detect/pcre: avoid infinite loop after negated pcre

Ticket: 7526

The usage of negated pcre, followed by other relative payload
content keywords could lead to an infinite loop.

This is because regular (not negated) pcre can test multiple
occurences, but negated pcre should be tried only once.

diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c
index dbc18c298035f6e3315dd8d899fdb11862171cf8..6ccc5e533efbd9b4969eb3550e1215c8e827072d 100644 (file)
--- a/src/detect-engine-content-inspection.c
+++ b/src/detect-engine-content-inspection.c
@@ -457,7 +457,6 @@ static int DetectEngineContentInspectionInternal(DetectEngineThreadCtx *det_ctx,
             if (r == 0) {
                 goto no_match;
             }
-
             if (!(pe->flags & DETECT_PCRE_RELATIVE_NEXT)) {
                 SCLogDebug("no relative match coming up, so this is a match");
                 goto match;
@@ -478,6 +477,11 @@ static int DetectEngineContentInspectionInternal(DetectEngineThreadCtx *det_ctx,
                 SCReturnInt(-1);
             }
 
+            if (prev_offset == 0) {
+                // This happens for negated PCRE
+                // We do not search for another occurrence of this pcre
+                SCReturnInt(0);
+            }
             det_ctx->buffer_offset = prev_buffer_offset;
             det_ctx->pcre_match_start_offset = prev_offset;
         } while (1);