Project

General

Profile

Download (12.1 KB)

Bug #207 » 0001-Fix-for-bug-207-depth-offset-not-correctly-updated-o.patch

We were not handling correctly the combination of depth/offset on certain cases. The attached patch fix this issue. - Pablo Rincon, 07/21/2010 01:32 PM

View differences:

src/detect-content.c
data->flags & DETECT_CONTENT_WITHIN ||
!(data->flags & DETECT_CONTENT_DISTANCE) ||
data->flags & DETECT_CONTENT_FAST_PATTERN ||
data->flags & DETECT_CONTENT_NEGATED ) {
data->flags & DETECT_CONTENT_NEGATED ||
result == 0) {
result = 0;
goto end;
}
......
!(data->flags & DETECT_CONTENT_WITHIN) ||
data->flags & DETECT_CONTENT_DISTANCE ||
data->flags & DETECT_CONTENT_FAST_PATTERN ||
data->flags & DETECT_CONTENT_NEGATED ) {
data->flags & DETECT_CONTENT_NEGATED ||
result == 0) {
result = 0;
goto end;
}
......
!(data->flags & DETECT_CONTENT_WITHIN) ||
data->flags & DETECT_CONTENT_DISTANCE ||
data->flags & DETECT_CONTENT_FAST_PATTERN ||
data->flags & DETECT_CONTENT_NEGATED ) {
data->flags & DETECT_CONTENT_NEGATED ||
result == 0) {
result = 0;
goto end;
}
result &= (data->within == 10 && data->offset == 10 && data->depth == 13);
result &= (data->within == 10 && data->offset == 10 && data->depth == 23);
data = (DetectContentData *)s->dmatch->ctx;
if (data->flags & DETECT_CONTENT_RAWBYTES ||
data->flags & DETECT_CONTENT_NOCASE ||
data->flags & DETECT_CONTENT_WITHIN ||
!(data->flags & DETECT_CONTENT_DISTANCE) ||
data->flags & DETECT_CONTENT_FAST_PATTERN ||
data->flags & DETECT_CONTENT_NEGATED ) {
data->flags & DETECT_CONTENT_NEGATED ||
result == 0) {
result = 0;
goto end;
}
result &= (data->offset == 5 && data->depth == 9);
result &= (data->offset == 5 && data->depth == 14);
s->next = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
......
data->flags & DETECT_CONTENT_WITHIN ||
!(data->flags & DETECT_CONTENT_DISTANCE) ||
data->flags & DETECT_CONTENT_FAST_PATTERN ||
data->flags & DETECT_CONTENT_NEGATED ) {
data->flags & DETECT_CONTENT_NEGATED ||
result == 0) {
result = 0;
goto end;
}
......
!(data->flags & DETECT_CONTENT_WITHIN) ||
!(data->flags & DETECT_CONTENT_DISTANCE) ||
data->flags & DETECT_CONTENT_FAST_PATTERN ||
data->flags & DETECT_CONTENT_NEGATED ) {
data->flags & DETECT_CONTENT_NEGATED ||
result == 0) {
result = 0;
goto end;
}
......
data->flags & DETECT_CONTENT_WITHIN ||
!(data->flags & DETECT_CONTENT_DISTANCE) ||
data->flags & DETECT_CONTENT_FAST_PATTERN ||
data->flags & DETECT_CONTENT_NEGATED ) {
data->flags & DETECT_CONTENT_NEGATED ||
result == 0) {
result = 0;
goto end;
}
......
data->flags & DETECT_CONTENT_WITHIN ||
!(data->flags & DETECT_CONTENT_DISTANCE) ||
data->flags & DETECT_CONTENT_FAST_PATTERN ||
data->flags & DETECT_CONTENT_NEGATED ) {
data->flags & DETECT_CONTENT_NEGATED ||
result == 0) {
result = 0;
goto end;
}
......
data->flags & DETECT_CONTENT_WITHIN ||
!(data->flags & DETECT_CONTENT_DISTANCE) ||
data->flags & DETECT_CONTENT_FAST_PATTERN ||
data->flags & DETECT_CONTENT_NEGATED ) {
data->flags & DETECT_CONTENT_NEGATED ||
result == 0) {
result = 0;
goto end;
}
src/detect-depth.c
return -1;
}
ud->depth = (uint32_t)atoi(str);
if (ud->uricontent_len + ud->offset > ud->depth) {
uint32_t depth = (ud->depth > ud->uricontent_len) ?
ud->depth : ud->uricontent_len;
ud->depth = ud->offset + depth;
SCLogDebug("depth increased to %"PRIu32" to match pattern len "
"and offset", ud->depth);
if (ud->depth < ud->uricontent_len) {
ud->depth = ud->uricontent_len;
SCLogDebug("depth increased to %"PRIu32" to match pattern len ",
ud->depth);
}
/* Now update the real limit, as depth is relative to the offset */
ud->depth += ud->offset;
}
break;
......
return -1;
}
cd->depth = (uint32_t)atoi(str);
if (cd->content_len + cd->offset > cd->depth) {
uint32_t depth = (cd->depth > cd->content_len) ?
cd->depth : cd->content_len;
cd->depth = cd->offset + depth;
SCLogDebug("depth increased to %"PRIu32" to match pattern len "
"and offset", cd->depth);
if (cd->depth < cd->content_len) {
cd->depth = cd->content_len;
SCLogDebug("depth increased to %"PRIu32" to match pattern len ",
cd->depth);
}
/* Now update the real limit, as depth is relative to the offset */
cd->depth += cd->offset;
}
break;
src/detect-offset.c
return -1;
}
ud->offset = (uint32_t)atoi(str);
if (ud->depth != 0 && (ud->uricontent_len + ud->offset) > ud->depth) {
if (ud->depth > ud->uricontent_len) {
SCLogDebug("depth increased to %"PRIu32" to match pattern len"
" and offset", ud->depth + ud->offset);
ud->depth += ud->offset;
} else {
SCLogDebug("depth increased to %"PRIu32" to match pattern len"
" and offset", ud->uricontent_len + ud->offset);
ud->depth = ud->uricontent_len + ud->offset;
if (ud->depth != 0) {
if (ud->depth < ud->uricontent_len) {
SCLogDebug("depth increased to %"PRIu32" to match pattern len",
ud->uricontent_len);
ud->depth = ud->uricontent_len;
}
/* Updating the depth as is relative to the offset */
ud->depth += ud->offset;
}
break;
......
return -1;
}
cd->offset = (uint32_t)atoi(str);
if (cd->depth != 0 && (cd->content_len + cd->offset) > cd->depth) {
if (cd->depth > cd->content_len) {
SCLogDebug("depth increased to %"PRIu32" to match pattern len"
" and offset", cd->depth + cd->offset);
cd->depth += cd->offset;
} else {
SCLogDebug("depth increased to %"PRIu32" to match pattern len"
" and offset", cd->content_len + cd->offset);
cd->depth = cd->content_len + cd->offset;
if (cd->depth != 0) {
if (cd->depth < cd->content_len) {
SCLogDebug("depth increased to %"PRIu32" to match pattern len",
cd->content_len);
cd->depth = cd->content_len;
}
/* Updating the depth as is relative to the offset */
cd->depth += cd->offset;
}
break;
src/detect-uricontent.c
if (s == NULL ||
s->umatch == NULL ||
s->pmatch == NULL ||
((DetectContentData *)s->pmatch->ctx)->depth != 10 ||
((DetectContentData *)s->pmatch->ctx)->depth != 15 ||
((DetectContentData *)s->pmatch->ctx)->offset != 5 ||
s->match != NULL)
{
......
if (s == NULL ||
s->umatch == NULL ||
s->pmatch == NULL ||
((DetectUricontentData *)s->umatch->ctx)->depth != 10 ||
((DetectUricontentData *)s->umatch->ctx)->depth != 15 ||
((DetectUricontentData *)s->umatch->ctx)->offset != 5 ||
s->match != NULL)
{
......
goto end;
} else if (s->umatch == NULL ||
s->pmatch == NULL ||
((DetectContentData*) s->pmatch->ctx)->depth != 10 ||
((DetectContentData*) s->pmatch->ctx)->depth != 15 ||
((DetectContentData*) s->pmatch->ctx)->offset != 5 ||
((DetectContentData*) s->pmatch_tail->ctx)->within != 30 ||
s->match != NULL)
......
goto end;
} else if (s->umatch == NULL ||
s->pmatch == NULL ||
((DetectContentData*) s->pmatch->ctx)->depth != 10 ||
((DetectContentData*) s->pmatch->ctx)->depth != 15 ||
((DetectContentData*) s->pmatch->ctx)->offset != 5 ||
((DetectUricontentData*) s->umatch_tail->ctx)->within != 30 ||
s->match != NULL)
......
} else if (
s->umatch == NULL ||
s->pmatch == NULL ||
((DetectContentData*) s->pmatch->ctx)->depth != 10 ||
((DetectContentData*) s->pmatch->ctx)->depth != 15 ||
((DetectContentData*) s->pmatch->ctx)->offset != 5 ||
((DetectContentData*) s->pmatch_tail->ctx)->distance != 30 ||
s->match != NULL)
......
} else if (
s->umatch == NULL ||
s->pmatch == NULL ||
((DetectContentData*) s->pmatch->ctx)->depth != 10 ||
((DetectContentData*) s->pmatch->ctx)->depth != 15 ||
((DetectContentData*) s->pmatch->ctx)->offset != 5 ||
((DetectContentData*) s->umatch_tail->ctx)->distance != 30 ||
s->match != NULL)
......
goto end;
}
if ( ((DetectContentData*) s->pmatch->ctx)->depth != 10 ||
if ( ((DetectContentData*) s->pmatch->ctx)->depth != 15 ||
((DetectContentData*) s->pmatch->ctx)->offset != 5 ||
((DetectUricontentData*) s->umatch_tail->ctx)->distance != 30 ||
((DetectUricontentData*) s->umatch_tail->ctx)->within != 60 ||
(3-3/3)