From: Victor Julien
Date: Fri, 3 Dec 2021 07:15:15 +0000 (+0100)
Subject: detect/frames: limit mixing frames and other detection
X-Git-Tag: suricata-7.0.0-beta1~1037
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=02f98796a76cc7750ca9c30829cc26b90ac256b2;p=thirdparty%2Fsuricata.git

detect/frames: limit mixing frames and other detection

Don't allow mixing of payload/stream/tx and frame keywords. Initial support is only for 'pure' frame inspection.
---
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 57e6630ec2..ba13dd6468 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -1778,6 +1778,37 @@ static int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
 SCReturnInt(0);
 }
 
+ bool has_pmatch = false;
+ bool has_frame = false;
+ bool has_app = false;
+ bool has_pkt = false;
+
+ for (int i = 0; i < nlists; i++) {
+ if (s->init_data->smlists[i] == NULL)
+ continue;
+ has_pmatch |= (i == DETECT_SM_LIST_PMATCH);
+
+ const DetectBufferType *b = DetectEngineBufferTypeGetById(de_ctx, i);
+ if (b == NULL)
+ continue;
+
+ has_frame |= b->frame;
+ has_app |= (b->frame == false && b->packet == false);
+ has_pkt |= b->packet;
+ }
+ if (has_pmatch && has_frame) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't mix pure content and frame inspection");
+ SCReturnInt(0);
+ }
+ if (has_app && has_frame) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't app-layer buffer and frame inspection");
+ SCReturnInt(0);
+ }
+ if (has_pkt && has_frame) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "can't pkt buffer and frame inspection");
+ SCReturnInt(0);
+ }
+
 if (s->flags & SIG_FLAG_REQUIRE_PACKET) {
 for (int i = 0; i < nlists; i++) {
 if (s->init_data->smlists[i] == NULL)
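Review bot: Two of the three new SCLogError strings in SigValidate are missing their verb, `"can't app-layer buffer and frame inspection"` and `"can't pkt buffer and frame inspection"`, so a rule author whose signature is refused gets a garbled reason. Suggest `"can't mix app-layer buffer and frame inspection"` and `"can't mix packet buffer and frame inspection"`, matching the first message. A signature that fails here is presumably not loaded, leaving the sensor without that detection, so it would also help to name the offending buffer in the message; the loop already holds `b` where the flags are set. Separately, `has_app` is set for every buffer type that is neither frame nor packet, and a short comment on that line, such as `/* any non-frame, non-packet buffer counts as app-layer here */`, would make the check easier to audit. SigValidate begins and ends outside this hunk.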