git.ipfire.org Git - thirdparty/suricata.git/commit

author	Victor Julien <victor@inliniac.net>
	Tue, 24 Mar 2015 14:36:39 +0000 (15:36 +0100)
committer	Victor Julien <victor@inliniac.net>
	Mon, 11 May 2015 10:55:26 +0000 (12:55 +0200)
commit	37f0bd57b68f888689e1fb664d6dd05054cc7d9f
tree	0c5596356a7c4060760170f16028e9c52c2a7ec8	tree
parent	bc6e4140befa80080777c41040eb47f9b6e05129	commit \| diff

detect-state: handle duplicate inspect/match

If for a packet we have a TX N that has detect state and a TX N+1 that
has no detect state, but does have 'progress', we have a corner case
in stateful detection.

ContinueDetection inspects TX N, but cannot flag the rule in the
de_state_sig_array as the next (TX N+1) has already started and needs
to be inspected. 'StartDetection' however, is then unaware of the fact
that ContinueDetection already inspected the rule. It uses the per
session 'inspect_id' that is only moved forward at the end of the
detection run.

This patch adds a workaround. It uses the DetectEngineThreadCtx::
de_state_sig_array to store an offset between the 'base' inspect_id
and the inspect_id that StartDetection should use. The data type is
limited, so if the offset would be too big, a search based fall back
is implemented as well.

src/detect-engine-state.c		diff \| blob \| blame \| history
src/detect-engine-state.h		diff \| blob \| blame \| history
src/detect.c		diff \| blob \| blame \| history