From: Victor Julien
Date: Mon, 30 Nov 2020 06:44:54 +0000 (+0100)
Subject: detect: fix inspection order with stateful rules
X-Git-Tag: suricata-6.0.1~30
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F5610%2Fhead;p=thirdparty%2Fsuricata.git

detect: fix inspection order with stateful rules

When stateful detection rules, for which detection has already started for a previous packet, are added to the candidates array, the array is sorted to maintain the correct inspection order. However, due to a trivial error in the sort helper the array was sorted in descending instead of ascending order.

---
diff --git a/src/detect.c b/src/detect.c index 8a71fc8f1d..92a32f2ff2 100644 --- a/src/detect.c +++ b/src/detect.c @@ -1009,8 +1009,13 @@ static int RuleMatchCandidateTxArrayExpand(DetectEngineThreadCtx *det_ctx, const return 1; } - -/* TODO maybe let one with flags win if equal? */ +/** \internal + * \brief sort helper for sorting match candidates by id: ascending + * + * The id field is set from Signature::num, so we sort the candidates to match the signature + * sort order (ascending). + * + * \todo maybe let one with flags win if equal? */ static int DetectRunTxSortHelper(const void *a, const void *b) { @@ -1019,7 +1024,7 @@ DetectRunTxSortHelper(const void *a, const void *b) if (s1->id == s0->id) return 0; else - return s0->id > s1->id ? -1 : 1; + return s0->id > s1->id ? 1 : -1; } #if 0
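
Review bot: In the new doc comment above DetectRunTxSortHelper (first hunk, @@ -1009,8 +1009,13 @@), the `\todo maybe let one with flags win if equal?` is carried over unresolved, so the ordering of two candidates with the same id is still undocumented: the helper returns 0 for them and their relative order is left to the sort routine. Since this commit is about inspection order, the comment should state whether equal ids can occur in the candidates array and whether their relative order matters, or say which flags should win and why. It would also help to name the place where id is assigned from Signature::num, so that a later change there is not made without revisiting this helper.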
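
Review bot: The one-line change in DetectRunTxSortHelper (second hunk, @@ -1019,7 +1024,7 @@), `return s0->id > s1->id ? 1 : -1;`, comes without a test; the diff touches only src/detect.c. The commit message calls the cause a trivial error, and an inverted comparator is easy to reintroduce, so a unit test that sorts candidates with out-of-order ids through this helper and asserts the resulting array is ascending would pin the behaviour. Minor style point: the `else` after `return 0;` is redundant, and the three-way result could be written without the branch as `(s0->id > s1->id) - (s0->id < s1->id)`.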