detect: fix content inspection flags 3584/head
authorVictor Julien <victor@inliniac.net>
Thu, 13 Dec 2018 10:23:03 +0000 (11:23 +0100)
committerVictor Julien <victor@inliniac.net>
Fri, 14 Dec 2018 14:20:30 +0000 (15:20 +0100)
Fix generic inspect function content inspection flags so that
streaming buffers work correctly.

src/detect-engine.c

index fd087007989cc47accacc44fc7524d2d9de5fc12..5731b01c263a225ee7881709a0126a1439c06f70 100644 (file)
@@ -1250,6 +1250,8 @@ int DetectEngineInspectBufferGeneric(
     const int list_id = engine->sm_list;
     SCLogDebug("running inspect on %d", list_id);
 
+    const bool eof = (AppLayerParserGetStateProgress(f->proto, f->alproto, txv, flags) > engine->progress);
+
     SCLogDebug("list %d mpm? %s transforms %p",
             engine->sm_list, engine->mpm ? "true" : "false", engine->v2.transforms);
 
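Review bot: The name `eof` suggests an end-of-data marker, but the value is computed as "transaction progress is greater than `engine->progress`", and in the next hunk that value decides whether DETECT_CI_FLAGS_END is set. A one-line comment above the declaration would make the assumption reviewable, for example `/* tx has progressed past this engine's state: treat the buffer as final */`. The progress is also now sampled before the `GetData()` call, whereas the removed lines sampled it afterwards. Presumably `GetData()` does not advance the state, but that is worth confirming. The function body starts before this hunk and continues after it.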
@@ -1261,17 +1263,18 @@ int DetectEngineInspectBufferGeneric(
 
     const InspectionBuffer *buffer = engine->v2.GetData(det_ctx, transforms,
             f, flags, txv, list_id);
-    if (buffer == NULL) {
-        if (AppLayerParserGetStateProgress(f->proto, f->alproto, txv, flags) > engine->progress)
-            return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
-        else
-            return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
+    if (unlikely(buffer == NULL)) {
+        return eof ? DETECT_ENGINE_INSPECT_SIG_CANT_MATCH :
+                     DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
     }
 
     const uint32_t data_len = buffer->inspect_len;
     const uint8_t *data = buffer->inspect;
     const uint64_t offset = buffer->inspect_offset;
 
+    uint8_t ci_flags = eof ? DETECT_CI_FLAGS_END : 0;
+    ci_flags |= (offset == 0 ? DETECT_CI_FLAGS_START : 0);
+
     det_ctx->discontinue_matching = 0;
     det_ctx->buffer_offset = 0;
     det_ctx->inspection_recursion_counter = 0;
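Review bot: With `uint8_t ci_flags = eof ? DETECT_CI_FLAGS_END : 0;`, a buffer that is already complete is inspected without the END flag for as long as the transaction's progress equals `engine->progress`. The call removed in the last hunk passed DETECT_CI_FLAGS_SINGLE on every invocation. The consumers of END are not visible in this diff, but if any keyword depends on it, a rule on a non-streaming buffer may not match until the state advances, and would be a missed detection if the signature is not re-inspected at that point. Consider letting the buffer indicate that it holds the full data and OR-ing that into `ci_flags`. At minimum, record the expectation in a comment such as `/* END is only set once tx progress has passed this engine; complete buffers rely on re-inspection */`. The function body starts and ends outside this hunk.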
@@ -1281,15 +1284,13 @@ int DetectEngineInspectBufferGeneric(
     int r = DetectEngineContentInspection(de_ctx, det_ctx,
                                           s, engine->smd,
                                           f,
-                                          (uint8_t *)data, data_len, offset, DETECT_CI_FLAGS_SINGLE,
+                                          (uint8_t *)data, data_len, offset, ci_flags,
                                           DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
     if (r == 1) {
         return DETECT_ENGINE_INSPECT_SIG_MATCH;
     } else {
-        if (AppLayerParserGetStateProgress(f->proto, f->alproto, txv, flags) > engine->progress)
-            return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
-        else
-            return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
+        return eof ? DETECT_ENGINE_INSPECT_SIG_CANT_MATCH :
+                     DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
     }
 }
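Review bot: The `(uint8_t *)data` cast on the changed argument line discards the `const` that `data` was declared with in the previous hunk, so the compiler no longer checks that content inspection leaves the inspection buffer unmodified. The prototype of DetectEngineContentInspection is not shown here. If it does not write through that pointer, changing its parameter to `const uint8_t *` would let the cast be dropped. As a smaller style point, the `else` after `return DETECT_ENGINE_INSPECT_SIG_MATCH;` is redundant, and the CANT_MATCH/NO_MATCH ternary now appears twice in the function.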