TLS app layer: misc fixes, reorder some fields to same memory

src/app-layer-tls-handshake.c

@@ -137,6 +137,10 @@ int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uin
                 //SCLogInfo("TLS Cert %d: %s\n", i, buffer);
                 if (i==0) {
                     ssl_state->cert0_subject = SCStrdup(buffer);
+                    if (ssl_state->cert0_subject == NULL) {
+                        DerFree(cert);
+                        return -1;
+                    }
                 }
             }
             rc = Asn1DerGetIssuerDN(cert, buffer, sizeof(buffer));
@@ -147,6 +151,10 @@ int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uin
                 //SCLogInfo("TLS IssuerDN %d: %s\n", i, buffer);
                 if (i==0) {
                     ssl_state->cert0_issuerdn = SCStrdup(buffer);
+                    if (ssl_state->cert0_issuerdn == NULL) {
+                        DerFree(cert);
+                        return -1;
+                    }
                 }
             }
             DerFree(cert);

src/detect-tls.c

@@ -203,7 +203,7 @@ static DetectTlsData *DetectTlsSubjectParse (char *str)
     ret = pcre_exec(subject_parse_regex, subject_parse_regex_study, str, strlen(str), 0, 0,
                     ov, MAX_SUBSTRINGS);
 
-    if (ret < 1 || ret > 3) {
+    if (ret != 3) {
         SCLogError(SC_ERR_PCRE_MATCH, "invalid tls.subject option");
         goto error;
     }

src/detect-tls.h

@@ -36,9 +36,9 @@
 
 typedef struct DetectTlsData_ {
     uint16_t ver; /** tls version to match */
+    uint32_t flags; /** flags containing match variant (Negation for example) */
     char * subject; /** tls certificate subject substring to match */
     char * issuerdn; /** tls certificate issuerDN substring to match */
-    uint32_t flags; /** flags containing match variant (Negation for example) */
 } DetectTlsData;
 
 /* prototypes */