From: Victor Julien
Date: Tue, 31 Mar 2020 08:38:06 +0000 (+0200)
Subject: detect/pkt_data: error on unconsumed transforms
X-Git-Tag: suricata-5.0.3~74
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=45bb7691a37d1be6351b4f712fdb349bf6dd513b;p=thirdparty%2Fsuricata.git
detect/pkt_data: error on unconsumed transforms
If a rule has transforms w/o consuming them (e.g. a content keyword), don't consider 'pkt_data' valid.
(cherry picked from commit 13c9d0ca7e3a41a8023dc80def36e24686288742)
---
diff --git a/src/detect-pkt-data.c b/src/detect-pkt-data.c
index 7443dfa053..88e216fa3b 100644
--- a/src/detect-pkt-data.c
+++ b/src/detect-pkt-data.c
@@ -73,6 +73,11 @@ void DetectPktDataRegister(void)
static int DetectPktDataSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
SCEnter();
+ if (s->init_data->transform_cnt) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE,
+ "previous transforms not consumed before 'pkt_data'");
+ SCReturnInt(-1);
+ }
s->init_data->list = DETECT_SM_LIST_NOTSET;
return 0;
@@ -140,6 +145,20 @@ end:
return result;
}
+
+static int DetectPktDataTest02(void)
+{
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ FAIL_IF_NULL(de_ctx);
+ de_ctx->flags |= DE_QUIET;
+
+ Signature *sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
+ "(file_data; compress_whitespace; "
+ " pkt_data; content:\"in pkt data\"; sid:1;)");
+ FAIL_IF_NOT_NULL(sig);
+ DetectEngineCtxFree(de_ctx);
+ PASS;
+}
#endif
static void DetectPktDataTestRegister(void)
@@ -148,6 +167,7 @@ static void DetectPktDataTestRegister(void)
g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
UtRegisterTest("DetectPktDataTest01", DetectPktDataTest01);
+ UtRegisterTest("DetectPktDataTest02", DetectPktDataTest02);
#endif
}
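Review bot: The new guard at the top of DetectPktDataSetup has no comment saying why pending transforms make `pkt_data` invalid; the reason is only in the commit message. A one-line comment above the `if` would keep it with the code, for example `/* transforms set before pkt_data must have been consumed (e.g. by a content keyword); otherwise the rule is invalid */`. The error path leaves through `SCReturnInt(-1);` while the success path below still uses a plain `return 0;`, so `SCReturnInt(0);` would keep both exits consistent with `SCEnter()`. Since rules that loaded before may now be rejected, operators should check for this SC_ERR_INVALID_SIGNATURE message after upgrading, because a rule that fails to load detects nothing. The function's closing brace lies outside the hunk.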
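Review bot: DetectPktDataTest02 asserts only that the rule fails to load, so it would also pass if `DetectEngineAppendSig` returned NULL for an unrelated reason, such as a parse error elsewhere in the rule string. A control case in the same test would tie the failure to the new check: load a variant in which a `content` keyword follows `compress_whitespace` before `pkt_data`, and assert `FAIL_IF_NULL(sig);` on it. That variant should load if the guard is the only reason for the rejection. The function also has no comment, and one line stating that unconsumed transforms before `pkt_data` must be rejected would document what the test pins down.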