From 34bb107f2c450c1a5d48ed76235ba98a344de72b Mon Sep 17 00:00:00 2001
From: Pablo Rincon
Date: Wed, 21 Jul 2010 19:57:49 +0200
Subject: [PATCH] Fix for bug 207 (depth/offset not correctly updated on certain cases)
---
 src/detect-content.c | 31 ++++++++++++++++++++-----------
 src/detect-depth.c | 26 ++++++++++++--------------
 src/detect-offset.c | 32 ++++++++++++++------------------
 src/detect-uricontent.c | 14 +++++++-------
 4 files changed, 53 insertions(+), 50 deletions(-)
diff --git a/src/detect-content.c b/src/detect-content.c
index 461dac410b..7bfc1ae49c 100644
--- a/src/detect-content.c
+++ b/src/detect-content.c
@@ -1134,7 +1134,8 @@ int DetectContentParseTest19(void)
 data->flags & DETECT_CONTENT_WITHIN ||
 !(data->flags & DETECT_CONTENT_DISTANCE) ||
 data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
+ data->flags & DETECT_CONTENT_NEGATED ||
+ result == 0) {
 result = 0;
 goto end;
 }
@@ -1161,7 +1162,8 @@ int DetectContentParseTest19(void)
 !(data->flags & DETECT_CONTENT_WITHIN) ||
 data->flags & DETECT_CONTENT_DISTANCE ||
 data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
+ data->flags & DETECT_CONTENT_NEGATED ||
+ result == 0) {
 result = 0;
 goto end;
 }
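Review bot: Appending `|| result == 0` to the flag check in DetectContentParseTest19 mixes two unrelated failure causes in one condition, and (as the hunk at 1190 shows) a failed `result &= (...)` comparison is only noticed at the start of the following block. A separate `if (result == 0) goto end;` placed directly after each `result &=` line would stop at the comparison that actually failed and keep the flag checks readable. The same pattern repeats in the hunks at 1161, 1190, 1230, 1259, 1287, 1315 and 1343. The function body starts and ends outside these hunks, so whether the last `result &=` is checked before the return is not visible here.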
@@ -1190,22 +1192,24 @@ int DetectContentParseTest19(void)
 !(data->flags & DETECT_CONTENT_WITHIN) ||
 data->flags & DETECT_CONTENT_DISTANCE ||
 data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
+ data->flags & DETECT_CONTENT_NEGATED ||
+ result == 0) {
 result = 0;
 goto end;
 }
- result &= (data->within == 10 && data->offset == 10 && data->depth == 13);
+ result &= (data->within == 10 && data->offset == 10 && data->depth == 23);
 data = (DetectContentData *)s->dmatch->ctx;
 if (data->flags & DETECT_CONTENT_RAWBYTES ||
 data->flags & DETECT_CONTENT_NOCASE ||
 data->flags & DETECT_CONTENT_WITHIN ||
 !(data->flags & DETECT_CONTENT_DISTANCE) ||
 data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
+ data->flags & DETECT_CONTENT_NEGATED ||
+ result == 0) {
 result = 0;
 goto end;
 }
- result &= (data->offset == 5 && data->depth == 9);
+ result &= (data->offset == 5 && data->depth == 14);
 s->next = SigInit(de_ctx, "alert tcp any any -> any any "
 "(msg:\"Testing bytejump_body\"; "
@@ -1230,7 +1234,8 @@ int DetectContentParseTest19(void)
 data->flags & DETECT_CONTENT_WITHIN ||
 !(data->flags & DETECT_CONTENT_DISTANCE) ||
 data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
+ data->flags & DETECT_CONTENT_NEGATED ||
+ result == 0) {
 result = 0;
 goto end;
 }
@@ -1259,7 +1264,8 @@ int DetectContentParseTest19(void)
 !(data->flags & DETECT_CONTENT_WITHIN) ||
 !(data->flags & DETECT_CONTENT_DISTANCE) ||
 data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
+ data->flags & DETECT_CONTENT_NEGATED ||
+ result == 0) {
 result = 0;
 goto end;
 }
@@ -1287,7 +1293,8 @@ int DetectContentParseTest19(void)
 data->flags & DETECT_CONTENT_WITHIN ||
 !(data->flags & DETECT_CONTENT_DISTANCE) ||
 data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
+ data->flags & DETECT_CONTENT_NEGATED ||
+ result == 0) {
 result = 0;
 goto end;
 }
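Review bot: The new expected values `data->depth == 23` and `data->depth == 14` in the hunk at 1190 are not explained in the test, so a reader cannot tell that they are the stored end position rather than the depth written in the rule. A one-line comment above each check would do, for example `/* depth is stored as offset + depth: 10 + 13 */` and `/* offset + depth: 5 + 9 */`. The `depth != 15` expectations in the DetectUriSigTest04 hunks of detect-uricontent.c would benefit from the same comment. The rule strings are outside the hunks, so the operands here are inferred from the old expected values.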
@@ -1315,7 +1322,8 @@ int DetectContentParseTest19(void)
 data->flags & DETECT_CONTENT_WITHIN ||
 !(data->flags & DETECT_CONTENT_DISTANCE) ||
 data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
+ data->flags & DETECT_CONTENT_NEGATED ||
+ result == 0) {
 result = 0;
 goto end;
 }
@@ -1343,7 +1351,8 @@ int DetectContentParseTest19(void)
 data->flags & DETECT_CONTENT_WITHIN ||
 !(data->flags & DETECT_CONTENT_DISTANCE) ||
 data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
+ data->flags & DETECT_CONTENT_NEGATED ||
+ result == 0) {
 result = 0;
 goto end;
 }
diff --git a/src/detect-depth.c b/src/detect-depth.c
index 5b556f6e68..b967e28fdf 100644
--- a/src/detect-depth.c
+++ b/src/detect-depth.c
@@ -104,14 +104,13 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
 return -1;
 }
 ud->depth = (uint32_t)atoi(str);
- if (ud->uricontent_len + ud->offset > ud->depth) {
- uint32_t depth = (ud->depth > ud->uricontent_len) ?
- ud->depth : ud->uricontent_len;
- ud->depth = ud->offset + depth;
-
- SCLogDebug("depth increased to %"PRIu32" to match pattern len "
- "and offset", ud->depth);
+ if (ud->depth < ud->uricontent_len) {
+ ud->depth = ud->uricontent_len;
+ SCLogDebug("depth increased to %"PRIu32" to match pattern len ",
+ ud->depth);
 }
+ /* Now update the real limit, as depth is relative to the offset */
+ ud->depth += ud->offset;
 }
 break;
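Review bot: `ud->depth += ud->offset;` in DetectDepthSetup is an unchecked addition on what the `(uint32_t)` cast and `PRIu32` suggest are 32-bit fields, so a large depth or offset wraps and leaves a stored limit smaller than the offset. Because `atoi` is cast straight to `uint32_t` on the context line above, a negative or out-of-range number in the rule could produce such a value if the parsing before this line lets it through, and the signature would then load but silently never match. Rejecting the rule is safer: `if (ud->depth > UINT32_MAX - ud->offset) return -1;` before the addition, with whatever cleanup the earlier `return -1` path of this function uses (it lies outside the hunk). The same applies to `cd->depth += cd->offset;` in the second hunk of this file and to both additions in DetectOffsetSetup in detect-offset.c.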
@@ -124,14 +123,13 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths return -1; } cd->depth = (uint32_t)atoi(str); - if (cd->content_len + cd->offset > cd->depth) { - uint32_t depth = (cd->depth > cd->content_len) ? - cd->depth : cd->content_len; - cd->depth = cd->offset + depth; - - SCLogDebug("depth increased to %"PRIu32" to match pattern len " - "and offset", cd->depth); + if (cd->depth < cd->content_len) { + cd->depth = cd->content_len; + SCLogDebug("depth increased to %"PRIu32" to match pattern len ", + cd->depth); } + /* Now update the real limit, as depth is relative to the offset */ + cd->depth += cd->offset; } break; diff --git a/src/detect-offset.c b/src/detect-offset.c index 6a4351b313..ab20207a1a 100644 --- a/src/detect-offset.c +++ b/src/detect-offset.c @@ -104,16 +104,14 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr) return -1; } ud->offset = (uint32_t)atoi(str); - if (ud->depth != 0 && (ud->uricontent_len + ud->offset) > ud->depth) { - if (ud->depth > ud->uricontent_len) { - SCLogDebug("depth increased to %"PRIu32" to match pattern len" - " and offset", ud->depth + ud->offset); - ud->depth += ud->offset; - } else { - SCLogDebug("depth increased to %"PRIu32" to match pattern len" - " and offset", ud->uricontent_len + ud->offset); - ud->depth = ud->uricontent_len + ud->offset; + if (ud->depth != 0) { + if (ud->depth < ud->uricontent_len) { + SCLogDebug("depth increased to %"PRIu32" to match pattern len", + ud->uricontent_len); + ud->depth = ud->uricontent_len; } + /* Updating the depth as is relative to the offset */ + ud->depth += ud->offset; } break; 
@@ -125,16 +123,14 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
 return -1;
 }
 cd->offset = (uint32_t)atoi(str);
- if (cd->depth != 0 && (cd->content_len + cd->offset) > cd->depth) {
- if (cd->depth > cd->content_len) {
- SCLogDebug("depth increased to %"PRIu32" to match pattern len"
- " and offset", cd->depth + cd->offset);
- cd->depth += cd->offset;
- } else {
- SCLogDebug("depth increased to %"PRIu32" to match pattern len"
- " and offset", cd->content_len + cd->offset);
- cd->depth = cd->content_len + cd->offset;
+ if (cd->depth != 0) {
+ if (cd->depth < cd->content_len) {
+ SCLogDebug("depth increased to %"PRIu32" to match pattern len",
+ cd->content_len);
+ cd->depth = cd->content_len;
 }
+ /* Updating the depth as is relative to the offset */
+ cd->depth += cd->offset;
 }
 break;
diff --git a/src/detect-uricontent.c b/src/detect-uricontent.c
index dbca25e2ca..b2c9747bd2 100644
--- a/src/detect-uricontent.c
+++ b/src/detect-uricontent.c
@@ -1090,7 +1090,7 @@ static int DetectUriSigTest04(void) {
 if (s == NULL ||
 s->umatch == NULL ||
 s->pmatch == NULL ||
- ((DetectContentData *)s->pmatch->ctx)->depth != 10 ||
+ ((DetectContentData *)s->pmatch->ctx)->depth != 15 ||
 ((DetectContentData *)s->pmatch->ctx)->offset != 5 ||
 s->match != NULL)
 {
@@ -1105,7 +1105,7 @@ static int DetectUriSigTest04(void) {
 if (s == NULL ||
 s->umatch == NULL ||
 s->pmatch == NULL ||
- ((DetectUricontentData *)s->umatch->ctx)->depth != 10 ||
+ ((DetectUricontentData *)s->umatch->ctx)->depth != 15 ||
 ((DetectUricontentData *)s->umatch->ctx)->offset != 5 ||
 s->match != NULL)
 {
@@ -1140,7 +1140,7 @@ static int DetectUriSigTest04(void) {
 goto end;
 } else if (s->umatch == NULL ||
 s->pmatch == NULL ||
- ((DetectContentData*) s->pmatch->ctx)->depth != 10 ||
+ ((DetectContentData*) s->pmatch->ctx)->depth != 15 ||
 ((DetectContentData*) s->pmatch->ctx)->offset != 5 ||
 ((DetectContentData*) s->pmatch_tail->ctx)->within != 30 ||
 s->match != NULL)
@@ -1159,7 +1159,7 @@ static int DetectUriSigTest04(void) {
 goto end;
 } else if (s->umatch == NULL ||
 s->pmatch == NULL ||
- ((DetectContentData*) s->pmatch->ctx)->depth != 10 ||
+ ((DetectContentData*) s->pmatch->ctx)->depth != 15 ||
 ((DetectContentData*) s->pmatch->ctx)->offset != 5 ||
 ((DetectUricontentData*) s->umatch_tail->ctx)->within != 30 ||
 s->match != NULL)
@@ -1179,7 +1179,7 @@ static int DetectUriSigTest04(void) {
 } else if (
 s->umatch == NULL ||
 s->pmatch == NULL ||
- ((DetectContentData*) s->pmatch->ctx)->depth != 10 ||
+ ((DetectContentData*) s->pmatch->ctx)->depth != 15 ||
 ((DetectContentData*) s->pmatch->ctx)->offset != 5 ||
 ((DetectContentData*) s->pmatch_tail->ctx)->distance != 30 ||
 s->match != NULL)
@@ -1199,7 +1199,7 @@ static int DetectUriSigTest04(void) {
 } else if (
 s->umatch == NULL ||
 s->pmatch == NULL ||
- ((DetectContentData*) s->pmatch->ctx)->depth != 10 ||
+ ((DetectContentData*) s->pmatch->ctx)->depth != 15 ||
 ((DetectContentData*) s->pmatch->ctx)->offset != 5 ||
 ((DetectContentData*) s->umatch_tail->ctx)->distance != 30 ||
 s->match != NULL)
@@ -1226,7 +1226,7 @@ static int DetectUriSigTest04(void) {
 goto end;
 }
- if ( ((DetectContentData*) s->pmatch->ctx)->depth != 10 ||
+ if ( ((DetectContentData*) s->pmatch->ctx)->depth != 15 ||
 ((DetectContentData*) s->pmatch->ctx)->offset != 5 ||
 ((DetectUricontentData*) s->umatch_tail->ctx)->distance != 30 ||
 ((DetectUricontentData*) s->umatch_tail->ctx)->within != 60 ||
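Review bot: In the hunk at 1199 the unchanged check `((DetectContentData*) s->umatch_tail->ctx)->distance != 30` reads a uricontent match through the content struct, while the hunks at 1159 and 1226 cast `s->umatch_tail->ctx` to `DetectUricontentData*`. If the two structs do not place `distance` at the same offset, the test compares the wrong field and can pass or fail for the wrong reason. Since the commit already touches this condition, the line should become `((DetectUricontentData*) s->umatch_tail->ctx)->distance != 30 ||`. The struct definitions are outside the diff, so the layout difference is an assumption to confirm.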