From: Shivani Bhardwaj <shivani@oisf.net>
Date: Thu, 21 Mar 2024 08:45:39 +0000 (+0530)
Subject: detect/port: fix grouping of ports w gaps
X-Git-Tag: suricata-8.0.0-beta1~1600
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F10697%2Fhead;p=thirdparty%2Fsuricata.git

detect/port: fix grouping of ports w gaps

If a single port happens before a range port, the port groups created
were incorrect. Fix it to use smarter range check.

For example, given,
80:80 - SGH1
100:120 - SGH2

Range created should be
80:80 - SGH1
100:120 - SGH2

Bug 6881
---

diff --git a/src/detect-engine-build.c b/src/detect-engine-build.c
index acbc9fc82d..715c537b37 100644
--- a/src/detect-engine-build.c
+++ b/src/detect-engine-build.c
@@ -1425,7 +1425,13 @@ static inline int CreatePortList(DetectEngineCtx *de_ctx, const uint8_t *unique_
                 port = port2 + 1;
             } else if (p1 && p1->single) {
                 SCPortIntervalFindOverlappingRanges(de_ctx, port, port, &it->tree, list);
-                port = port + 1;
+                if ((port2 > port + 1)) {
+                    SCPortIntervalFindOverlappingRanges(
+                            de_ctx, port + 1, port2 - 1, &it->tree, list);
+                    port = port2;
+                } else {
+                    port = port + 1;
+                }
             } else if (p2->single) {
                 /* If port2 is boundary and less or equal to port + 1, create a range
                  * keeping the boundary away as it is single port */