detect/base64_data: reset buffer offset

When in a `base64_decode`-`base64_data` pair the decode was depending
on another match through the relative option, the `buffer_offset` would
be updated to the relative position of the previous match. During the
`base64_data` phase, a relative match would use that offset even though
the match happened in a new buffer.

Example::

        http.request_body; content:"|27|";                              \
                base64_decode:relative;                                 \
                base64_data; content:"|ff ff ff ff|"; within:16;

This use of the `buffer_offset` is incorrect as that value is relative
to a buffer and the `base64_data` points to a new buffer.

This patch addresses this by resetting DetectEngineThreadCtx::buffer_offset
before inspecting `base64_data`.

Bug: #7842.
(cherry picked from commit 5f92a6cac3)
pull/14647/head
Victor Julien 3 months ago
parent d782b432af
commit c86cefced4

@ -694,6 +694,8 @@ static int DetectEngineContentInspectionInternal(DetectEngineThreadCtx *det_ctx,
if (DetectBase64DecodeDoMatch(det_ctx, s, smd, buffer, buffer_len)) {
if (s->sm_arrays[DETECT_SM_LIST_BASE64_DATA] != NULL) {
if (det_ctx->base64_decoded_len) {
/* reset buffer offset, as we treat this like a new buffer */
det_ctx->buffer_offset = 0;
KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
int r = DetectEngineContentInspectionInternal(det_ctx, ctx, s,
s->sm_arrays[DETECT_SM_LIST_BASE64_DATA], NULL, f,
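
Review bot: the previous offset is overwritten at `det_ctx->buffer_offset = 0;` and the visible lines do not save or restore it around the recursive `DetectEngineContentInspectionInternal` call. When that call returns, `buffer_offset` holds a position in the decoded buffer, so please confirm that no keyword evaluated afterwards against the original buffer reads it. If one can, keep the old value in a local and restore it after the call. The diff shown here also carries no regression test; a rule test built from the `http.request_body` example in the commit message, with the `|27|` match at a non-zero offset, would pin the fixed behaviour.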
