file handling: filemagic matching improvement

Magic buffer is a null terminated string. Allow matching on the final \0 using filemagic:"somevalue|00|"; so we can anchor to the end of the buffer.
14 years ago · f3fbc1a44c
parent 2ccd35c6e4
commit f3fbc1a44c
1 changed files with 3 additions and 1 deletions
--- a/src/detect-filemagic.c
+++ b/src/detect-filemagic.c
@ -156,8 +156,10 @@ int DetectFilemagicMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f
    if (file->magic != NULL) {
        SCLogDebug("magic %s", file->magic);

+        /* we include the \0 in the inspection, so patterns can match on the
+         * end of the string. */
        if (BoyerMooreNocase(filemagic->name, filemagic->len, (uint8_t *)file->magic,
-                    strlen(file->magic), filemagic->bm_ctx->bmGs,
+                    strlen(file->magic) + 1, filemagic->bm_ctx->bmGs,
                    filemagic->bm_ctx->bmBc) != NULL)
        {
 #ifdef DEBUG