From: Pranav Bhalerao (prbhaler) Date: Fri, 26 Nov 2021 05:03:08 +0000 (+0000) Subject: Pull request #3181: ips_options: creating LiteralSearch object for vba decompression... X-Git-Tag: 3.1.18.0~7 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4eeabd8401b18ac759569050838608a9636a4155;p=thirdparty%2Fsnort3.git Pull request #3181: ips_options: creating LiteralSearch object for vba decompression at the time of snort initialization Merge in SNORT/snort3 from ~AMARNAYA/snort3:fix_searcher to master Squashed commit of the following: commit 20191e9a84c6b1b73d0a589f54c7aab53fb94d91 Author: Amarnath Nayak Date: Tue Nov 23 08:02:30 2021 +0000 ips_options: creating LiteralSearch object for vba decompression at the time of snort initialization
---
diff --git a/src/decompress/file_olefile.cc b/src/decompress/file_olefile.cc
index 73dc1cd97..48712e95e 100644
--- a/src/decompress/file_olefile.cc
+++ b/src/decompress/file_olefile.cc
@@ -524,9 +524,6 @@ bool OleFile :: parse_ole_header()
 // RLE algorithm.
 int32_t OleFile :: get_file_offset(const uint8_t* data, int32_t data_len)
 {
- search_handle = snort::LiteralSearch::setup();
- searcher = snort::LiteralSearch::instantiate(search_handle,
- (const uint8_t*)"ATTRIBUT", 8, true);
 if (searcher == nullptr)
 {
 VBA_DEBUG(vba_data_trace, DEFAULT_TRACE_OPTION_ID, TRACE_ERROR_LEVEL, CURRENT_PACKET,
@@ -535,8 +532,6 @@ int32_t OleFile :: get_file_offset(const uint8_t* data, int32_t data_len)
 }
 int32_t offset = searcher->search(search_handle, data, data_len);
- delete searcher;
- snort::LiteralSearch::cleanup(search_handle);
 return offset;
 }
diff --git a/src/decompress/file_olefile.h b/src/decompress/file_olefile.h
index e42c76ffc..cd020f0eb 100644
--- a/src/decompress/file_olefile.h
+++ b/src/decompress/file_olefile.h
@@ -254,10 +254,8 @@ public:
 OleFile(const uint8_t* file_buf, const uint32_t buf_len)
 {
- //header = new OleHeader;
 this->file_buf = file_buf;
 this->buf_len = buf_len;
- //dir_list = new DirectoryList();
 }
 ~OleFile()
@@ -268,9 +266,6 @@ public:
 delete[] mini_fat_list;
 }
- snort::LiteralSearch* searcher = nullptr;
- snort::LiteralSearch::Handle* search_handle = nullptr;
-
 private:
 const uint8_t* file_buf;
 uint32_t buf_len;
diff --git a/src/decompress/test/file_olefile_test.cc b/src/decompress/test/file_olefile_test.cc
index 0a23ab0a7..a20965e98 100644
--- a/src/decompress/test/file_olefile_test.cc
+++ b/src/decompress/test/file_olefile_test.cc
@@ -35,6 +35,9 @@
 THREAD_LOCAL const snort::Trace* vba_data_trace = nullptr;
+snort::LiteralSearch::Handle* search_handle = nullptr;
+const snort::LiteralSearch* searcher = nullptr ;
+
 namespace snort
 {
 LiteralSearch::Handle* LiteralSearch::setup() { return nullptr; }
diff --git a/src/ips_options/ips_vba_data.cc b/src/ips_options/ips_vba_data.cc
index b5c784fd7..0a3c6f7ff 100644
--- a/src/ips_options/ips_vba_data.cc
+++ b/src/ips_options/ips_vba_data.cc
@@ -29,6 +29,9 @@ using namespace snort;
 THREAD_LOCAL const Trace* vba_data_trace = nullptr;
+LiteralSearch::Handle* search_handle = nullptr;
+const LiteralSearch* searcher = nullptr;
+
 CursorActionType VbaDataOption::get_cursor_type() const
 { return CAT_SET_VBA; }
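Review bot: The two pointers added at file scope in src/ips_options/ips_vba_data.cc, `search_handle` and `searcher`, are ordinary globals sitting next to a `THREAD_LOCAL` trace pointer, and `OleFile::get_file_offset` in src/decompress/file_olefile.cc now reads them on every call instead of building its own searcher. If that function can run on more than one packet thread, all threads share a single `LiteralSearch::Handle`; whether `search()` is safe on a shared handle is not visible in this diff, so a comment such as `// shared by all packet threads; LiteralSearch::search() must not modify the handle` would record the assumption. The names are also very generic for symbols with external linkage: ips_vba_data.h exports them with `extern` and the unit test defines its own copies, so a prefix such as `vba_search_handle` / `vba_searcher` would make a clash with another translation unit less likely.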
@@ -44,6 +47,32 @@ IpsOption::EvalStatus VbaDataOption::eval(Cursor& c, Packet* p)
 return MATCH;
 }
+bool VbaDataModule::end(const char*, int, SnortConfig*)
+{
+ if (!search_handle)
+ search_handle = LiteralSearch::setup();
+
+ if (!searcher)
+ searcher = snort::LiteralSearch::instantiate(search_handle,
+ (const uint8_t*)"ATTRIBUT", 8, true);
+
+ return true;
+}
+
+VbaDataModule::~VbaDataModule()
+{
+ if (searcher)
+ {
+ delete searcher;
+ searcher = nullptr;
+ }
+
+ if (search_handle)
+ {
+ LiteralSearch::cleanup(search_handle);
+ search_handle = nullptr;
+ }
+}
 ProfileStats* VbaDataModule::get_profile() const
 { return &vbaDataPerfStats; }
diff --git a/src/ips_options/ips_vba_data.h b/src/ips_options/ips_vba_data.h
index d75acaaec..67b8d30a4 100644
--- a/src/ips_options/ips_vba_data.h
+++ b/src/ips_options/ips_vba_data.h
@@ -21,6 +21,7 @@
 #include "framework/cursor.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
+#include "helpers/literal_search.h"
 #include "profiler/profiler.h"
 #include "trace/trace.h"
@@ -32,6 +33,9 @@ static THREAD_LOCAL snort::ProfileStats vbaDataPerfStats;
 extern THREAD_LOCAL const snort::Trace* vba_data_trace;
+extern snort::LiteralSearch::Handle* search_handle ;
+extern const snort::LiteralSearch* searcher ;
+
 class VbaDataOption : public snort::IpsOption
 {
 public:
@@ -46,6 +50,9 @@ class VbaDataModule : public snort::Module
 {
 public:
 VbaDataModule() : Module(s_name, s_help) { }
+ ~VbaDataModule() override;
+
+ bool end(const char*, int, snort::SnortConfig*) override;
 snort::ProfileStats* get_profile() const override;
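Review bot: `VbaDataModule::end` in src/ips_options/ips_vba_data.cc returns `true` even when `LiteralSearch::instantiate` hands back a null pointer, so a failed searcher setup is not reported while the configuration is being loaded. The only place that notices is `OleFile::get_file_offset`, which tests `searcher == nullptr` on each call and reports it through `VBA_DEBUG`, a trace message; rules that rely on `vba_data` would then presumably stop matching with no visible error. Ending the function with `return searcher != nullptr;`, or logging a configuration error before returning false, would surface the failure at startup instead. The destructor in the same hunk frees the process-wide pointers, so a short comment stating that only one `VbaDataModule` instance is expected to own them would help the next reader.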