applayer: fix a leak in protocol change

TCPProtoDetect can set f->alproto, change f->alstate,
and return an error.

When the original alstate gets freed, we shall set the pointer
to NULL, as it can get reused.
pull/5452/head
Philippe Antoine 5 years ago committed by Victor Julien
parent 97c67cd5ce
commit 518e0e66cb

@ -1201,7 +1201,7 @@ int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow
if (flags & STREAM_GAP) {
if (!(p->option_flags & APP_LAYER_PARSER_OPT_ACCEPT_GAPS)) {
SCLogDebug("app-layer parser does not accept gaps");
if (f->alstate != NULL) {
if (f->alstate != NULL && !FlowChangeProto(f)) {
AppLayerParserStreamTruncated(f->proto, alproto, f->alstate,
flags);
}
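Review bot: The new `!FlowChangeProto(f)` condition in the STREAM_GAP branch has no comment explaining why the truncation callback is skipped while a protocol change is pending. The call passes `alproto` together with `f->alstate`, so the guard presumably keeps a state object that still belongs to the previous protocol from reaching a different protocol's parser; that is worth stating, e.g. `/* protocol change pending: f->alstate may not match alproto, so skip the truncate callback */`. With the guard in place a gap on such a flow produces no truncation notification at all, so a `SCLogDebug` on the skipped path would make that visible when debugging. AppLayerParserParse starts and ends outside the hunk.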

@ -636,6 +636,7 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
/* rerun protocol detection */
int rd = TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags);
if (f->alproto == ALPROTO_UNKNOWN) {
DEBUG_VALIDATE_BUG_ON(alstate_orig != f->alstate);
// not enough data, revert AppLayerProtoDetectReset to rerun detection
f->alparser = alparser;
f->alproto = f->alproto_orig;
@ -644,10 +645,13 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
} else {
FlowUnsetChangeProtoFlag(f);
AppLayerParserStateProtoCleanup(f->protomap, f->alproto_orig, alstate_orig, alparser);
if (alstate_orig == f->alstate) {
// we just freed it
f->alstate = NULL;
}
}
if (rd != 0) {
SCLogDebug("proto detect failure");
f->alstate = NULL;
goto failure;
}
SCLogDebug("protocol change, old %s, new %s",
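Review bot: In the `else` branch, `alstate_orig == f->alstate` is evaluated after `AppLayerParserStateProtoCleanup()` has been handed `alstate_orig`, and the comment `// we just freed it` confirms the pointer is already dangling at that point. The value of a freed pointer is indeterminate in C even when it is only compared, so the test is better taken first: `const bool same_state = (alstate_orig == f->alstate);` before the cleanup call, then `if (same_state) f->alstate = NULL;`. The page has lost its +/- markers, so it is unclear whether `f->alstate = NULL;` under `rd != 0` is still on the new side; if it is, it would drop a state that TCPProtoDetect installed without freeing it. AppLayerHandleTCPData starts and ends outside the hunk.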
