverts 68d9677. Bug #1928.
---
 src/flow-manager.c | 9 --------- 1 file changed, 9 deletions(-)
diff --git a/src/flow-manager.c b/src/flow-manager.c
index a1e78b82bb..87292d876d 100644
--- a/src/flow-manager.c
+++ b/src/flow-manager.c
@@ -266,15 +266,6 @@ static int FlowManagerFlowTimedOut(Flow *f, struct timeval *ts)
 int server = 0, client = 0;
- int state = SC_ATOMIC_GET(f->flow_state);
- if ((state == FLOW_STATE_LOCAL_BYPASSED) ||
- (state == FLOW_STATE_CAPTURE_BYPASSED)) {
- if (FlowForceReassemblyNeedReassembly(f, &server, &client) == 1) {
- FlowForceReassemblyForFlow(f, server, client);
- }
- return 1;
- }
-
 if (!(f->flags & FLOW_TIMEOUT_REASSEMBLY_DONE) &&
 FlowForceReassemblyNeedReassembly(f, &server, &client) == 1) {
 FlowForceReassemblyForFlow(f, server, client);
-- 2.47.2