From 32fb7d773afd29e1373457484049157dd1d3db16 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Fri, 3 May 2019 10:00:09 +0200 Subject: [PATCH] detect/content-inspect: turn void arg into Packet Replace the 'void *data' argument by a 'Packet *p' as this was the only user left of the data pointer. --- src/detect-base64-data.c | 4 ++-- src/detect-dce-stub-data.c | 11 ++++----- src/detect-dnp3.c | 8 +++---- src/detect-dns-query.c | 4 ++-- src/detect-engine-content-inspection.c | 24 ++++++++------------ src/detect-engine-content-inspection.h | 4 ++-- src/detect-engine-payload.c | 19 ++++++++-------- src/detect-engine.c | 4 ++-- src/detect-file-data.c | 4 ++-- src/detect-filemagic.c | 4 ++-- src/detect-filename.c | 4 ++-- src/detect-http-header-names.c | 4 ++-- src/detect-http-header.c | 8 +++---- src/detect-http-start.c | 4 ++-- src/detect-krb5-cname.c | 4 ++-- src/detect-krb5-sname.c | 4 ++-- src/detect-template-rust-buffer.c | 4 ++-- src/tests/detect-engine-content-inspection.c | 4 ++-- 18 files changed, 57 insertions(+), 65 deletions(-) diff --git a/src/detect-base64-data.c b/src/detect-base64-data.c index 92cce96cbd..00782153c8 100644 --- a/src/detect-base64-data.c +++ b/src/detect-base64-data.c @@ -63,9 +63,9 @@ int DetectBase64DataDoMatch(DetectEngineCtx *de_ctx, { if (det_ctx->base64_decoded_len) { return DetectEngineContentInspection(de_ctx, det_ctx, s, - s->sm_arrays[DETECT_SM_LIST_BASE64_DATA], f, det_ctx->base64_decoded, + s->sm_arrays[DETECT_SM_LIST_BASE64_DATA], NULL, f, det_ctx->base64_decoded, det_ctx->base64_decoded_len, 0, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); + DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); } return 0; diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c index d4656bbfbb..b5104f6b41 100644 --- a/src/detect-dce-stub-data.c +++ b/src/detect-dce-stub-data.c 
@@ -182,7 +182,6 @@ static int InspectEngineDceStubData(ThreadVars *tv, { uint32_t buffer_len = 0; uint8_t *buffer = NULL; - DCERPCState *dcerpc_state = NULL; uint8_t ci_flags = DETECT_CI_FLAGS_SINGLE; if (f->alproto == ALPROTO_SMB) { @@ -190,9 +189,8 @@ static int InspectEngineDceStubData(ThreadVars *tv, if (rs_smb_tx_get_stub_data(tx, dir, &buffer, &buffer_len) != 1) goto end; SCLogDebug("have data!"); - } else - { - dcerpc_state = alstate; + } else { + DCERPCState *dcerpc_state = alstate; if (dcerpc_state == NULL) goto end; @@ -216,11 +214,10 @@ static int InspectEngineDceStubData(ThreadVars *tv, det_ctx->discontinue_matching = 0; det_ctx->inspection_recursion_counter = 0; int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, - f, + NULL, f, buffer, buffer_len, 0, ci_flags, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, - dcerpc_state); + DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); if (r == 1) return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-dnp3.c b/src/detect-dnp3.c index 85f8e918c9..b035673507 100644 --- a/src/detect-dnp3.c +++ b/src/detect-dnp3.c @@ -153,15 +153,15 @@ static int DetectEngineInspectDNP3Data(ThreadVars *tv, DetectEngineCtx *de_ctx, /* Content match - should probably be put into its own file. */ if (flags & STREAM_TOSERVER && tx->request_buffer != NULL) { r = DetectEngineContentInspection(de_ctx, det_ctx, s, - smd, f, tx->request_buffer, + smd, NULL, f, tx->request_buffer, tx->request_buffer_len, 0, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); + DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); } else if (flags & STREAM_TOCLIENT && tx->response_buffer != NULL) { r = DetectEngineContentInspection(de_ctx, det_ctx, s, - smd, f, tx->response_buffer, + smd, NULL, f, tx->response_buffer, tx->response_buffer_len, 0, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); + DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); } SCReturnInt(r); 
diff --git a/src/detect-dns-query.c b/src/detect-dns-query.c index 01339d8f1e..4fdd727813 100644 --- a/src/detect-dns-query.c +++ b/src/detect-dns-query.c @@ -121,11 +121,11 @@ static int DetectEngineInspectDnsQuery( det_ctx->inspection_recursion_counter = 0; const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, - f, + NULL, f, (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); + DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); if (match == 1) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c index 582f416b95..473e8a2f55 100644 --- a/src/detect-engine-content-inspection.c +++ b/src/detect-engine-content-inspection.c @@ -82,6 +82,7 @@ * \param det_ctx Detection engine thread context * \param s Signature to inspect * \param sm SigMatch to inspect + * \param p Packet. Can be NULL. * \param f Flow (for pcre flowvar storage) * \param buffer Ptr to the buffer to inspect * \param buffer_len Length of the payload @@ -92,19 +93,17 @@ * \param inspection_mode Refers to the engine inspection mode we are currently * inspecting. Can be payload, stream, one of the http * buffer inspection modes or dce inspection mode. - * \param data Used to send some custom data. For example in - * payload inspection mode, data contains packet ptr, - * and under dce inspection mode, contains dce state. + * \param flags DETECT_CI_FLAG_* * * \retval 0 no match * \retval 1 match */ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, - Flow *f, + Packet *p, Flow *f, uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, - uint8_t inspection_mode, void *data) + uint8_t inspection_mode) { SCEnter(); KEYWORD_PROFILING_START; 
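Review bot: The added `\param flags DETECT_CI_FLAG_*` line in the doc-comment hunk of detect-engine-content-inspection.c does not match the constant every caller in this patch passes, `DETECT_CI_FLAGS_SINGLE`, and it sits after `\param inspection_mode` although `flags` precedes `inspection_mode` in the signature just below. I would write it as `\param flags DETECT_CI_FLAGS_* inspection flags` and move it above the `inspection_mode` entry so the comment reads in argument order. The `\param p Packet. Can be NULL.` line added in the previous hunk could also say when it is NULL; in this commit only the two payload callers in detect-engine-payload.c pass a packet. The comment block has lines between the two hunks that are not shown, so an existing `flags` entry there cannot be ruled out.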
@@ -333,8 +332,8 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx * search for another occurence of this content and see * if the others match then until we run out of matches */ int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd+1, - f, buffer, buffer_len, stream_start_offset, flags, - inspection_mode, data); + p, f, buffer, buffer_len, stream_start_offset, flags, + inspection_mode); if (r == 1) { SCReturnInt(1); } @@ -415,9 +414,6 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx det_ctx->pcre_match_start_offset = 0; do { - Packet *p = NULL; - if (inspection_mode == DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD) - p = (Packet *)data; r = DetectPcrePayloadMatch(det_ctx, s, smd, p, f, buffer, buffer_len); if (r == 0) { @@ -437,8 +433,8 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx * search for another occurence of this pcre and see * if the others match, until we run out of matches */ r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd+1, - f, buffer, buffer_len, stream_start_offset, flags, - inspection_mode, data); + p, f, buffer, buffer_len, stream_start_offset, flags, + inspection_mode); if (r == 1) { SCReturnInt(1); } @@ -618,8 +614,8 @@ match: if (!smd->is_last) { KEYWORD_PROFILING_END(det_ctx, smd->type, 1); int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd+1, - f, buffer, buffer_len, stream_start_offset, flags, - inspection_mode, data); + p, f, buffer, buffer_len, stream_start_offset, flags, + inspection_mode); SCReturnInt(r); } final_match: diff --git a/src/detect-engine-content-inspection.h b/src/detect-engine-content-inspection.h index 7b567fb08e..bc0229cf30 100644 --- a/src/detect-engine-content-inspection.h +++ b/src/detect-engine-content-inspection.h 
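Review bot: Removing the `inspection_mode == DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD` check in front of `DetectPcrePayloadMatch` (hunk at -415,9) moves the guarantee that `p` is NULL outside payload inspection from this function to every caller. The call sites in this patch keep the old pairing, so behaviour looks unchanged, but a later caller that supplies a packet in stream or state mode will now hand it to the pcre match, and `DetectPcrePayloadMatch` must keep accepting a NULL `p`; its body is not part of this diff, and a NULL dereference there would be reachable from inspected traffic. I would record the contract above the call: `/* p is NULL unless a payload caller supplied the packet; DetectPcrePayloadMatch must handle both */`. The enclosing function starts and ends outside the hunk.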
@@ -46,10 +46,10 @@ enum { int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, - Flow *f, + Packet *p, Flow *f, uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, - uint8_t inspection_mode, void *data); + uint8_t inspection_mode); void DetectEngineContentInspectionRegisterTests(void); diff --git a/src/detect-engine-payload.c b/src/detect-engine-payload.c index fbdf3da5b3..add1ba6a3d 100644 --- a/src/detect-engine-payload.c +++ b/src/detect-engine-payload.c @@ -165,9 +165,10 @@ int DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, det_ctx->inspection_recursion_counter = 0; det_ctx->replist = NULL; - r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_arrays[DETECT_SM_LIST_PMATCH], - f, p->payload, p->payload_len, 0, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD, p); + r = DetectEngineContentInspection(de_ctx, det_ctx, + s, s->sm_arrays[DETECT_SM_LIST_PMATCH], + p, f, p->payload, p->payload_len, 0, + DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD); if (r == 1) { SCReturnInt(1); } @@ -208,8 +209,8 @@ static int DetectEngineInspectStreamUDPPayload(DetectEngineCtx *de_ctx, det_ctx->replist = NULL; r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, - f, p->payload, p->payload_len, 0, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD, p); + p, f, p->payload, p->payload_len, 0, DETECT_CI_FLAGS_SINGLE, + DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD); if (r == 1) { SCReturnInt(1); } 
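Review bot: The new prototype keeps the same number of arguments (`Packet *p` is inserted before `Flow *f` while the trailing `void *data` is dropped), so a call site this patch missed, in tree or in an out-of-tree module, is not rejected for arity. With a compiler that only warns on incompatible pointer and integer conversions, such a call would still build and would pass the `Flow *` as the packet and the buffer pointer as the flow. It would help to confirm the change with a build that uses `-Werror=incompatible-pointer-types`. The declaration could also carry a one-line comment such as `/* p: packet being inspected, NULL when inspecting stream or app-layer buffers */`.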
@@ -238,8 +239,8 @@ static int StreamContentInspectFunc(void *cb_data, const uint8_t *data, const ui r = DetectEngineContentInspection(smd->de_ctx, smd->det_ctx, smd->s, smd->s->sm_arrays[DETECT_SM_LIST_PMATCH], - smd->f, (uint8_t *)data, data_len, 0, 0, //TODO - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM, NULL); + NULL, smd->f, (uint8_t *)data, data_len, 0, 0, //TODO + DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM); if (r == 1) { SCReturnInt(1); } @@ -296,8 +297,8 @@ static int StreamContentInspectEngineFunc(void *cb_data, const uint8_t *data, co r = DetectEngineContentInspection(smd->de_ctx, smd->det_ctx, smd->s, smd->smd, - smd->f, (uint8_t *)data, data_len, 0, 0, // TODO - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM, NULL); + NULL, smd->f, (uint8_t *)data, data_len, 0, 0, // TODO + DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM); if (r == 1) { SCReturnInt(1); } diff --git a/src/detect-engine.c b/src/detect-engine.c index 7d83842d84..416a2fc68e 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -1281,9 +1281,9 @@ int DetectEngineInspectBufferGeneric( * transaction at the app layer */ int r = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, - f, + NULL, f, (uint8_t *)data, data_len, offset, ci_flags, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); + DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); if (r == 1) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } else { diff --git a/src/detect-file-data.c b/src/detect-file-data.c index 9237120cb9..a4f9ed617d 100644 --- a/src/detect-file-data.c +++ b/src/detect-file-data.c 
@@ -444,11 +444,11 @@ static int DetectEngineInspectFiledata( det_ctx->discontinue_matching = 0; det_ctx->inspection_recursion_counter = 0; match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, - f, + NULL, f, (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset, ciflags, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); + DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); if (match == 1) { r = 1; break; diff --git a/src/detect-filemagic.c b/src/detect-filemagic.c index 9aefb60b28..bd9b34993e 100644 --- a/src/detect-filemagic.c +++ b/src/detect-filemagic.c @@ -556,11 +556,11 @@ static int DetectEngineInspectFilemagic( det_ctx->discontinue_matching = 0; det_ctx->inspection_recursion_counter = 0; int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, - f, + NULL, f, (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); + DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); if (match == 1) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } else { diff --git a/src/detect-filename.c b/src/detect-filename.c index 3538e92068..e57f051a9c 100644 --- a/src/detect-filename.c +++ b/src/detect-filename.c @@ -402,11 +402,11 @@ static int DetectEngineInspectFilename( det_ctx->discontinue_matching = 0; det_ctx->inspection_recursion_counter = 0; int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, - f, + NULL, f, (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); + DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); if (match == 1) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } else { diff --git a/src/detect-http-header-names.c b/src/detect-http-header-names.c index 5d065e1bac..67bc1bb361 100644 --- a/src/detect-http-header-names.c +++ b/src/detect-http-header-names.c 
@@ -344,9 +344,9 @@ static int InspectEngineHttpHeaderNames( det_ctx->discontinue_matching = 0; det_ctx->inspection_recursion_counter = 0; int r = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, - f, (uint8_t *)data, data_len, offset, + NULL, f, (uint8_t *)data, data_len, offset, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); + DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); if (r == 1) return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-http-header.c b/src/detect-http-header.c index 9a00f64ccb..b2aa0efd22 100644 --- a/src/detect-http-header.c +++ b/src/detect-http-header.c @@ -190,11 +190,9 @@ static int DetectEngineInspectBufferHttpHeader( /* Inspect all the uricontents fetched on each * transaction at the app layer */ - int r = DetectEngineContentInspection(de_ctx, det_ctx, - s, engine->smd, - f, - (uint8_t *)data, data_len, offset, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); + int r = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, + NULL, f, (uint8_t *)data, data_len, offset, + DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); SCLogDebug("r = %d", r); if (r == 1) { return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-http-start.c b/src/detect-http-start.c index 25d499003a..c7776bd149 100644 --- a/src/detect-http-start.c +++ b/src/detect-http-start.c @@ -341,9 +341,9 @@ static int InspectEngineHttpStart( det_ctx->discontinue_matching = 0; det_ctx->inspection_recursion_counter = 0; int r = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, - f, (uint8_t *)data, data_len, offset, + NULL, f, (uint8_t *)data, data_len, offset, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); + DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); if (r == 1) return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-krb5-cname.c b/src/detect-krb5-cname.c index a37441f052..0a562e467c 100644 
--- a/src/detect-krb5-cname.c +++ b/src/detect-krb5-cname.c @@ -109,11 +109,11 @@ static int DetectEngineInspectKrb5CName( det_ctx->inspection_recursion_counter = 0; const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, - f, + NULL, f, (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); + DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); if (match == 1) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } diff --git a/src/detect-krb5-sname.c b/src/detect-krb5-sname.c index 5a919bfb2a..d5f0bf5677 100644 --- a/src/detect-krb5-sname.c +++ b/src/detect-krb5-sname.c @@ -109,11 +109,11 @@ static int DetectEngineInspectKrb5SName( det_ctx->inspection_recursion_counter = 0; const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, - f, + NULL, f, (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); + DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); if (match == 1) { return DETECT_ENGINE_INSPECT_SIG_MATCH; } diff --git a/src/detect-template-rust-buffer.c b/src/detect-template-rust-buffer.c index 7d876a3a3c..4a813af521 100644 --- a/src/detect-template-rust-buffer.c +++ b/src/detect-template-rust-buffer.c @@ -117,8 +117,8 @@ static int DetectEngineInspectTemplateRustBuffer(ThreadVars *tv, if (data != NULL) { ret = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, - f, (uint8_t *)data, data_len, 0, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); + NULL, f, (uint8_t *)data, data_len, 0, DETECT_CI_FLAGS_SINGLE, + DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); } SCLogNotice("Returning %d.", ret); diff --git a/src/tests/detect-engine-content-inspection.c b/src/tests/detect-engine-content-inspection.c index 1f9e87ad7b..69389e0afb 100644 --- a/src/tests/detect-engine-content-inspection.c 
+++ b/src/tests/detect-engine-content-inspection.c @@ -47,9 +47,9 @@ DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); \ FAIL_IF_NULL(det_ctx); \ int r = DetectEngineContentInspection(de_ctx, det_ctx, \ - s, s->sm_arrays[DETECT_SM_LIST_PMATCH], &f, \ + s, s->sm_arrays[DETECT_SM_LIST_PMATCH], NULL, &f, \ (uint8_t *)(buf), (buflen), 0, DETECT_CI_FLAGS_SINGLE, \ - DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD, NULL); \ + DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD); \ FAIL_IF_NOT(r == (match)); \ FAIL_IF_NOT(det_ctx->inspection_recursion_counter == (steps)); \ DetectEngineThreadCtxDeinit(&tv, det_ctx); \ -- 2.47.2
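Review bot: The test macro still selects `DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD` but passes `NULL` for the new packet argument, so as far as this hunk shows no unit test sends a real `Packet` through `DetectEngineContentInspection`. That leaves the one path the commit rewires, the packet reaching `DetectPcrePayloadMatch`, without coverage. A comment on the call would make the choice explicit, for example `/* p is NULL: only the match result and recursion count are checked here */`, or a separate case could pass a packet built for the test. The macro definition starts above the hunk.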