ftp: do not set alproto if one was already found

Ticket: 4857 If a pattern such as GET is seen ine the beginning of the file transferred over ftp-data, this flow will get recognized as HTTP, and a HTTP state will be created during parsing. Thus, we cannot override directly alproto's values This solves the segfault, but not the logical bug that the flow should be classified as FTP-DATA instead of HTTP
OISF · Nov 29, 2021 · 71489d0 · 71489d0
1 parent c9d222a
commit 71489d0
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/src/app-layer-expectation.c b/src/app-layer-expectation.c
@@ -324,8 +324,12 @@ AppProto AppLayerExpectationHandle(Flow *f, uint8_t flags)
         if ((exp->direction & flags) && ((exp->sp == 0) || (exp->sp == f->sp)) &&
                 ((exp->dp == 0) || (exp->dp == f->dp))) {
             alproto = exp->alproto;
-            f->alproto_ts = alproto;
-            f->alproto_tc = alproto;
+            if (f->alproto_ts == ALPROTO_UNKNOWN) {
+                f->alproto_ts = alproto;
+            }
+            if (f->alproto_tc == ALPROTO_UNKNOWN) {
+                f->alproto_tc = alproto;
+            }
             void *fdata = FlowGetStorageById(f, g_flow_expectation_id);
             if (fdata) {
                 /* We already have an expectation so let's clean this one */