From: Victor Julien <victor@inliniac.net>
Date: Mon, 30 Nov 2020 06:44:54 +0000 (+0100)
Subject: detect: fix inspection order with stateful rules
X-Git-Tag: suricata-5.0.5~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f7ffd5e901f17c04e66680222131b2c06a0f812f;p=thirdparty%2Fsuricata.git

detect: fix inspection order with stateful rules

When stateful detection rules, for which detection has already started
for a previous packet, are added to the candidates array, the array
is sorted to mantain the correct inspection order. However, due to a
trivial error in the sort helper the array was sorted in descending
instead of ascending order.

(cherry picked from commit 46644440671c3bfeb9c1423aa1684191ff6db961)
---

diff --git a/src/detect.c b/src/detect.c
index b0cbb921dc..e9b7ff7adf 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1011,8 +1011,13 @@ static int RuleMatchCandidateTxArrayExpand(DetectEngineThreadCtx *det_ctx, const
     return 1;
 }
 
-
-/* TODO maybe let one with flags win if equal? */
+/** \internal
+ *  \brief sort helper for sorting match candidates by id: ascending
+ *
+ *  The id field is set from Signature::num, so we sort the candidates to match the signature
+ *  sort order (ascending).
+ *
+ *  \todo maybe let one with flags win if equal? */
 static int
 DetectRunTxSortHelper(const void *a, const void *b)
 {
@@ -1021,7 +1026,7 @@ DetectRunTxSortHelper(const void *a, const void *b)
     if (s1->id == s0->id)
         return 0;
     else
-        return s0->id > s1->id ? -1 : 1;
+        return s0->id > s1->id ? 1 : -1;
 }
 
 #if 0