Various fixes v1

rules/decoder-events.rules

@@ -8,6 +8,7 @@ alert pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option"; decode-even
 alert pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; decode-event:ipv4.opt_invalid_len; sid:2200005; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv4 malformed option"; decode-event:ipv4.opt_malformed; sid:2200006; rev:1;)
 #alert pkthdr any any -> any any (msg:"SURICATA IPv4 padding required "; decode-event:ipv4.opt_pad_required; sid:2200007; rev:1;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv4 with ICMPv6 header"; decode-event:ipv4.icmpv6; sid:2200092; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv4 option end of list required"; decode-event:ipv4.opt_eol_required; sid:2200008; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv4 duplicated IP option"; decode-event:ipv4.opt_duplicate; sid:2200009; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv4 unknown IP option"; decode-event:ipv4.opt_unknown; sid:2200010; rev:1;)
@@ -105,5 +106,5 @@ alert pkthdr any any -> any any (msg:"SURICATA IPv4-in-IPv6 invalid protocol"; d
 alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 packet too short"; decode-event:ipv6.ipv6_in_ipv6_too_small; sid:2200084; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 invalid protocol"; decode-event:ipv6.ipv6_in_ipv6_wrong_version; sid:2200085; rev:1;)
 
-# next sid is 2200092
+# next sid is 2200093
 

src/decode-events.h

@@ -42,6 +42,7 @@ enum {
     IPV4_OPT_DUPLICATE,             /**< duplicated ip option */
     IPV4_OPT_UNKNOWN,               /**< unknown ip option */
     IPV4_WRONG_IP_VER,              /**< wrong ip version in ip options */
+    IPV4_WITH_ICMPV6,               /**< IPv4 packet with ICMPv6 header */
 
     /* ICMP EVENTS */
     ICMPV4_PKT_TOO_SMALL,           /**< icmpv4 packet smaller than minimum size */

src/decode-ipv4.c

@@ -594,6 +594,9 @@ int DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, u
                           IPV4_GET_IPLEN(p) -  IPV4_GET_HLEN(p), pq);
             }
             break;
+        case IPPROTO_ICMPV6:
+            ENGINE_SET_INVALID_EVENT(p, IPV4_WITH_ICMPV6);
+            break;
     }
 
     return TM_ECODE_OK;

src/detect-engine-event.h

@@ -55,6 +55,7 @@ struct DetectEngineEvents_ {
     { "ipv4.opt_duplicate", IPV4_OPT_DUPLICATE, },
     { "ipv4.opt_unknown", IPV4_OPT_UNKNOWN, },
     { "ipv4.wrong_ip_version", IPV4_WRONG_IP_VER, },
+    { "ipv4.icmpv6", IPV4_WITH_ICMPV6, },
 
     /* ICMP EVENTS */
     { "icmpv4.pkt_too_small", ICMPV4_PKT_TOO_SMALL, },

src/flow.h

@@ -521,8 +521,17 @@ static inline void FlowDecrUsecnt(Flow *f)
     (void) SC_ATOMIC_SUB(f->use_cnt, 1);
 }
 
+/** \brief Reference the flow, bumping the flows use_cnt
+ *  \note This should only be called once for a destination
+ *        pointer */
 static inline void FlowReference(Flow **d, Flow *f) {
     if (likely(f != NULL)) {
+#ifdef DEBUG_VALIDATION
+        BUG_ON(*d == f);
+#else
+        if (*d == f)
+            return;
+#endif
         FlowIncrUsecnt(f);
         *d = f;
     }

src/source-af-packet.c

@@ -1683,6 +1683,11 @@ TmEcode DecodeAFP(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, Packet
     SCEnter();
     DecodeThreadVars *dtv = (DecodeThreadVars *)data;
 
+    /* XXX HACK: flow timeout can call us for injected pseudo packets
+     *           see bug: https://redmine.openinfosecfoundation.org/issues/1107 */
+    if (p->flags & PKT_PSEUDO_STREAM_END)
+        return TM_ECODE_OK;
+
     /* update counters */
     SCPerfCounterIncr(dtv->counter_pkts, tv->sc_perf_pca);
 //    SCPerfCounterIncr(dtv->counter_pkts_per_sec, tv->sc_perf_pca);

src/source-erf-dag.c

@@ -591,6 +591,11 @@ TmEcode DecodeErfDag(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
     SCEnter();
     DecodeThreadVars *dtv = (DecodeThreadVars *)data;
 
+    /* XXX HACK: flow timeout can call us for injected pseudo packets
+     *           see bug: https://redmine.openinfosecfoundation.org/issues/1107 */
+    if (p->flags & PKT_PSEUDO_STREAM_END)
+        return TM_ECODE_OK;
+
     /* update counters */
     SCPerfCounterIncr(dtv->counter_pkts, tv->sc_perf_pca);
 //    SCPerfCounterIncr(dtv->counter_pkts_per_sec, tv->sc_perf_pca);

src/source-erf-file.c

@@ -276,6 +276,11 @@ DecodeErfFile(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueu
     SCEnter();
     DecodeThreadVars *dtv = (DecodeThreadVars *)data;
 
+    /* XXX HACK: flow timeout can call us for injected pseudo packets
+     *           see bug: https://redmine.openinfosecfoundation.org/issues/1107 */
+    if (p->flags & PKT_PSEUDO_STREAM_END)
+        return TM_ECODE_OK;
+
     /* Update counters. */
     SCPerfCounterIncr(dtv->counter_pkts, tv->sc_perf_pca);
 //    SCPerfCounterIncr(dtv->counter_pkts_per_sec, tv->sc_perf_pca);

src/source-ipfw.c

@@ -440,6 +440,11 @@ TmEcode DecodeIPFW(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, Packe
 
     SCEnter();
 
+    /* XXX HACK: flow timeout can call us for injected pseudo packets
+     *           see bug: https://redmine.openinfosecfoundation.org/issues/1107 */
+    if (p->flags & PKT_PSEUDO_STREAM_END)
+        return TM_ECODE_OK;
+
     /* update counters */
     SCPerfCounterIncr(dtv->counter_pkts, tv->sc_perf_pca);
     SCPerfCounterAddUI64(dtv->counter_bytes, tv->sc_perf_pca, GET_PKT_LEN(p));

src/source-mpipe.c

@@ -1023,6 +1023,11 @@ TmEcode DecodeMpipe(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
     SCEnter();
     DecodeThreadVars *dtv = (DecodeThreadVars *)data;
 
+    /* XXX HACK: flow timeout can call us for injected pseudo packets
+     *           see bug: https://redmine.openinfosecfoundation.org/issues/1107 */
+    if (p->flags & PKT_PSEUDO_STREAM_END)
+        return TM_ECODE_OK;
+
     /* update counters */
     SCPerfCounterIncr(dtv->counter_pkts, tv->sc_perf_pca);
 //    SCPerfCounterIncr(dtv->counter_pkts_per_sec, tv->sc_perf_pca);

src/source-napatech.c

@@ -355,6 +355,11 @@ TmEcode NapatechDecode(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
 
     DecodeThreadVars *dtv = (DecodeThreadVars *)data;
 
+    /* XXX HACK: flow timeout can call us for injected pseudo packets
+     *           see bug: https://redmine.openinfosecfoundation.org/issues/1107 */
+    if (p->flags & PKT_PSEUDO_STREAM_END)
+        return TM_ECODE_OK;
+
     /* update counters */
     SCPerfCounterIncr(dtv->counter_pkts, tv->sc_perf_pca);
 //    SCPerfCounterIncr(dtv->counter_pkts_per_sec, tv->sc_perf_pca);

src/source-nfq.c

@@ -1200,6 +1200,11 @@ TmEcode DecodeNFQ(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, Packet
     IPV6Hdr *ip6h = (IPV6Hdr *)GET_PKT_DATA(p);
     DecodeThreadVars *dtv = (DecodeThreadVars *)data;
 
+    /* XXX HACK: flow timeout can call us for injected pseudo packets
+     *           see bug: https://redmine.openinfosecfoundation.org/issues/1107 */
+    if (p->flags & PKT_PSEUDO_STREAM_END)
+        return TM_ECODE_OK;
+
     SCPerfCounterIncr(dtv->counter_pkts, tv->sc_perf_pca);
     SCPerfCounterAddUI64(dtv->counter_bytes, tv->sc_perf_pca, GET_PKT_LEN(p));
     SCPerfCounterAddUI64(dtv->counter_avg_pkt_size, tv->sc_perf_pca, GET_PKT_LEN(p));

src/source-pcap-file.c

@@ -385,6 +385,11 @@ TmEcode DecodePcapFile(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, P
     SCEnter();
     DecodeThreadVars *dtv = (DecodeThreadVars *)data;
 
+    /* XXX HACK: flow timeout can call us for injected pseudo packets
+     *           see bug: https://redmine.openinfosecfoundation.org/issues/1107 */
+    if (p->flags & PKT_PSEUDO_STREAM_END)
+        return TM_ECODE_OK;
+
     /* update counters */
     SCPerfCounterIncr(dtv->counter_pkts, tv->sc_perf_pca);
 //    SCPerfCounterIncr(dtv->counter_pkts_per_sec, tv->sc_perf_pca);

src/source-pcap.c

@@ -707,6 +707,11 @@ TmEcode DecodePcap(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, Packe
     SCEnter();
     DecodeThreadVars *dtv = (DecodeThreadVars *)data;
 
+    /* XXX HACK: flow timeout can call us for injected pseudo packets
+     *           see bug: https://redmine.openinfosecfoundation.org/issues/1107 */
+    if (p->flags & PKT_PSEUDO_STREAM_END)
+        return TM_ECODE_OK;
+
     /* update counters */
     SCPerfCounterIncr(dtv->counter_pkts, tv->sc_perf_pca);
 //    SCPerfCounterIncr(dtv->counter_pkts_per_sec, tv->sc_perf_pca);

src/source-pfring.c

@@ -570,6 +570,11 @@ TmEcode DecodePfring(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, Pac
 {
     DecodeThreadVars *dtv = (DecodeThreadVars *)data;
 
+    /* XXX HACK: flow timeout can call us for injected pseudo packets
+     *           see bug: https://redmine.openinfosecfoundation.org/issues/1107 */
+    if (p->flags & PKT_PSEUDO_STREAM_END)
+        return TM_ECODE_OK;
+
     /* update counters */
     SCPerfCounterIncr(dtv->counter_pkts, tv->sc_perf_pca);
 //    SCPerfCounterIncr(dtv->counter_pkts_per_sec, tv->sc_perf_pca);

src/util-validate.h

@@ -73,16 +73,18 @@
         if ((p)->flow != NULL) {                    \
             DEBUG_VALIDATE_FLOW((p)->flow);         \
         }                                           \
-        if ((p)->proto == IPPROTO_TCP) {            \
-            BUG_ON((p)->tcph == NULL);              \
-        } else if ((p)->proto == IPPROTO_UDP) {     \
-            BUG_ON((p)->udph == NULL);              \
-        } else if ((p)->proto == IPPROTO_ICMP) {    \
-            BUG_ON((p)->icmpv4h == NULL);           \
-        } else if ((p)->proto == IPPROTO_SCTP) {    \
-            BUG_ON((p)->sctph == NULL);             \
-        } else if ((p)->proto == IPPROTO_ICMPV6) {  \
-            BUG_ON((p)->icmpv6h == NULL);           \
+        if (!((p)->flags & (PKT_IS_FRAGMENT|PKT_IS_INVALID))) {          \
+            if ((p)->proto == IPPROTO_TCP) {            \
+                BUG_ON((p)->tcph == NULL);              \
+            } else if ((p)->proto == IPPROTO_UDP) {     \
+                BUG_ON((p)->udph == NULL);              \
+            } else if ((p)->proto == IPPROTO_ICMP) {    \
+                BUG_ON((p)->icmpv4h == NULL);           \
+            } else if ((p)->proto == IPPROTO_SCTP) {    \
+                BUG_ON((p)->sctph == NULL);             \
+            } else if ((p)->proto == IPPROTO_ICMPV6) {  \
+                BUG_ON((p)->icmpv6h == NULL);           \
+            }                                           \
         }                                           \
         if ((p)->payload_len > 0) {                 \
             BUG_ON((p)->payload == NULL);           \