Pull request #3673: IPS options: mismatched option keeps cursor intact

Merge in SNORT/snort3 from ~YVELYKOZ/snort3:sse_negation_handling to master

Squashed commit of the following:

commit 5c65144c0dc2126e58aecd2148ac2c09d3645bbd
Author: Yehor Velykozhon <yvelykoz@cisco.com>
Date:   Thu Nov 17 18:52:18 2022 +0200

    ips_option: keep cursor intact for a negated hash mismatched

commit 02eb93f9bfea0bf4d657de2aa3b94a714f4cdc52
Author: Yehor Velykozhon <yvelykoz@cisco.com>
Date:   Thu Nov 17 17:12:37 2022 +0200

    ips_option: keep cursor intact for a negated content mismatched

diff --git a/src/ips_options/ips_content.cc b/src/ips_options/ips_content.cc
index acd2e19e46b21d737c04ab4115e9323c96202150..eb02d597b50b26da7a0bedd4eebde226a35367b0 100644 (file)
--- a/src/ips_options/ips_content.cc
+++ b/src/ips_options/ips_content.cc
@@ -353,8 +353,11 @@ static int uniSearchReal(ContentData* cd, Cursor& c)
 
     if ( found >= 0 )
     {
-        c.set_delta(c.get_delta() + found + cd->match_delta);
-        c.set_pos(pos + found + cd->pmd.pattern_size);
+        if ( !cd->pmd.is_negated() )
+        {
+            c.set_delta(c.get_delta() + found + cd->match_delta);
+            c.set_pos(pos + found + cd->pmd.pattern_size);
+        }
         return 1;
     }
 

diff --git a/src/ips_options/ips_hash.cc b/src/ips_options/ips_hash.cc
index 5870e85ecef03507644532f777ef2f2c6110c1b0..79cae4694c1677c53ee08595efe42f79aa44bc98 100644 (file)
--- a/src/ips_options/ips_hash.cc
+++ b/src/ips_options/ips_hash.cc
@@ -183,7 +183,9 @@ int HashOption::match(Cursor& c)
 
     if ( !found )
     {
-        c.set_pos(pos + config->length);
+        if ( !config->negated )
+            c.set_pos(pos + config->length);
+
         return 1;
     }