detect: track base id for xform buffers
authorVictor Julien <victor@inliniac.net>
Thu, 25 Feb 2021 19:06:40 +0000 (20:06 +0100)
committerVictor Julien <victor@inliniac.net>
Thu, 24 Jun 2021 11:34:47 +0000 (13:34 +0200)
Buffers with transforms are based on the non-transformed "base"
buffer, with a new ID assigned and the transform callbacks added.

This patch stores the id of the original buffer in the new buffer
inspect and prefilter structures. This way the buffers with and
without transforms can share some of the logic around progression
of file and body inspection trackers.

Related tickets: #4361 #4199 #3616

(cherry picked from commit 975062cf401f79c00abf728d923c65aabd143af2)

src/detect-engine-mpm.c
src/detect-engine.c
src/detect.h

index e5124d6bae65aa3a853d535dfceed61c556c1d84..9ef554c7345a64d51498af775ef3d5852c1dbe3e 100644 (file)
@@ -116,6 +116,7 @@ void DetectAppLayerMpmRegister2(const char *name,
     snprintf(am->pname, sizeof(am->pname), "%s", am->name);
     am->direction = direction;
     am->sm_list = sm_list;
+    am->sm_list_base = sm_list;
     am->priority = priority;
     am->type = DETECT_BUFFER_MPM_TYPE_APP;
 
@@ -155,6 +156,7 @@ void DetectAppLayerMpmRegisterByParentId(DetectEngineCtx *de_ctx,
             am->name = t->name;
             am->direction = t->direction;
             am->sm_list = id; // use new id
+            am->sm_list_base = t->sm_list;
             am->type = DETECT_BUFFER_MPM_TYPE_APP;
             am->PrefilterRegisterWithListId = t->PrefilterRegisterWithListId;
             am->app_v2.GetData = t->app_v2.GetData;
@@ -349,6 +351,7 @@ void DetectPktMpmRegisterByParentId(DetectEngineCtx *de_ctx,
             am->name = t->name;
             snprintf(am->pname, sizeof(am->pname), "%s#%d", am->name, id);
             am->sm_list = id; // use new id
+            am->sm_list_base = t->sm_list;
             am->type = DETECT_BUFFER_MPM_TYPE_PKT;
             am->PrefilterRegisterWithListId = t->PrefilterRegisterWithListId;
             am->pkt_v1.GetData = t->pkt_v1.GetData;
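Review bot: On the packet MPM side, `am->sm_list_base = t->sm_list;` is set only in this ByParentId copy, whereas the app-layer side also sets `am->sm_list_base = sm_list;` in its base registration (DetectAppLayerMpmRegister2). No hunk on this page touches a plain packet MPM registration function (DetectPktMpmRegister, if this branch has it) or any other registration path, so entries created there would presumably keep a zero-initialised `sm_list_base`, and 0 is itself a valid list id. If such a path exists, add `am->sm_list_base = sm_list;` next to its `am->sm_list` assignment so that base entries always satisfy `sm_list_base == sm_list`. The enclosing function starts and ends outside the hunk.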
index 721943c4d067ef0815fde3da7b0569f29e42e69c..e91c9924713491d5cd31c10d6104aaa54d18b173 100644 (file)
@@ -154,6 +154,7 @@ void DetectPktInspectEngineRegister(const char *name,
             "failed to register inspect engine %s: %s", name, strerror(errno));
     }
     new_engine->sm_list = sm_list;
+    new_engine->sm_list_base = sm_list;
     new_engine->v1.Callback = Callback;
     new_engine->v1.GetData = GetPktData;
 
@@ -274,6 +275,7 @@ void DetectAppLayerInspectEngineRegister2(const char *name,
     new_engine->alproto = alproto;
     new_engine->dir = direction;
     new_engine->sm_list = sm_list;
+    new_engine->sm_list_base = sm_list;
     new_engine->progress = progress;
     new_engine->v2.Callback = Callback2;
     new_engine->v2.GetData = GetData;
@@ -306,6 +308,7 @@ static void DetectAppLayerInspectEngineCopy(
             new_engine->alproto = t->alproto;
             new_engine->dir = t->dir;
             new_engine->sm_list = new_list;         /* use new list id */
+            new_engine->sm_list_base = sm_list;
             new_engine->progress = t->progress;
             new_engine->Callback = t->Callback;
             new_engine->v2 = t->v2;
@@ -338,6 +341,7 @@ static void DetectAppLayerInspectEngineCopyListToDetectCtx(DetectEngineCtx *de_c
         new_engine->alproto = t->alproto;
         new_engine->dir = t->dir;
         new_engine->sm_list = t->sm_list;
+        new_engine->sm_list_base = t->sm_list;
         new_engine->progress = t->progress;
         new_engine->Callback = t->Callback;
         new_engine->v2 = t->v2;
@@ -371,6 +375,7 @@ static void DetectPktInspectEngineCopy(
                 exit(EXIT_FAILURE);
             }
             new_engine->sm_list = new_list;         /* use new list id */
+            new_engine->sm_list_base = sm_list;
             new_engine->v1 = t->v1;
             new_engine->v1.transforms = transforms; /* assign transforms */
 
@@ -400,6 +405,7 @@ static void DetectPktInspectEngineCopyListToDetectCtx(DetectEngineCtx *de_ctx)
             exit(EXIT_FAILURE);
         }
         new_engine->sm_list = t->sm_list;
+        new_engine->sm_list_base = t->sm_list;
         new_engine->v1 = t->v1;
 
         if (de_ctx->pkt_inspect_engines == NULL) {
@@ -439,6 +445,7 @@ static void AppendStreamInspectEngine(Signature *s, SigMatchData *stream, int di
     new_engine->dir = direction;
     new_engine->stream = true;
     new_engine->sm_list = DETECT_SM_LIST_PMATCH;
+    new_engine->sm_list_base = DETECT_SM_LIST_PMATCH;
     new_engine->smd = stream;
     new_engine->Callback = DetectEngineInspectStream;
     new_engine->progress = 0;
@@ -508,6 +515,7 @@ int DetectEngineAppInspectionEngine2Signature(DetectEngineCtx *de_ctx, Signature
             }
 
             new_engine->sm_list = e->sm_list;
+            new_engine->sm_list_base = e->sm_list_base;
             new_engine->smd = ptrs[new_engine->sm_list];
             new_engine->v1 = e->v1;
             SCLogDebug("sm_list %d new_engine->v1 %p/%p/%p",
@@ -571,6 +579,7 @@ int DetectEngineAppInspectionEngine2Signature(DetectEngineCtx *de_ctx, Signature
         new_engine->alproto = t->alproto;
         new_engine->dir = t->dir;
         new_engine->sm_list = t->sm_list;
+        new_engine->sm_list_base = t->sm_list_base;
         new_engine->smd = ptrs[new_engine->sm_list];
         new_engine->Callback = t->Callback;
         new_engine->progress = t->progress;
@@ -1500,12 +1509,14 @@ bool DetectEnginePktInspectionRun(ThreadVars *tv,
  */
 static int DetectEnginePktInspectionAppend(Signature *s,
         InspectionBufferPktInspectFunc Callback,
-        SigMatchData *data)
+        SigMatchData *data, const int list_id)
 {
     DetectEnginePktInspectionEngine *e = SCCalloc(1, sizeof(*e));
     if (e == NULL)
         return -1;
 
+    e->sm_list = list_id;
+    e->sm_list_base = list_id;
     e->v1.Callback = Callback;
     e->smd = data;
 
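Review bot: `e->sm_list = list_id;` and `e->sm_list_base = list_id;` store a `const int` into `uint16_t` fields without a range check, so a negative or oversized id would be truncated silently. The two callers visible in the next hunk pass DETECT_SM_LIST_* constants, so this is about making the contract explicit rather than a live bug; a debug-only guard such as `DEBUG_VALIDATE_BUG_ON(list_id < 0 || list_id > UINT16_MAX);` before the assignments would do. The doc comment that closes just above the signature starts outside the hunk; it should gain a `\param list_id` line stating that the id is recorded as both the list id and the base id. The function body continues past the end of the hunk.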
@@ -1526,14 +1537,14 @@ int DetectEnginePktInspectionSetup(Signature *s)
     /* only handle PMATCH here if we're not an app inspect rule */
     if (s->sm_arrays[DETECT_SM_LIST_PMATCH] && (s->init_data->init_flags & SIG_FLAG_INIT_STATE_MATCH) == 0) {
         if (DetectEnginePktInspectionAppend(s, DetectEngineInspectRulePayloadMatches,
-                NULL) < 0)
+                NULL, DETECT_SM_LIST_PMATCH) < 0)
             return -1;
         SCLogDebug("sid %u: DetectEngineInspectRulePayloadMatches appended", s->id);
     }
 
     if (s->sm_arrays[DETECT_SM_LIST_MATCH]) {
         if (DetectEnginePktInspectionAppend(s, DetectEngineInspectRulePacketMatches,
-                NULL) < 0)
+                NULL, DETECT_SM_LIST_MATCH) < 0)
             return -1;
         SCLogDebug("sid %u: DetectEngineInspectRulePacketMatches appended", s->id);
     }
index db1daa06154cb3ea101b12ca67b63791b3ace016..fa4a2116c4e66e44cb2281121c7439a6fe394515 100644 (file)
@@ -400,9 +400,10 @@ typedef struct DetectEngineAppInspectionEngine_ {
     AppProto alproto;
     uint8_t dir;
     uint8_t id;     /**< per sig id used in state keeping */
-    uint16_t mpm:1;
-    uint16_t stream:1;
-    uint16_t sm_list:14;
+    bool mpm;
+    bool stream;
+    uint16_t sm_list;
+    uint16_t sm_list_base; /**< base buffer being transformed */
     int16_t progress;
 
     /* \retval 0 No match.  Don't discontinue matching yet.  We need more data.
@@ -457,8 +458,9 @@ typedef InspectionBuffer *(*InspectionBufferGetPktDataPtr)(
 
 typedef struct DetectEnginePktInspectionEngine {
     SigMatchData *smd;
-    uint16_t mpm:1;
-    uint16_t sm_list:15;
+    bool mpm;
+    uint16_t sm_list;
+    uint16_t sm_list_base;
     struct {
         InspectionBufferGetPktDataPtr GetData;
         InspectionBufferPktInspectFunc Callback;
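Review bot: `uint16_t sm_list_base;` in DetectEnginePktInspectionEngine has no doc comment, while the same field in DetectEngineAppInspectionEngine_ carries `/**< base buffer being transformed */`. The registration hunks set the base equal to `sm_list` for untransformed buffers, and that invariant is worth stating where the field is declared. I would write `uint16_t sm_list_base; /**< id of the untransformed base buffer; equals sm_list when no transform is applied */` here and on the matching field in DetectBufferMpmRegistery_. The struct definition continues outside the hunk.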
@@ -610,7 +612,8 @@ typedef struct DetectBufferMpmRegistery_ {
     const char *name;
     char pname[32];             /**< name used in profiling */
     int direction;              /**< SIG_FLAG_TOSERVER or SIG_FLAG_TOCLIENT */
-    int sm_list;
+    int16_t sm_list;
+    int16_t sm_list_base;
     int priority;
     int id;                     /**< index into this array and result arrays */
     enum DetectBufferMpmType type;
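Review bot: `int16_t sm_list;` narrows a field that was `int` and makes it signed 16-bit, while both inspection engine structs in this file now hold the same list id as `uint16_t`. Assignments such as `am->sm_list = id; // use new id` in src/detect-engine-mpm.c then convert implicitly (assuming `id` is an `int`; its declaration is not visible). An id above INT16_MAX would become negative here but stay positive in the engine structs, so the two views of one buffer would disagree when the value is compared or used as an index. Unless a negative sentinel is needed in this registry, which this page does not show, `uint16_t sm_list;` and `uint16_t sm_list_base;` would keep the three structs consistent, with a range check at the point where new list ids are allocated. The struct definition continues outside the hunk.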