From: Victor Julien Date: Fri, 12 Jan 2024 07:03:06 +0000 (+0530) Subject: detect/engine: fix whitelisting check X-Git-Tag: suricata-7.0.6~57 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=40d3e1e0cc0f4be26779f751de18ed83d625ae31;p=thirdparty%2Fsuricata.git detect/engine: fix whitelisting check In the commit 4a00ae607, the whitelisting check was updated in a quest to make use of the conditional better but it made things worse as every range would be whitelisted as long as it had any of the default whitelisted port which is very common. (cherry picked from commit fb9680bb7b17f6744c9f6f26abf4c902c83de8f3) --- diff --git a/src/detect-engine-build.c b/src/detect-engine-build.c index 8b76212719..710d45c987 100644 --- a/src/detect-engine-build.c +++ b/src/detect-engine-build.c @@ -1101,8 +1101,9 @@ static int PortIsWhitelisted(const DetectEngineCtx *de_ctx, w = de_ctx->udp_whitelist; while (w) { - if (a->port >= w->port && a->port2 <= w->port) { - SCLogDebug("port group %u:%u whitelisted -> %d", a->port, a->port2, w->port); + /* Make sure the whitelist port falls in the port range of a */ + DEBUG_VALIDATE_BUG_ON(a->port > a->port2); + if (a->port == w->port && w->port2 == a->port2) { return 1; } w = w->next;
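Review bot: the new comment and the new condition disagree. "Make sure the whitelist port falls in the port range of a" describes a containment test, but `if (a->port == w->port && w->port2 == a->port2)` only fires when the whitelist entry and the port group have exactly the same endpoints, so a multi-port group that merely contains a single-port whitelist entry (w->port == w->port2) is no longer whitelisted. If exact match is the intended semantics, as the commit message suggests, reword the comment to say so; if containment is intended, the check should read `if (w->port >= a->port && w->port2 <= a->port2)`. Two smaller points: `DEBUG_VALIDATE_BUG_ON(a->port > a->port2)` depends only on `a`, so it belongs before the `while (w)` loop rather than re-running for every whitelist entry, and dropping `SCLogDebug("port group %u:%u whitelisted -> %d", ...)` without a replacement leaves the match with no debug trace; logging the matching w->port and w->port2 would keep that visibility for anyone debugging port grouping.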