From: Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) Date: Fri, 28 Oct 2022 08:02:25 +0000 (+0000) Subject: Pull request #3630: detection: ignore back up of vars on node with 1 child X-Git-Tag: 3.1.47.0~25 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dd89ac4feaf6dd407e1686199795a63430503fe3;p=thirdparty%2Fsnort3.git Pull request #3630: detection: ignore back up of vars on node with 1 child Merge in SNORT/snort3 from ~YVELYKOZ/snort3:sse_ips_w_constr to master Squashed commit of the following: commit 1ea313ec8cc86bc2461e2132b09f4a863e112f40 Author: Yehor Velykozhon Date: Tue Oct 25 14:56:18 2022 +0300 detection: skip a rule variable copy for a single-branched node --- diff --git a/src/detection/detection_options.cc b/src/detection/detection_options.cc index acc5bed6f..811bcb1a6 100644 --- a/src/detection/detection_options.cc +++ b/src/detection/detection_options.cc @@ -559,20 +559,17 @@ int detection_option_node_evaluate( debug_log(detection_trace, TRACE_RULE_EVAL, p, "flowbit no alert\n"); } - // Back up byte_extract vars so they don't get overwritten between rules - for ( unsigned i = 0; i < NUM_IPS_OPTIONS_VARS; ++i ) - { - GetVarValueByIndex(&(tmp_byte_extract_vars[i]), (int8_t)i); - } #ifdef DEBUG_MSGS if ( trace_enabled(detection_trace, TRACE_RULE_VARS) ) { char var_buf[100]; std::string rule_vars; rule_vars.reserve(sizeof(var_buf)); + uint32_t dbg_extract_vars[]{0,0}; for ( unsigned i = 0; i < NUM_IPS_OPTIONS_VARS; ++i ) { - safe_snprintf(var_buf, sizeof(var_buf), "var[%u]=0x%X ", i, tmp_byte_extract_vars[i]); + GetVarValueByIndex(&(dbg_extract_vars[i]), (int8_t)i); + safe_snprintf(var_buf, sizeof(var_buf), "var[%u]=0x%X ", i, dbg_extract_vars[i]); rule_vars.append(var_buf); } debug_logf(detection_trace, TRACE_RULE_VARS, p, "Rule options variables: %s\n", 
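Review bot: `uint32_t dbg_extract_vars[]{0,0};` in the DEBUG_MSGS block takes its length (two) from the initializer, while the loop right after it writes `dbg_extract_vars[i]` for every `i < NUM_IPS_OPTIONS_VARS`. The constant's value is not visible in this hunk; if it is ever raised above two, `GetVarValueByIndex` would write past the end of this stack array in debug builds, with no compiler diagnostic. Tying the size to the loop bound removes that hidden coupling: `uint32_t dbg_extract_vars[NUM_IPS_OPTIONS_VARS]{};`. The body of detection_option_node_evaluate starts and ends outside the hunk.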
@@ -591,12 +588,17 @@ int detection_option_node_evaluate( // Passed, check the children. if ( node->num_children ) { + // Back up byte_extract vars so they don't get overwritten between rules + // If node has only 1 child - no need to back up on current step + for ( unsigned i = 0; node->num_children > 1 && i < NUM_IPS_OPTIONS_VARS; ++i ) + GetVarValueByIndex(&(tmp_byte_extract_vars[i]), (int8_t)i); + for ( int i = 0; i < node->num_children; ++i ) { detection_option_tree_node_t* child_node = node->children[i]; dot_node_state_t* child_state = child_node->state + get_instance_id(); - for ( unsigned j = 0; j < NUM_IPS_OPTIONS_VARS; ++j ) + for ( unsigned j = 0; node->num_children > 1 && j < NUM_IPS_OPTIONS_VARS; ++j ) SetVarValueByIndex(tmp_byte_extract_vars[j], (int8_t)j); if ( loop_count > 0 )
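Review bot: The `node->num_children > 1` guard is repeated inside both loop conditions (the backup loop and the per-child restore loop), so it is re-tested on every iteration and the two copies must be kept identical by hand. If they drift apart, the restore would push values from `tmp_byte_extract_vars` that were never saved; the array is declared outside this hunk, so whether it is initialised cannot be seen here. Naming the condition once, e.g. `const bool save_vars = node->num_children > 1;`, and wrapping each loop in `if ( save_vars )` keeps the pair in step and leaves plain loop bounds. A short comment on the restore loop saying why single-child nodes skip it would also help, since the explanation currently sits only on the backup loop. detection_option_node_evaluate starts and ends outside the hunk.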