detect: fix content inspection flags

Fix generic inspect function content inspection flags so that streaming buffers work correctly.
6 years ago · ad1945aae4
parent 394e115036
commit ad1945aae4
1 changed files with 11 additions and 10 deletions
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@ -1250,6 +1250,8 @@ int DetectEngineInspectBufferGeneric(
    const int list_id = engine->sm_list;
    SCLogDebug("running inspect on %d", list_id);

+    const bool eof = (AppLayerParserGetStateProgress(f->proto, f->alproto, txv, flags) > engine->progress);
+
    SCLogDebug("list %d mpm? %s transforms %p",
            engine->sm_list, engine->mpm ? "true" : "false", engine->v2.transforms);

@ -1261,17 +1263,18 @@ int DetectEngineInspectBufferGeneric(

    const InspectionBuffer *buffer = engine->v2.GetData(det_ctx, transforms,
            f, flags, txv, list_id);
-    if (buffer == NULL) {
-        if (AppLayerParserGetStateProgress(f->proto, f->alproto, txv, flags) > engine->progress)
-            return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
-        else
-            return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
+    if (unlikely(buffer == NULL)) {
+        return eof ? DETECT_ENGINE_INSPECT_SIG_CANT_MATCH :
+                     DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
    }

    const uint32_t data_len = buffer->inspect_len;
    const uint8_t *data = buffer->inspect;
    const uint64_t offset = buffer->inspect_offset;

+    uint8_t ci_flags = eof ? DETECT_CI_FLAGS_END : 0;
+    ci_flags |= (offset == 0 ? DETECT_CI_FLAGS_START : 0);
+
    det_ctx->discontinue_matching = 0;
    det_ctx->buffer_offset = 0;
    det_ctx->inspection_recursion_counter = 0;
@ -1281,15 +1284,13 @@ int DetectEngineInspectBufferGeneric(
    int r = DetectEngineContentInspection(de_ctx, det_ctx,
                                          s, engine->smd,
                                          f,
-                                          (uint8_t *)data, data_len, offset, DETECT_CI_FLAGS_SINGLE,
+                                          (uint8_t *)data, data_len, offset, ci_flags,
                                          DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
    if (r == 1) {
        return DETECT_ENGINE_INSPECT_SIG_MATCH;
    } else {
-        if (AppLayerParserGetStateProgress(f->proto, f->alproto, txv, flags) > engine->progress)
-            return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
-        else
-            return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
+        return eof ? DETECT_ENGINE_INSPECT_SIG_CANT_MATCH :
+                     DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
    }
 }