detect: Improve handling of variable values
authorJeff Lucovsky <jeff@lucovsky.org>
Sat, 23 Nov 2019 19:35:40 +0000 (14:35 -0500)
committerVictor Julien <victor@inliniac.net>
Mon, 25 Nov 2019 19:03:37 +0000 (20:03 +0100)
When one of offset/depth/distance is from a variable, adjust the depth
by the offset as is done with scalar values at parse time.

src/detect-engine-content-inspection.c

index 4756b4dc51f5ed125e5f9bd077633a1f19d4126b..7daa59e98d519de9e61be2f2f7a5a18c2de84a4c 100644 (file)
@@ -247,6 +247,13 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
                 prev_buffer_offset = 0;
             }
 
+            /* If the value came from a variable, make sure to adjust the depth so it's relative
+             * to the offset value.
+             */
+            if (cd->flags & (DETECT_CONTENT_DISTANCE_BE|DETECT_CONTENT_OFFSET_BE|DETECT_CONTENT_DEPTH_BE)) {
+                 depth += offset;
+            }
+
             /* update offset with prev_offset if we're searching for
              * matches after the first occurence. */
             SCLogDebug("offset %"PRIu32", prev_offset %"PRIu32, offset, prev_offset);
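Review bot: The added `depth += offset;` is unguarded, and when these values come from variables extracted from traffic the sum can wrap if both are 32-bit unsigned (offset is logged with PRIu32; the declaration of depth is outside the hunk). A wrapped depth would shrink the search window and could let a content match be missed, so a saturating form is safer: `depth = (depth > UINT32_MAX - offset) ? UINT32_MAX : depth + offset;`. The condition also fires when only DETECT_CONTENT_DISTANCE_BE is set; if depth and offset are scalars in that case, they may already have been adjusted at parse time and would be adjusted twice, which is worth confirming against the parser. The statement is indented one space deeper than the surrounding block, and the body of DetectEngineContentInspection continues outside the hunk.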