detect/files: don't prune files for bad packets

A bad packet (rejected by stream engine) could still trigger a file prune, even though (most of the) detection wouldn't happen for the packet. The next valid packet would then not be able to match on the file, as it was already freed. This patch uses the same logic before file pruning as in the detect engine. Bug: 2576
7 years ago · d58f81d01b
parent acd30a4397
commit d58f81d01b
1 changed files with 8 additions and 1 deletions
--- a/src/output-file.c
+++ b/src/output-file.c
@ -176,7 +176,14 @@ static TmEcode OutputFileLog(ThreadVars *tv, Packet *p, void *thread_data)
            }
        }

-        FilePrune(ffc);
+        /* only prune for accepted packets, as detection might skip
+         * inspection. */
+        if ((p->proto == IPPROTO_TCP && (p->flags & PKT_STREAM_EST)) ||
+                (p->proto == IPPROTO_UDP) ||
+                (p->proto == IPPROTO_SCTP && (p->flowflags & FLOW_PKT_ESTABLISHED)))
+        {
+            FilePrune(ffc);
+        }
    }

    return TM_ECODE_OK;