From: Jeff Lucovsky Date: Sat, 23 Nov 2019 19:35:40 +0000 (-0500) Subject: detect: Improve handling of variable values X-Git-Tag: suricata-5.0.1~80 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f318a46d34b29bd5b0a5c9cafdbe3376f1cd4d7d;p=thirdparty%2Fsuricata.git detect: Improve handling of variable values When one of offset/depth/distance is from a variable, adjust the depth by the offset as is done with scalar values at parse time. --- diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c index 4756b4dc51..7daa59e98d 100644 --- a/src/detect-engine-content-inspection.c +++ b/src/detect-engine-content-inspection.c @@ -247,6 +247,13 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx prev_buffer_offset = 0; } + /* If the value came from a variable, make sure to adjust the depth so it's relative + * to the offset value. + */ + if (cd->flags & (DETECT_CONTENT_DISTANCE_BE|DETECT_CONTENT_OFFSET_BE|DETECT_CONTENT_DEPTH_BE)) { + depth += offset; + } + /* update offset with prev_offset if we're searching for * matches after the first occurence. */ SCLogDebug("offset %"PRIu32", prev_offset %"PRIu32, offset, prev_offset);
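Review bot: the added `depth += offset;` in the new `if` block has no wrap check, and on this path the operands come from variables rather than from values validated at parse time. `offset` is logged just below with `PRIu32`; if `depth` has the same width, a large extracted value can wrap the sum to a small number and shrink the inspected window, so the content match silently fails. Suggest a saturating add, or clamping to the buffer length, before the search bounds are derived. Separately, the mask includes `DETECT_CONTENT_DISTANCE_BE`: when only distance comes from a variable and both offset and depth are scalars, the commit message implies depth was already adjusted by offset at parse time, so this branch would add offset a second time. Worth confirming that case, or narrowing the condition to `DETECT_CONTENT_OFFSET_BE|DETECT_CONTENT_DEPTH_BE`, and adding a rule test that covers each flag alone.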