From 47eacf3deefd0b76e80d44f7fae6ef0982c20553 Mon Sep 17 00:00:00 2001 From: Jason Ish Date: Thu, 16 Jan 2025 14:10:39 -0600 Subject: [PATCH] ndpi: check for flow earlier in eve callback The eve callback in ndpi requires a flow, so bail earlier if there is no flow. --- plugins/ndpi/ndpi.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/plugins/ndpi/ndpi.c b/plugins/ndpi/ndpi.c index 55fbeb2c8336..56fe0e69a793 100644 --- a/plugins/ndpi/ndpi.c +++ b/plugins/ndpi/ndpi.c @@ -440,6 +440,11 @@ static void DetectnDPIRiskFree(DetectEngineCtx *de_ctx, void *ptr) static void EveCallback(ThreadVars *tv, const Packet *p, Flow *f, JsonBuilder *jb, void *data) { + /* Adding ndpi info to EVE requires a flow. */ + if (f == NULL) { + return; + } + struct NdpiThreadContext *threadctx = ThreadGetStorageById(tv, thread_storage_id); struct NdpiFlowContext *flowctx = FlowGetStorageById(f, flow_storage_id); ndpi_serializer serializer; @@ -448,9 +453,6 @@ static void EveCallback(ThreadVars *tv, const Packet *p, Flow *f, JsonBuilder *j SCLogDebug("EveCallback: tv=%p, p=%p, f=%p", tv, p, f); - if (f == NULL) - return; - ndpi_init_serializer(&serializer, ndpi_serialization_format_inner_json); /* Use ndpi_dpi2json to get a JSON with nDPI metadata */