detect: add more defensive checks for flow handling

Don't unconditionally deref f->alparser in detection through DeStateFlowHasInspectableState(). In very rare cases it can be NULL.
11 years ago · 0564a8da3c
parent 2002067fb1
commit 0564a8da3c
2 changed files with 17 additions and 6 deletions
--- a/src/app-layer-parser.c
+++ b/src/app-layer-parser.c
@ -502,14 +502,15 @@ uint64_t AppLayerParserGetTransactionLogId(AppLayerParserState *pstate)
 {
    SCEnter();

-    SCReturnCT(pstate->log_id, "uint64_t");
+    SCReturnCT((pstate == NULL) ? 0 : pstate->log_id, "uint64_t");
 }

 void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate)
 {
    SCEnter();

-    pstate->log_id++;
+    if (pstate != NULL)
+        pstate->log_id++;

    SCReturn;
 }
@ -518,6 +519,9 @@ uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint
 {
    SCEnter();

+    if (pstate == NULL)
+        SCReturnCT(0ULL, "uint64_t");
+
    SCReturnCT(pstate->inspect_id[direction & STREAM_TOSERVER ? 0 : 1], "uint64_t");
 }

--- a/src/detect-engine-state.c
+++ b/src/detect-engine-state.c
@ -212,6 +212,11 @@ void DetectEngineStateFree(DetectEngineState *state)
    return;
 }

+/**
+ *  \retval 0 no inspectable state
+ *  \retval 1 inspectable state
+ *  \retval 2 inspectable state, but no update
+ */
 int DeStateFlowHasInspectableState(Flow *f, AppProto alproto, uint16_t alversion, uint8_t flags)
 {
    int r = 0;
@ -220,10 +225,12 @@ int DeStateFlowHasInspectableState(Flow *f, AppProto alproto, uint16_t alversion
    if (f->de_state == NULL || f->de_state->dir_state[flags & STREAM_TOSERVER ? 0 : 1].cnt == 0) {
        if (AppLayerParserProtocolSupportsTxs(f->proto, alproto)) {
            FLOWLOCK_RDLOCK(f);
-            if (AppLayerParserGetTransactionInspectId(f->alparser, flags) >= AppLayerParserGetTxCnt(f->proto, alproto, f->alstate))
-                r = 2;
-            else
-                r = 0;
+            if (f->alparser != NULL && f->alstate != NULL) {
+                if (AppLayerParserGetTransactionInspectId(f->alparser, flags) >=
+                    AppLayerParserGetTxCnt(f->proto, alproto, f->alstate)) {
+                    r = 2;
+                }
+            }
            FLOWLOCK_UNLOCK(f);
        }
    } else if (!(flags & STREAM_EOF) &&