ndpi: check for flow earlier in eve callback

The eve callback in ndpi requires a flow, so bail earlier if there is no flow.
OISF · Jan 16, 2025 · 47eacf3 · 47eacf3
1 parent ad50851
commit 47eacf3
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/plugins/ndpi/ndpi.c b/plugins/ndpi/ndpi.c
@@ -440,6 +440,11 @@ static void DetectnDPIRiskFree(DetectEngineCtx *de_ctx, void *ptr)
 
 static void EveCallback(ThreadVars *tv, const Packet *p, Flow *f, JsonBuilder *jb, void *data)
 {
+    /* Adding ndpi info to EVE requires a flow. */
+    if (f == NULL) {
+        return;
+    }
+
     struct NdpiThreadContext *threadctx = ThreadGetStorageById(tv, thread_storage_id);
     struct NdpiFlowContext *flowctx = FlowGetStorageById(f, flow_storage_id);
     ndpi_serializer serializer;
@@ -448,9 +453,6 @@ static void EveCallback(ThreadVars *tv, const Packet *p, Flow *f, JsonBuilder *j
 
     SCLogDebug("EveCallback: tv=%p, p=%p, f=%p", tv, p, f);
 
-    if (f == NULL)
-        return;
-
     ndpi_init_serializer(&serializer, ndpi_serialization_format_inner_json);
 
     /* Use ndpi_dpi2json to get a JSON with nDPI metadata */