*
* \retval A pointer to the SigMatch if found, otherwise NULL.
*/
-SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
+SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, int sm_list, const Signature *s)
{
for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
SigMatch *sm = s->init_data->buffers[x].head;
for (int list = 0; list < DETECT_SM_LIST_MAX; list++) {
SigMatch *sm = s->init_data->smlists[list];
while (sm != NULL) {
- if (sm->type == DETECT_BYTE_EXTRACT) {
+ // Make sure that the linked buffers ore on the same list
+ if (sm->type == DETECT_BYTE_EXTRACT && (sm_list == -1 || sm_list == list)) {
const SCDetectByteExtractData *bed = (const SCDetectByteExtractData *)sm->ctx;
if (strcmp(bed->name, arg) == 0) {
return sm;
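Review bot: The new `sm_list` condition is applied only inside the `smlists[list]` loop of DetectByteExtractRetrieveSMVar, while the `init_data->buffers[x]` loop at the top of the function shows no changed line in this diff. A variable declared in one of those buffers may therefore still resolve for a keyword on a different buffer; that loop's body is outside the visible hunks, so please confirm. If the same restriction is intended there, the check would have to compare against that buffer's own list id rather than `list`. The added comment has a typo ("ore") and could state the sentinel, e.g. `// Only accept variables on the caller's list; sm_list == -1 accepts any list`. The same points apply to the matching hunk in DetectByteMathRetrieveSMVar.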
void DetectByteExtractRegister(void);
-SigMatch *DetectByteExtractRetrieveSMVar(const char *, const Signature *);
+SigMatch *DetectByteExtractRetrieveSMVar(const char *, int sm_list, const Signature *);
int DetectByteExtractDoMatch(DetectEngineThreadCtx *, const SigMatchData *, const Signature *,
const uint8_t *, uint32_t, uint64_t *, uint8_t);
*
* \param arg The name of the variable being sought
* \param s The signature to check for the variable
+ * \param sm_list The caller's matching buffer
* \param index When found, the value of the slot within the byte vars
*
* \retval true A match for the variable was found.
* \retval false
*/
-bool DetectByteRetrieveSMVar(const char *arg, const Signature *s, DetectByteIndexType *index)
+bool DetectByteRetrieveSMVar(
+ const char *arg, const Signature *s, int sm_list, DetectByteIndexType *index)
{
- SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(arg, s);
+ SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(arg, sm_list, s);
if (bed_sm != NULL) {
*index = ((SCDetectByteExtractData *)bed_sm->ctx)->local_id;
return true;
}
- SigMatch *bmd_sm = DetectByteMathRetrieveSMVar(arg, s);
+ SigMatch *bmd_sm = DetectByteMathRetrieveSMVar(arg, sm_list, s);
if (bmd_sm != NULL) {
*index = ((DetectByteMathData *)bmd_sm->ctx)->local_id;
return true;
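Review bot: The added `\param sm_list` line does not say that `-1` disables the list check, which several callers in this commit rely on; suggest `\param sm_list The list id of the keyword using the variable, or -1 to search every list`. A named constant for the sentinel (for example a new `#define DETECT_BYTE_ANY_SM_LIST -1`; the name is only a suggestion) would read better at the call sites than a bare literal. The parameter order also differs between layers, `(arg, s, sm_list, index)` here versus `(arg, sm_list, s)` in the two helpers this function calls, and aligning them would make the API easier to follow. The function body continues past the end of this hunk.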
typedef uint8_t DetectByteIndexType;
-bool DetectByteRetrieveSMVar(const char *, const Signature *, DetectByteIndexType *);
+bool DetectByteRetrieveSMVar(const char *, const Signature *, int sm_list, DetectByteIndexType *);
#endif /* SURICATA_DETECT_BYTE_H */
if (nbytes != NULL) {
DetectByteIndexType index;
- if (!DetectByteRetrieveSMVar(nbytes, s, &index)) {
+ if (!DetectByteRetrieveSMVar(nbytes, s, sm_list, &index)) {
SCLogError("Unknown byte_extract var "
"seen in byte_jump - %s",
nbytes);
if (offset != NULL) {
DetectByteIndexType index;
- if (!DetectByteRetrieveSMVar(offset, s, &index)) {
+ if (!DetectByteRetrieveSMVar(offset, s, sm_list, &index)) {
SCLogError("Unknown byte_extract var "
"seen in byte_jump - %s",
offset);
if (nbytes != NULL) {
DetectByteIndexType index;
- if (!DetectByteRetrieveSMVar(nbytes, s, &index)) {
+ if (!DetectByteRetrieveSMVar(nbytes, s, sm_list, &index)) {
SCLogError("unknown byte_ keyword var seen in byte_math - %s", nbytes);
goto error;
}
if (rvalue != NULL) {
DetectByteIndexType index;
- if (!DetectByteRetrieveSMVar(rvalue, s, &index)) {
+ if (!DetectByteRetrieveSMVar(rvalue, s, sm_list, &index)) {
SCLogError("unknown byte_ keyword var seen in byte_math - %s", rvalue);
goto error;
}
*
* \retval A pointer to the SigMatch if found, otherwise NULL.
*/
-SigMatch *DetectByteMathRetrieveSMVar(const char *arg, const Signature *s)
+SigMatch *DetectByteMathRetrieveSMVar(const char *arg, int sm_list, const Signature *s)
{
for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
SigMatch *sm = s->init_data->buffers[x].head;
for (int list = 0; list < DETECT_SM_LIST_MAX; list++) {
SigMatch *sm = s->init_data->smlists[list];
while (sm != NULL) {
- if (sm->type == DETECT_BYTEMATH) {
+ // Make sure that the linked buffers ore on the same list
+ if (sm->type == DETECT_BYTEMATH && (sm_list == -1 || sm_list == list)) {
const DetectByteMathData *bmd = (const DetectByteMathData *)sm->ctx;
if (strcmp(bmd->result, arg) == 0) {
SCLogDebug("Retrieved SM for \"%s\"", arg);
void DetectBytemathRegister(void);
-SigMatch *DetectByteMathRetrieveSMVar(const char *, const Signature *);
+SigMatch *DetectByteMathRetrieveSMVar(const char *, int sm_list, const Signature *);
int DetectByteMathDoMatch(DetectEngineThreadCtx *, const DetectByteMathData *, const Signature *,
const uint8_t *, const uint32_t, uint8_t, uint64_t, uint64_t *, uint8_t);
if (value != NULL) {
DetectByteIndexType index;
- if (!DetectByteRetrieveSMVar(value, s, &index)) {
+ if (!DetectByteRetrieveSMVar(value, s, sm_list, &index)) {
SCLogError("Unknown byte_extract var "
"seen in byte_test - %s",
value);
if (offset != NULL) {
DetectByteIndexType index;
- if (!DetectByteRetrieveSMVar(offset, s, &index)) {
+ if (!DetectByteRetrieveSMVar(offset, s, sm_list, &index)) {
SCLogError("Unknown byte_extract var "
"seen in byte_test - %s",
offset);
if (nbytes != NULL) {
DetectByteIndexType index;
- if (!DetectByteRetrieveSMVar(nbytes, s, &index)) {
+ if (!DetectByteRetrieveSMVar(nbytes, s, sm_list, &index)) {
SCLogError("Unknown byte_extract var "
"seen in byte_test - %s",
nbytes);
}
if (str[0] != '-' && isalpha((unsigned char)str[0])) {
DetectByteIndexType index;
- if (!DetectByteRetrieveSMVar(str, s, &index)) {
+ if (!DetectByteRetrieveSMVar(str, s, -1, &index)) {
SCLogError("unknown byte_ keyword var "
"seen in depth - %s.",
str);
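Review bot: Passing `-1` here leaves the depth lookup unrestricted, so the same-list check introduced by this commit does not cover it; the same literal is used at the distance, isdataat, offset, within and Lua call sites further down. If the list id of the keyword being parsed is available at these call sites (not visible in the hunks), passing it would make the behaviour uniform with byte_jump, byte_math and byte_test. If the lookup is deliberately unrestricted, a short comment such as `/* -1: variable may come from any list */` at each site would record that decision for rule writers and reviewers.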
}
if (str[0] != '-' && isalpha((unsigned char)str[0])) {
DetectByteIndexType index;
- if (!DetectByteRetrieveSMVar(str, s, &index)) {
+ if (!DetectByteRetrieveSMVar(str, s, -1, &index)) {
SCLogError("unknown byte_ keyword var "
"seen in distance - %s",
str);
if (bjflags & DETECT_BYTEJUMP_OFFSET_VAR) {
offset = det_ctx->byte_values[offset];
+ SCLogDebug("[BJ] using offset value %d", offset);
}
if (bjflags & DETECT_BYTEJUMP_NBYTES_VAR) {
nbytes = det_ctx->byte_values[bjd->nbytes];
+ SCLogDebug("[BJ] using nbytes value %d [index %d]", nbytes, bjd->nbytes);
} else {
nbytes = bjd->nbytes;
+ SCLogDebug("[BJ] using nbytes value %d [index n/a]", nbytes);
}
/* if we have dce enabled we will have to use the endianness
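Review bot: The `[BJ]` debug line for the offset runs after `offset` has been overwritten by `det_ctx->byte_values[offset]`, so unlike the nbytes message it cannot report which slot was read. Logging the index before the assignment, e.g. `SCLogDebug("[BJ] using offset index %d", offset);`, would make the two messages consistent. All three calls use `%d`, and the declarations of `offset`, `nbytes` and `bjd->nbytes` are outside the hunk, so check that the specifier matches each type. If SCLogDebug is compiled out of release builds, a mismatch would only show up in a debug build.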
if (offset != NULL) {
DetectByteIndexType index;
- if (!DetectByteRetrieveSMVar(offset, s, &index)) {
+ if (!DetectByteRetrieveSMVar(offset, s, -1, &index)) {
SCLogError("Unknown byte_extract var "
"seen in isdataat - %s\n",
offset);
}
if (str[0] != '-' && isalpha((unsigned char)str[0])) {
DetectByteIndexType index;
- if (!DetectByteRetrieveSMVar(str, s, &index)) {
+ if (!DetectByteRetrieveSMVar(str, s, -1, &index)) {
SCLogError("unknown byte_ keyword var "
"seen in offset - %s.",
str);
}
if (str[0] != '-' && isalpha((unsigned char)str[0])) {
DetectByteIndexType index;
- if (!DetectByteRetrieveSMVar(str, s, &index)) {
+ if (!DetectByteRetrieveSMVar(str, s, -1, &index)) {
SCLogError("unknown byte_ keyword var "
"seen in within - %s",
str);
}
DetectByteIndexType idx;
- if (!DetectByteRetrieveSMVar(name, s, &idx)) {
+ if (!DetectByteRetrieveSMVar(name, s, -1, &idx)) {
luaL_error(L, "unknown byte_extract or byte_math variable: %s", name);
}