From 218b5d3ba032f8b7e158ab2325d13b51e0007450 Mon Sep 17 00:00:00 2001
From: Pierre Chifflier
Date: Sat, 3 Mar 2012 14:11:38 +0100
Subject: [PATCH] TLS app layer: misc fixes, reorder some fields to same memory

---
 src/app-layer-tls-handshake.c | 8 ++++++++
 src/detect-tls.c | 2 +-
 src/detect-tls.h | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/app-layer-tls-handshake.c b/src/app-layer-tls-handshake.c
index a2f6a3a9ab..88adb88268 100644
--- a/src/app-layer-tls-handshake.c
+++ b/src/app-layer-tls-handshake.c
@@ -137,6 +137,10 @@ int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uin
 //SCLogInfo("TLS Cert %d: %s\n", i, buffer);
 if (i==0) {
 ssl_state->cert0_subject = SCStrdup(buffer);
+ if (ssl_state->cert0_subject == NULL) {
+ DerFree(cert);
+ return -1;
+ }
 }
 }
 rc = Asn1DerGetIssuerDN(cert, buffer, sizeof(buffer));
@@ -147,6 +151,10 @@ int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uin
 //SCLogInfo("TLS IssuerDN %d: %s\n", i, buffer);
 if (i==0) {
 ssl_state->cert0_issuerdn = SCStrdup(buffer);
+ if (ssl_state->cert0_issuerdn == NULL) {
+ DerFree(cert);
+ return -1;
+ }
 }
 }
 DerFree(cert);
diff --git a/src/detect-tls.c b/src/detect-tls.c
index 7d41970f43..bbcf5a2f83 100644
--- a/src/detect-tls.c
+++ b/src/detect-tls.c
@@ -203,7 +203,7 @@ static DetectTlsData *DetectTlsSubjectParse (char *str)
 ret = pcre_exec(subject_parse_regex, subject_parse_regex_study, str, strlen(str), 0, 0, ov, MAX_SUBSTRINGS);
- if (ret < 1 || ret > 3) {
+ if (ret != 3) {
 SCLogError(SC_ERR_PCRE_MATCH, "invalid tls.subject option");
 goto error;
 }
diff --git a/src/detect-tls.h b/src/detect-tls.h
index 0ed74578ae..550052e8be 100644
--- a/src/detect-tls.h
+++ b/src/detect-tls.h
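Review bot: The assignment `ssl_state->cert0_subject = SCStrdup(buffer);` directly above the added NULL check overwrites the pointer without releasing any value already stored there, so if DecodeTLSHandshakeServerCertificate is run more than once against the same SSLState (a second Certificate message on the same connection, for instance) the earlier string is leaked; the same applies to `cert0_issuerdn` in the second hunk of this file. Releasing the old value first, e.g. `if (ssl_state->cert0_subject != NULL) SCFree(ssl_state->cert0_subject);` before the SCStrdup, closes that hole and still leaves the field NULL when the copy fails. Whether a repeat call is actually reachable depends on the caller, which is outside the hunk; the enclosing function begins before and ends after both hunks. The two new failure blocks also repeat `DerFree(cert); return -1;`, which a single error label at the end of the function would handle once.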
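Review bot: `if (ret != 3)` hard-codes the expected capture count without saying why, so a later change to subject_parse_regex (defined outside the hunk) that adds or removes a group would make every tls.subject option fail with the same "invalid tls.subject option" message; a comment such as `/* whole match + 2 capture groups */` beside the check would make the coupling explicit. The message also lumps a pcre_exec failure (ret < 0) together with a malformed option (ret == PCRE_ERROR_NOMATCH) and a too-small ov vector (ret == 0); including ret in the log line would make rule-load failures easier to diagnose. The enclosing DetectTlsSubjectParse continues outside the hunk.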
@@ -36,9 +36,9 @@ typedef struct DetectTlsData_ {
 uint16_t ver; /** tls version to match */
+ uint32_t flags; /** flags containing match variant (Negation for example) */
 char * subject; /** tls certificate subject substring to match */
 char * issuerdn; /** tls certificate issuerDN substring to match */
- uint32_t flags; /** flags containing match variant (Negation for example) */
 } DetectTlsData;
 /* prototypes */