From: Victor Julien Date: Fri, 8 Dec 2023 08:38:38 +0000 (+0100) Subject: detect/bytejump: don't reuse content flag X-Git-Tag: suricata-8.0.0-beta1~1916 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=101452056d559b4e5eab27c2d9fb651d2e32c412;p=thirdparty%2Fsuricata.git detect/bytejump: don't reuse content flag To avoid future problems with overlapping flag values, give bytejump its own DETECT_BYTEJUMP_OFFSET_VAR flag. The values are currently not overlapping, so this patch should have no side effects.
---
diff --git a/src/detect-byte-extract.c b/src/detect-byte-extract.c
index cf9b24348e..09289da6d2 100644
--- a/src/detect-byte-extract.c
+++ b/src/detect-byte-extract.c
@@ -3513,8 +3513,7 @@ static int DetectByteExtractTest53(void)
 goto end;
 }
 bjd = (DetectBytejumpData *)sm->ctx;
- if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
- bjd->offset != 0) {
+ if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 0) {
 printf("three failed\n");
 result = 0;
 goto end;
@@ -3618,8 +3617,7 @@ static int DetectByteExtractTest54(void)
 goto end;
 }
 bjd = (DetectBytejumpData *)sm->ctx;
- if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
- bjd->offset != 0) {
+ if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 0) {
 printf("three failed\n");
 result = 0;
 goto end;
@@ -3631,8 +3629,7 @@ static int DetectByteExtractTest54(void)
 goto end;
 }
 bjd = (DetectBytejumpData *)sm->ctx;
- if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
- bjd->offset != 1) {
+ if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 1) {
 printf("four failed\n");
 result = 0;
 goto end;
@@ -4165,8 +4162,7 @@ static int DetectByteExtractTest58(void)
 goto end;
 }
 bjd = (DetectBytejumpData *)sm->ctx;
- if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
- bjd->offset != 0) {
+ if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 0) {
 printf("three failed\n");
 result = 0;
 goto end;
@@ -4178,8 +4174,7 @@ static int DetectByteExtractTest58(void)
 goto end;
 }
 bjd = (DetectBytejumpData *)sm->ctx;
- if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
- bjd->offset != 1) {
+ if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 1) {
 printf("four failed\n");
 result = 0;
 goto end;
@@ -4298,8 +4293,7 @@ static int DetectByteExtractTest59(void)
 goto end;
 }
 bjd = (DetectBytejumpData *)sm->ctx;
- if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
- bjd->offset != 0) {
+ if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 0) {
 printf("three failed\n");
 result = 0;
 goto end;
@@ -4311,8 +4305,7 @@ static int DetectByteExtractTest59(void)
 goto end;
 }
 bjd = (DetectBytejumpData *)sm->ctx;
- if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
- bjd->offset != 1) {
+ if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 1) {
 printf("four failed\n");
 result = 0;
 goto end;
diff --git a/src/detect-bytejump.c b/src/detect-bytejump.c
index 3e7ae4f5e0..e04d8a7a94 100644
--- a/src/detect-bytejump.c
+++ b/src/detect-bytejump.c
@@ -563,7 +563,7 @@ static int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, const char
 goto error;
 }
 data->offset = index;
- data->flags |= DETECT_CONTENT_OFFSET_VAR;
+ data->flags |= DETECT_BYTEJUMP_OFFSET_VAR;
 SCFree(offset);
 offset = NULL;
 }
diff --git a/src/detect-bytejump.h b/src/detect-bytejump.h
index f8ee530b38..15f6103443 100644
--- a/src/detect-bytejump.h
+++ b/src/detect-bytejump.h
@@ -41,6 +41,7 @@
 #define DETECT_BYTEJUMP_OFFSET_BE BIT_U16(7) /**< "byte extract" enabled */
 #define DETECT_BYTEJUMP_END BIT_U16(8) /**< "from_end" jump */
 #define DETECT_BYTEJUMP_NBYTES_VAR BIT_U16(9) /**< nbytes string*/
+#define DETECT_BYTEJUMP_OFFSET_VAR BIT_U16(10) /**< byte extract value enabled */
 typedef struct DetectBytejumpData_ {
 uint8_t nbytes; /**< Number of bytes to compare */
diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c
index 5d6ad2be56..81f2e30f31 100644
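Review bot: `data->flags |= DETECT_BYTEJUMP_OFFSET_VAR;` in DetectBytejumpSetup changes which bit marks a variable offset, so any reader of the bytejump flags that still masks with DETECT_CONTENT_OFFSET_VAR would skip the variable lookup and use `data->offset` as a literal offset. That failure is silent: the rule still loads and is simply evaluated at the wrong position, with no build or parse error to flag it. This diff converts the reader in detect-engine-content-inspection.c and the unit tests; readers in other files are not visible here, so it is worth confirming that none remain. A short comment above the assignment would also help, for example `/* offset now holds a byte_extract index, not a literal offset */`. DetectBytejumpSetup starts and ends outside this hunk.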
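Review bot: The doc comment on the new DETECT_BYTEJUMP_OFFSET_VAR define, `/**< byte extract value enabled */`, is almost the same as the one on DETECT_BYTEJUMP_OFFSET_BE (`"byte extract" enabled`) and does not say what the flag changes. Going by the reader in detect-engine-content-inspection.c, a set flag means `offset` is an index into `det_ctx->byte_values`, so I would write `/**< offset is an index into the byte_extract values, not a literal offset */`. The flags member of DetectBytejumpData is outside this hunk, so confirm it is at least 16 bits wide, since BIT_U16(10) does not fit in a narrower field.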
--- a/src/detect-engine-content-inspection.c
+++ b/src/detect-engine-content-inspection.c
@@ -515,7 +515,7 @@ static int DetectEngineContentInspectionInternal(DetectEngineThreadCtx *det_ctx,
 int32_t offset = bjd->offset;
 int32_t nbytes;
- if (bjflags & DETECT_CONTENT_OFFSET_VAR) {
+ if (bjflags & DETECT_BYTEJUMP_OFFSET_VAR) {
 offset = det_ctx->byte_values[offset];
 }
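Review bot: In the branch guarded by the renamed flag, `offset = det_ctx->byte_values[offset];` uses `bjd->offset` as an array index and stores the result in an `int32_t`, with no range check visible in the hunk. The element type and length of `byte_values` are declared elsewhere. If the elements are wider than 32 bits, a large extracted value would be narrowed and could arrive as a negative or wrapped jump offset, and those values presumably come from inspected traffic. At minimum, document the contract here with something like `/* bjd->offset is a byte_extract index validated at setup; value is narrowed to int32_t */`. If no later bounds check exists, reject out-of-range values before the assignment. The function continues outside this hunk, so a later check may already cover this.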