Ticket: 8156
In case of non-tx alerts, we try to loop over all the txs to find
the xff header. Do not start from tx_id 0, but from min_id,
as AppLayerParserTransactionsCleanup does, to skip txs that were freed
(cherry picked from commit
3b1a6c1711b8f7d0bde4cb05f15cf50c751eda60)
Origin: upstream, https://github.com/OISF/suricata/commit/
44d0c81f537f230e9215c769453fb4d7214217a1.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8156
Subject: Upstream fix for CVE-2026-22261 part 1
Gbp-Pq: Name CVE-2026-22261_1.patch
int HttpXFFGetIP(const Flow *f, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
{
HtpState *htp_state = NULL;
- uint64_t tx_id = 0;
+ uint64_t tx_id = AppLayerParserGetMinId(f->alparser);
uint64_t total_txs = 0;
htp_state = (HtpState *)FlowGetAppState(f);
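Review bot: The new initializer of `tx_id` in HttpXFFGetIP has no comment saying why the scan no longer starts at 0, so a later cleanup could quietly revert it. I would add `/* start at min_id: lower tx ids were already freed by AppLayerParserTransactionsCleanup */` above the declaration. The loop and the `htp_state` NULL check lie outside this hunk, so it cannot be confirmed here that the loop is bounded as `tx_id < total_txs`; if it is, a min_id above `total_txs` simply yields no iterations. The scan per non-tx alert presumably stays linear in the number of transactions still held, which is worth keeping in mind when sizing the fix.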
SCReturnCT((pstate == NULL) ? 0 : pstate->log_id, "uint64_t");
}
+uint64_t AppLayerParserGetMinId(AppLayerParserState *pstate)
+{
+ SCEnter();
+
+ SCReturnCT((pstate == NULL) ? 0 : pstate->min_id, "uint64_t");
+}
+
void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate, uint64_t tx_id)
{
SCEnter();
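Review bot: AppLayerParserGetMinId is added without a doc comment, and its NULL behaviour is not written down: a NULL `pstate` returns 0, which a caller cannot tell apart from a real min_id of 0. For the HttpXFFGetIP caller that is a safe fallback (the scan just starts at the beginning), but the contract should be stated, for example `/** \brief lowest tx id still tracked by the parser state; 0 if pstate is NULL */`, with the wording checked against how min_id is maintained elsewhere in the file. The function only reads `pstate`, so `const AppLayerParserState *pstate` would fit, although the neighbouring log-id getter also takes a non-const pointer, so keeping the signatures parallel may be intended.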
uint64_t AppLayerParserGetTransactionLogId(AppLayerParserState *pstate);
+uint64_t AppLayerParserGetMinId(AppLayerParserState *pstate);
void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate, uint64_t tx_id);
uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction);