From a277f2eb0c773a0e9c88a720a7984c5be3fca93a Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Sun, 26 May 2019 23:44:03 +0200
Subject: [PATCH] af-packet: fix use after free on config ASAN did find that afp config was used after free. This was in fact done in the Flow bypass manager hence this patch.
---
 src/runmode-af-packet.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/runmode-af-packet.c b/src/runmode-af-packet.c
index 3dbc5fd60b..e499267920 100644
--- a/src/runmode-af-packet.c
+++ b/src/runmode-af-packet.c
@@ -440,10 +440,16 @@ static void *ParseAFPConfig(const char *iface)
 aconf->iface);
 aconf->flags |= AFP_BYPASS;
 RunModeEnablesBypassManager();
- BypassedFlowManagerRegisterCheckFunc(EBPFCheckBypassedFlowTimeout,
- NULL,
- (void *) &(aconf->ebpf_t_config));
- BypassedFlowManagerRegisterUpdateFunc(EBPFUpdateFlow, NULL);
+ struct ebpf_timeout_config *ebt = SCCalloc(1, sizeof(struct ebpf_timeout_config));
+ if (ebt == NULL) {
+ SCLogError(SC_ERR_MEM_ALLOC, "Flow bypass alloc error");
+ } else {
+ memcpy(ebt, &(aconf->ebpf_t_config), sizeof(struct ebpf_timeout_config));
+ BypassedFlowManagerRegisterCheckFunc(EBPFCheckBypassedFlowTimeout,
+ NULL,
+ (void *)ebt);
+ BypassedFlowManagerRegisterUpdateFunc(EBPFUpdateFlow, NULL);
+ }
 #else
 SCLogError(SC_ERR_UNIMPLEMENTED, "Bypass set but eBPF support is not built-in");
 #endif
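Review bot: In the `ebt == NULL` branch the code only logs, but `aconf->flags |= AFP_BYPASS;` and `RunModeEnablesBypassManager();` have already run just above, so on allocation failure bypass stays enabled with no check or update function registered. Clearing the flag in that branch with `aconf->flags &= ~AFP_BYPASS;`, or allocating before the flag is set, would avoid that half-configured state; how the manager behaves with no callbacks is not visible here, so this needs confirming. The `memcpy` also freezes `ebpf_t_config` at this point, so any field ParseAFPConfig writes to `aconf->ebpf_t_config` later (outside this hunk) would not reach the manager's copy. Nothing in the hunk frees `ebt`, which is presumably intentional, and a comment such as `/* private copy: aconf may be freed while the bypass manager still runs; ebt is never freed here */` would record that ownership. ParseAFPConfig starts and ends outside the hunk.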