Bug #8031
Different semantics between absolute and relative isdataat
Status: open
Description
There seems to be an off-by-one error in isdataat's implementation. Below is the code that handles isdataat in detect-engine-content-inspection.c. Consider the following two scenarios:
1. isdataat is used absolutely with a value equal to the packet length. In that case, dataat < buffer_len would be false, thus it would not be a match.
2. isdataat is used relatively with a value equal to the packet length and the current offset is 0. In that case, det_ctx->buffer_offset + dataat > buffer_len is false, which results in a match.
However, I'd expect a relative isdataat from offset 0 to behave the same as an absolute isdataat.
    if (id->flags & ISDATAAT_RELATIVE) {
        if (det_ctx->buffer_offset + dataat > buffer_len) {
            SCLogDebug("det_ctx->buffer_offset + dataat %"PRIu32" > %"PRIu32, det_ctx->buffer_offset + dataat, buffer_len);
            if (id->flags & ISDATAAT_NEGATED)
                goto match;
            if ((id->flags & ISDATAAT_OFFSET_VAR) == 0) {
                goto no_match_discontinue;
            }
            goto no_match;
        } else {
            SCLogDebug("relative isdataat match");
            if (id->flags & ISDATAAT_NEGATED) {
                goto no_match;
            }
            goto match;
        }
    } else {
        if (dataat < buffer_len) {
            SCLogDebug("absolute isdataat match");
            if (id->flags & ISDATAAT_NEGATED) {
                if ((id->flags & ISDATAAT_OFFSET_VAR) == 0) {
                    goto no_match_discontinue;
                }
                goto no_match;
            }
            goto match;
        } else {
            SCLogDebug("absolute isdataat mismatch, id->isdataat %"PRIu32", buffer_len %"PRIu32"", dataat, buffer_len);
            if (id->flags & ISDATAAT_NEGATED)
                goto match;
            if ((id->flags & ISDATAAT_OFFSET_VAR) == 0) {
                goto no_match_discontinue;
            }
            goto no_match;
        }
    }
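The two comparisons from the snippet above, reduced to standalone functions so the boundary case can be checked directly. This is an added illustration, not Suricata code: the NEGATED and OFFSET_VAR flags are left out because they only flip or relabel the outcome, and `isdataat_relative_strict` is a hypothetical variant that applies the reporter's expectation (same strict comparison as the absolute branch), not an actual fix from the project.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of an isdataat check with NEGATED/OFFSET_VAR handling stripped. */
typedef enum { ISDATAAT_NO_MATCH = 0, ISDATAAT_MATCH = 1 } IsDataAtResult;

/* Absolute branch from the report: matches only if byte index dataat exists. */
IsDataAtResult isdataat_absolute(uint32_t dataat, uint32_t buffer_len)
{
    return (dataat < buffer_len) ? ISDATAAT_MATCH : ISDATAAT_NO_MATCH;
}

/* Relative branch from the report: no match only when offset + dataat runs
 * past the end, so offset + dataat == buffer_len still counts as a match. */
IsDataAtResult isdataat_relative(uint32_t buffer_offset, uint32_t dataat,
                                 uint32_t buffer_len)
{
    return (buffer_offset + dataat > buffer_len) ? ISDATAAT_NO_MATCH
                                                 : ISDATAAT_MATCH;
}

/* Hypothetical: relative check using the absolute branch's strict comparison,
 * i.e. the semantics the reporter expects. Not a Suricata change. */
IsDataAtResult isdataat_relative_strict(uint32_t buffer_offset, uint32_t dataat,
                                        uint32_t buffer_len)
{
    return (buffer_offset + dataat < buffer_len) ? ISDATAAT_MATCH
                                                 : ISDATAAT_NO_MATCH;
}

/* True when absolute and relative-from-offset-0 disagree for this value. */
bool isdataat_semantics_differ(uint32_t dataat, uint32_t buffer_len)
{
    return isdataat_absolute(dataat, buffer_len) !=
           isdataat_relative(0, dataat, buffer_len);
}

int main(void)
{
    const uint32_t buffer_len = 10; /* constructed sample packet length */
    for (uint32_t dataat = 8; dataat <= 11; dataat++) {
        printf("isdataat:%u on %u bytes -> absolute=%d relative(0)=%d\n",
               dataat, buffer_len, isdataat_absolute(dataat, buffer_len),
               isdataat_relative(0, dataat, buffer_len));
    }
    return 0;
}
```

Only the value equal to the buffer length disagrees; below it both match and above it both fail.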