From db8527e7b39162799c2997cfc2683d4a0473274e Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky <jeff@lucovsky.org>
Date: Sat, 23 Nov 2019 14:33:38 -0500
Subject: [PATCH] detect/mpm: Improved handling of variable values

This commit removes the offset and depth if either of these values are
dependent upon a byte-extract operation.
---
 src/detect-engine-mpm.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c
index ed9abae24d..b8bf2572c5 100644
--- a/src/detect-engine-mpm.c
+++ b/src/detect-engine-mpm.c
@@ -736,6 +736,13 @@ static void PopulateMpmHelperAddPattern(MpmCtx *mpm_ctx,
         }
     }
 
+    /* We have to effectively "wild card" values that will be coming from
+     * byte_extract variables
+     */
+    if (cd->flags & (DETECT_CONTENT_DEPTH_BE | DETECT_CONTENT_OFFSET_BE)) {
+        pat_depth = pat_offset = 0;
+    }
+
     if (cd->flags & DETECT_CONTENT_NOCASE) {
         if (chop) {
             MpmAddPatternCI(mpm_ctx,
-- 
2.47.2