From: Jeff Lucovsky Date: Sat, 7 Jun 2025 13:25:52 +0000 (-0400) Subject: detect: Ensure byte* variable usages is for same buffers X-Git-Tag: suricata-8.0.0-rc1~124 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cd4e728b773634ef9459ee6ef65ef227d8c2c6ac;p=thirdparty%2Fsuricata.git detect: Ensure byte* variable usages is for same buffers Issue: 7549 Use the active buffer list to fetch SM variables to ensure that they are part of the same list so a variable created with bytemath or byteextract will have context when used with bytejump, e.g Not needed for content modifiers. --- diff --git a/src/detect-byte-extract.c b/src/detect-byte-extract.c index 82f79f2556..701feff4cb 100644 --- a/src/detect-byte-extract.c +++ b/src/detect-byte-extract.c @@ -372,7 +372,7 @@ static void DetectByteExtractFree(DetectEngineCtx *de_ctx, void *ptr) * * \retval A pointer to the SigMatch if found, otherwise NULL. */ -SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s) +SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, int sm_list, const Signature *s) { for (uint32_t x = 0; x < s->init_data->buffer_index; x++) { SigMatch *sm = s->init_data->buffers[x].head; @@ -390,7 +390,8 @@ SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s) for (int list = 0; list < DETECT_SM_LIST_MAX; list++) { SigMatch *sm = s->init_data->smlists[list]; while (sm != NULL) { - if (sm->type == DETECT_BYTE_EXTRACT) { + // Make sure that the linked buffers ore on the same list + if (sm->type == DETECT_BYTE_EXTRACT && (sm_list == -1 || sm_list == list)) { const SCDetectByteExtractData *bed = (const SCDetectByteExtractData *)sm->ctx; if (strcmp(bed->name, arg) == 0) { return sm; diff --git a/src/detect-byte-extract.h b/src/detect-byte-extract.h index 7899d5eb9c..2214e81bbb 100644 --- a/src/detect-byte-extract.h +++ b/src/detect-byte-extract.h 
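Review bot: The new `sm_list == -1 || sm_list == list` guard in the second hunk of DetectByteExtractRetrieveSMVar only covers the walk over `s->init_data->smlists[list]`. The earlier loop over `s->init_data->buffers[x]` sits between the two hunks and is untouched, so it cannot use the new parameter and presumably still returns the first name match from any buffer. If a variable can be defined in one of those buffers, a byte_jump, byte_test or byte_math on a different buffer would still bind to it and the rule would be evaluated against a value taken from unrelated data, which is what the commit message sets out to prevent. DetectByteMathRetrieveSMVar in src/detect-bytemath.c has the same shape, so either apply the equivalent check in the buffers loop of both functions or say in a comment why that loop is exempt. The added comment also has a typo and should read `// Make sure that the linked buffers are on the same list`.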
@@ -26,7 +26,7 @@ void DetectByteExtractRegister(void); -SigMatch *DetectByteExtractRetrieveSMVar(const char *, const Signature *); +SigMatch *DetectByteExtractRetrieveSMVar(const char *, int sm_list, const Signature *); int DetectByteExtractDoMatch(DetectEngineThreadCtx *, const SigMatchData *, const Signature *, const uint8_t *, uint32_t, uint64_t *, uint8_t); diff --git a/src/detect-byte.c b/src/detect-byte.c index 506909adc3..3f8735b119 100644 --- a/src/detect-byte.c +++ b/src/detect-byte.c @@ -32,20 +32,22 @@ * * \param arg The name of the variable being sought * \param s The signature to check for the variable + * \param sm_list The caller's matching buffer * \param index When found, the value of the slot within the byte vars * * \retval true A match for the variable was found. * \retval false */ -bool DetectByteRetrieveSMVar(const char *arg, const Signature *s, DetectByteIndexType *index) +bool DetectByteRetrieveSMVar( + const char *arg, const Signature *s, int sm_list, DetectByteIndexType *index) { - SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(arg, s); + SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(arg, sm_list, s); if (bed_sm != NULL) { *index = ((SCDetectByteExtractData *)bed_sm->ctx)->local_id; return true; } - SigMatch *bmd_sm = DetectByteMathRetrieveSMVar(arg, s); + SigMatch *bmd_sm = DetectByteMathRetrieveSMVar(arg, sm_list, s); if (bmd_sm != NULL) { *index = ((DetectByteMathData *)bmd_sm->ctx)->local_id; return true; diff --git a/src/detect-byte.h b/src/detect-byte.h index b6b1de03a0..fd25188512 100644 --- a/src/detect-byte.h +++ b/src/detect-byte.h @@ -27,6 +27,6 @@ typedef uint8_t DetectByteIndexType; -bool DetectByteRetrieveSMVar(const char *, const Signature *, DetectByteIndexType *); +bool DetectByteRetrieveSMVar(const char *, const Signature *, int sm_list, DetectByteIndexType *); #endif /* SURICATA_DETECT_BYTE_H */ diff --git a/src/detect-bytejump.c b/src/detect-bytejump.c index 0efdc44999..6b0363f098 100644 
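Review bot: The added `\param sm_list The caller's matching buffer` line in the DetectByteRetrieveSMVar doc comment does not say that `-1` disables the check, although six call sites in this commit pass exactly that value. I would write it as `\param sm_list List id the caller is matching on, or -1 to accept a variable from any list`. The doc comments of DetectByteExtractRetrieveSMVar and DetectByteMathRetrieveSMVar gain no `\param sm_list` line in their hunks. Those two functions also take the arguments as `(arg, sm_list, s)` while this wrapper takes `(arg, s, sm_list, index)`; one order across the three would make the call chain easier to follow.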
--- a/src/detect-bytejump.c +++ b/src/detect-bytejump.c @@ -544,7 +544,7 @@ static int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, const char if (nbytes != NULL) { DetectByteIndexType index; - if (!DetectByteRetrieveSMVar(nbytes, s, &index)) { + if (!DetectByteRetrieveSMVar(nbytes, s, sm_list, &index)) { SCLogError("Unknown byte_extract var " "seen in byte_jump - %s", nbytes); @@ -557,7 +557,7 @@ static int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, const char if (offset != NULL) { DetectByteIndexType index; - if (!DetectByteRetrieveSMVar(offset, s, &index)) { + if (!DetectByteRetrieveSMVar(offset, s, sm_list, &index)) { SCLogError("Unknown byte_extract var " "seen in byte_jump - %s", offset); diff --git a/src/detect-bytemath.c b/src/detect-bytemath.c index 140cbb8510..053e07f28b 100644 --- a/src/detect-bytemath.c +++ b/src/detect-bytemath.c @@ -359,7 +359,7 @@ static int DetectByteMathSetup(DetectEngineCtx *de_ctx, Signature *s, const char if (nbytes != NULL) { DetectByteIndexType index; - if (!DetectByteRetrieveSMVar(nbytes, s, &index)) { + if (!DetectByteRetrieveSMVar(nbytes, s, sm_list, &index)) { SCLogError("unknown byte_ keyword var seen in byte_math - %s", nbytes); goto error; } @@ -371,7 +371,7 @@ static int DetectByteMathSetup(DetectEngineCtx *de_ctx, Signature *s, const char if (rvalue != NULL) { DetectByteIndexType index; - if (!DetectByteRetrieveSMVar(rvalue, s, &index)) { + if (!DetectByteRetrieveSMVar(rvalue, s, sm_list, &index)) { SCLogError("unknown byte_ keyword var seen in byte_math - %s", rvalue); goto error; } 
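Review bot: The SCLogError text in both DetectBytejumpSetup hunks still reads `Unknown byte_extract var seen in byte_jump`, but with `sm_list` passed the lookup can now also fail when the variable exists on a different list, and detect-byte.c shows the variable may be a byte_math result rather than a byte_extract one. A rule that loaded before this change can presumably now be rejected at load time, so the message should tell the rule writer why, for example `"unknown byte_ keyword var, or var defined for a different buffer, seen in byte_jump - %s"`. The same applies to the two DetectByteMathSetup hunks and the three DetectBytetestSetup hunks. `sm_list` is assigned outside these hunks, so it is worth confirming that it is set on every path that reaches the calls.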
@@ -441,7 +441,7 @@ static void DetectByteMathFree(DetectEngineCtx *de_ctx, void *ptr) * * \retval A pointer to the SigMatch if found, otherwise NULL. */ -SigMatch *DetectByteMathRetrieveSMVar(const char *arg, const Signature *s) +SigMatch *DetectByteMathRetrieveSMVar(const char *arg, int sm_list, const Signature *s) { for (uint32_t x = 0; x < s->init_data->buffer_index; x++) { SigMatch *sm = s->init_data->buffers[x].head; @@ -460,7 +460,8 @@ SigMatch *DetectByteMathRetrieveSMVar(const char *arg, const Signature *s) for (int list = 0; list < DETECT_SM_LIST_MAX; list++) { SigMatch *sm = s->init_data->smlists[list]; while (sm != NULL) { - if (sm->type == DETECT_BYTEMATH) { + // Make sure that the linked buffers ore on the same list + if (sm->type == DETECT_BYTEMATH && (sm_list == -1 || sm_list == list)) { const DetectByteMathData *bmd = (const DetectByteMathData *)sm->ctx; if (strcmp(bmd->result, arg) == 0) { SCLogDebug("Retrieved SM for \"%s\"", arg); diff --git a/src/detect-bytemath.h b/src/detect-bytemath.h index 347c0e4672..85ac9077ee 100644 --- a/src/detect-bytemath.h +++ b/src/detect-bytemath.h @@ -26,7 +26,7 @@ void DetectBytemathRegister(void); -SigMatch *DetectByteMathRetrieveSMVar(const char *, const Signature *); +SigMatch *DetectByteMathRetrieveSMVar(const char *, int sm_list, const Signature *); int DetectByteMathDoMatch(DetectEngineThreadCtx *, const DetectByteMathData *, const Signature *, const uint8_t *, const uint32_t, uint8_t, uint64_t, uint64_t *, uint8_t); diff --git a/src/detect-bytetest.c b/src/detect-bytetest.c index faf4804373..7714e7b0ff 100644 --- a/src/detect-bytetest.c +++ b/src/detect-bytetest.c @@ -646,7 +646,7 @@ static int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, const char if (value != NULL) { DetectByteIndexType index; - if (!DetectByteRetrieveSMVar(value, s, &index)) { + if (!DetectByteRetrieveSMVar(value, s, sm_list, &index)) { SCLogError("Unknown byte_extract var " "seen in byte_test - %s", value); 
@@ -660,7 +660,7 @@ static int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, const char if (offset != NULL) { DetectByteIndexType index; - if (!DetectByteRetrieveSMVar(offset, s, &index)) { + if (!DetectByteRetrieveSMVar(offset, s, sm_list, &index)) { SCLogError("Unknown byte_extract var " "seen in byte_test - %s", offset); @@ -674,7 +674,7 @@ static int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, const char if (nbytes != NULL) { DetectByteIndexType index; - if (!DetectByteRetrieveSMVar(nbytes, s, &index)) { + if (!DetectByteRetrieveSMVar(nbytes, s, sm_list, &index)) { SCLogError("Unknown byte_extract var " "seen in byte_test - %s", nbytes); diff --git a/src/detect-depth.c b/src/detect-depth.c index 1c4f94a396..7c0bf5bfe5 100644 --- a/src/detect-depth.c +++ b/src/detect-depth.c @@ -106,7 +106,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, const char * } if (str[0] != '-' && isalpha((unsigned char)str[0])) { DetectByteIndexType index; - if (!DetectByteRetrieveSMVar(str, s, &index)) { + if (!DetectByteRetrieveSMVar(str, s, -1, &index)) { SCLogError("unknown byte_ keyword var " "seen in depth - %s.", str); diff --git a/src/detect-distance.c b/src/detect-distance.c index 1ed66b1245..43b48ba799 100644 --- a/src/detect-distance.c +++ b/src/detect-distance.c @@ -108,7 +108,7 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, } if (str[0] != '-' && isalpha((unsigned char)str[0])) { DetectByteIndexType index; - if (!DetectByteRetrieveSMVar(str, s, &index)) { + if (!DetectByteRetrieveSMVar(str, s, -1, &index)) { SCLogError("unknown byte_ keyword var " "seen in distance - %s", str); diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c index cfc57940c1..3e9841314e 100644 --- a/src/detect-engine-content-inspection.c +++ b/src/detect-engine-content-inspection.c 
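Review bot: The bare `-1` passed to DetectByteRetrieveSMVar in DetectDepthSetup means "skip the same-list check", and nothing at the call site says so. The same literal is repeated in the detect-distance.c, detect-isdataat.c, detect-offset.c, detect-within.c and util-lua-bytevarlib.c hunks. A one-line comment above the call, such as `/* -1: content modifier, accept a byte_ var from any list */`, or a named constant declared next to `DetectByteIndexType` in detect-byte.h, would keep a later reader from taking it for an error value. The body of DetectDepthSetup continues outside the hunk.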
@@ -532,12 +532,15 @@ static int DetectEngineContentInspectionInternal(DetectEngineThreadCtx *det_ctx, if (bjflags & DETECT_BYTEJUMP_OFFSET_VAR) { offset = det_ctx->byte_values[offset]; + SCLogDebug("[BJ] using offset value %d", offset); } if (bjflags & DETECT_BYTEJUMP_NBYTES_VAR) { nbytes = det_ctx->byte_values[bjd->nbytes]; + SCLogDebug("[BJ] using nbytes value %d [index %d]", nbytes, bjd->nbytes); } else { nbytes = bjd->nbytes; + SCLogDebug("[BJ] using nbytes value %d [index n/a]", nbytes); } /* if we have dce enabled we will have to use the endianness diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c index 03516ec6f7..a958a829e8 100644 --- a/src/detect-isdataat.c +++ b/src/detect-isdataat.c @@ -347,7 +347,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, const char *isda if (offset != NULL) { DetectByteIndexType index; - if (!DetectByteRetrieveSMVar(offset, s, &index)) { + if (!DetectByteRetrieveSMVar(offset, s, -1, &index)) { SCLogError("Unknown byte_extract var " "seen in isdataat - %s\n", offset); diff --git a/src/detect-offset.c b/src/detect-offset.c index dd56e9a482..91d02b2882 100644 --- a/src/detect-offset.c +++ b/src/detect-offset.c @@ -92,7 +92,7 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, const char *offset } if (str[0] != '-' && isalpha((unsigned char)str[0])) { DetectByteIndexType index; - if (!DetectByteRetrieveSMVar(str, s, &index)) { + if (!DetectByteRetrieveSMVar(str, s, -1, &index)) { SCLogError("unknown byte_ keyword var " "seen in offset - %s.", str); diff --git a/src/detect-within.c b/src/detect-within.c index 91662e070f..f18a9347db 100644 --- a/src/detect-within.c +++ b/src/detect-within.c 
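Review bot: The three added SCLogDebug calls format `offset`, `nbytes` and `bjd->nbytes` with `%d`, but none of those declarations are inside the hunk. If any of them is unsigned or wider than `int`, the specifier is wrong and debug builds may print misleading values or warn under `-Wformat`. Please confirm the types or cast explicitly, e.g. `SCLogDebug("[BJ] using offset value %d", (int)offset);`. The enclosing function DetectEngineContentInspectionInternal starts and ends outside the hunk.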
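Review bot: DetectIsdataatSetup passes `-1`, which turns the same-list check off, yet the commit message justifies that only for content modifiers, and isdataat is a keyword of its own rather than a modifier of a preceding content match. If this function already knows which list the keyword is being added to (not visible in the hunk), passing that value in place of `-1` would give isdataat the same protection byte_jump and byte_test receive in this commit. If the exemption is deliberate, a short comment at the call such as `/* isdataat may reference a var from any list */` would record the decision.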
@@ -104,7 +104,7 @@ static int DetectWithinSetup(DetectEngineCtx *de_ctx, Signature *s, const char * } if (str[0] != '-' && isalpha((unsigned char)str[0])) { DetectByteIndexType index; - if (!DetectByteRetrieveSMVar(str, s, &index)) { + if (!DetectByteRetrieveSMVar(str, s, -1, &index)) { SCLogError("unknown byte_ keyword var " "seen in within - %s", str); diff --git a/src/util-lua-bytevarlib.c b/src/util-lua-bytevarlib.c index e310f43f6d..bea9a4ce94 100644 --- a/src/util-lua-bytevarlib.c +++ b/src/util-lua-bytevarlib.c @@ -55,7 +55,7 @@ static int LuaBytevarMap(lua_State *L) } DetectByteIndexType idx; - if (!DetectByteRetrieveSMVar(name, s, &idx)) { + if (!DetectByteRetrieveSMVar(name, s, -1, &idx)) { luaL_error(L, "unknown byte_extract or byte_math variable: %s", name); }