fix for bug #970.
authorAnoop Saldanha <anoopsaldanha@gmail.com>
Mon, 23 Sep 2013 09:53:12 +0000 (15:23 +0530)
committerVictor Julien <victor@inliniac.net>
Mon, 23 Sep 2013 14:39:25 +0000 (16:39 +0200)
Content strings that are a duplicate of a pattern from another sig, but
have a fast_pattern chop being applied, would end up being assigned the
same pattern id as the duplicate string.  But the string supplied to the
mpm would be the chopped string, which might result in the state_table
output_state content entry being overridden by the fuller string at
the final state of the smaller content length, because of which during a
match we might end up inspecting the search buffer against the fuller
content pattern, instead of the chopped pattern, which would end up being
an inspection beyond the buffer bounds.

src/util-mpm-ac.c

index 5059365a9549f994a871f26eaebfb597e8600eb6..463374cba274d88c664b1e10d260ba418c56fcca 100644 (file)
@@ -1271,6 +1271,8 @@ uint32_t SCACSearch(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx,
                 uint32_t k;
                 for (k = 0; k < no_of_entries; k++) {
                     if (pids[k] & 0xFFFF0000) {
+                        if ((i + 1) < pid_pat_list[pids[k] & 0x0000FFFF].patlen)
+                            continue;
                         if (SCMemcmp(pid_pat_list[pids[k] & 0x0000FFFF].cs,
                                      buf + i - pid_pat_list[pids[k] & 0x0000FFFF].patlen + 1,
                                      pid_pat_list[pids[k] & 0x0000FFFF].patlen) != 0) {
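Review bot: The new guard before SCMemcmp skips the candidate silently, and going by the commit description the entry it tests may be the fuller pattern rather than the chopped one that was handed to the mpm. If that is the case, a buffer that holds the chopped pattern but is shorter than the fuller one yields no hit for this pattern id, so the out-of-bounds read becomes a possible missed match; it would be good to confirm that the pattern-id assignment is corrected elsewhere and that this check is only a safety net. A comment above the guard would record why it exists, for example `/* pattern must fit in buf[0..i]; a longer entry here means a shared pattern id (bug #970) */`. The identical guard in the second hunk needs the same comment, and SCACSearch's body starts and ends outside both hunks.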
@@ -1312,6 +1314,8 @@ uint32_t SCACSearch(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx,
                 uint32_t k;
                 for (k = 0; k < no_of_entries; k++) {
                     if (pids[k] & 0xFFFF0000) {
+                        if ((i + 1) < pid_pat_list[pids[k] & 0x0000FFFF].patlen)
+                            continue;
                         if (SCMemcmp(pid_pat_list[pids[k] & 0x0000FFFF].cs,
                                      buf + i - pid_pat_list[pids[k] & 0x0000FFFF].patlen + 1,
                                      pid_pat_list[pids[k] & 0x0000FFFF].patlen) != 0) {
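Review bot: `pid_pat_list[pids[k] & 0x0000FFFF]` is now spelled out four times in this branch, which makes it hard to see at a glance that the guard and the `buf + i - patlen + 1` arithmetic rely on the same length. Computing the index once, e.g. `uint32_t pid = pids[k] & 0x0000FFFF;` (assuming `pids` holds 32-bit ids, as the masks suggest), and using `pid_pat_list[pid].patlen` in both the guard and the SCMemcmp arguments would keep the bounds check and the pointer computation visibly in step. The declarations of `i` and `patlen` are outside the hunk; if `i` is a signed type, it is worth confirming that the comparison cannot be reached with a negative value. The same tidy-up applies to the first hunk.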