From 7638b918c926d5c668290074184f50c4628d33ae Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Tue, 9 Dec 2025 09:21:58 +0100 Subject: [PATCH] [PATCH 1/2] output: optimize loop for finding alert http xff Ticket: 8156 In case of non-tx alerts, we try to loop over all the txs to find the xff header. Do not start from tx_id 0, but from min_id as AppLayerParserTransactionsCleanup to skip txs that were freed (cherry picked from commit 3b1a6c1711b8f7d0bde4cb05f15cf50c751eda60) Origin: upstream, https://github.com/OISF/suricata/commit/44d0c81f537f230e9215c769453fb4d7214217a1.patch Bug: https://redmine.openinfosecfoundation.org/issues/8156 Subject: Upstream fix for CVE-2026-22261 part 1 Gbp-Pq: Name CVE-2026-22261_1.patch --- src/app-layer-htp-xff.c | 2 +- src/app-layer-parser.c | 7 +++++++ src/app-layer-parser.h | 1 + 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/src/app-layer-htp-xff.c b/src/app-layer-htp-xff.c index c145e581..6eae5b1b 100644 --- a/src/app-layer-htp-xff.c +++ b/src/app-layer-htp-xff.c @@ -180,7 +180,7 @@ int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg, int HttpXFFGetIP(const Flow *f, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen) { HtpState *htp_state = NULL; - uint64_t tx_id = 0; + uint64_t tx_id = AppLayerParserGetMinId(f->alparser); uint64_t total_txs = 0; htp_state = (HtpState *)FlowGetAppState(f); diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c index b3b96785..df967410 100644 --- a/src/app-layer-parser.c +++ b/src/app-layer-parser.c @@ -716,6 +716,13 @@ uint64_t AppLayerParserGetTransactionLogId(AppLayerParserState *pstate) SCReturnCT((pstate == NULL) ? 0 : pstate->log_id, "uint64_t"); } +uint64_t AppLayerParserGetMinId(AppLayerParserState *pstate) +{ + SCEnter(); + + SCReturnCT((pstate == NULL) ? 0 : pstate->min_id, "uint64_t"); +} + void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate, uint64_t tx_id) { SCEnter(); diff --git a/src/app-layer-parser.h b/src/app-layer-parser.h index d27a08c8..af8b2a88 100644 --- a/src/app-layer-parser.h +++ b/src/app-layer-parser.h @@ -228,6 +228,7 @@ void AppLayerParserDestroyProtocolParserLocalStorage(uint8_t ipproto, AppProto a uint64_t AppLayerParserGetTransactionLogId(AppLayerParserState *pstate); +uint64_t AppLayerParserGetMinId(AppLayerParserState *pstate); void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate, uint64_t tx_id); uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction); -- 2.30.2