aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect: fix rule inspection order

Browse Source 
Fix rules from the 'match' list getting added to the tx candidates list
unsorted. In some cases this could lead to the same sid getting inspected
twice leading to a DEBUG_VALIDATION_BUG_ON trigger.

Bug: #5144.
pull/7308/head
Victor Julien 3 years ago
parent c40df43609
commit 4bb00964ac
1 changed files with 12 additions and 9 deletions
Show Stats Download Patch File Download Diff File

17
src/detect.c
Unescape Escape View File

@ -1320,6 +1320,7 @@ static void DetectRunTx(ThreadVars *tv,
}
tx_id_min = tx.tx_id + 1; // next look for cur + 1
bool do_sort = false; // do we need to sort the tx candidate list?
uint32_t array_idx = 0;
uint32_t total_rules = det_ctx->match_array_cnt;
total_rules += (tx.de_state ? tx.de_state->cnt : 0);
@ -1370,8 +1371,9 @@ static void DetectRunTx(ThreadVars *tv,
tx.tx_ptr, tx.tx_id, s->id, id);
}
}
SCLogDebug("%p/%"PRIu64" rules added from 'match' list: %u",
tx.tx_ptr, tx.tx_id, array_idx - x); (void)x;
do_sort = (array_idx > x); // sort if match added anything
SCLogDebug("%p/%" PRIu64 " rules added from 'match' list: %u", tx.tx_ptr, tx.tx_id,
array_idx - x);
/* merge stored state into results */
if (tx.de_state != NULL) {
@ -1411,14 +1413,15 @@ static void DetectRunTx(ThreadVars *tv,
array_idx++;
}
}
if (old && old != array_idx) {
do_sort |= (old && old != array_idx); // sort if continue list adds sids
SCLogDebug("%p/%" PRIu64 " rules added from 'continue' list: %u", tx.tx_ptr, tx.tx_id,
array_idx - old);
}
if (do_sort) {
qsort(det_ctx->tx_candidates, array_idx, sizeof(RuleMatchCandidateTx),
DetectRunTxSortHelper);
SCLogDebug("%p/%"PRIu64" rules added from 'continue' list: %u",
tx.tx_ptr, tx.tx_id, array_idx - old);
}
}
#ifdef PROFILING
if (array_idx >= de_ctx->profile_match_logging_threshold)
RulesDumpTxMatchArray(det_ctx, scratch->sgh, p, tx.tx_id, array_idx, x);

Write Preview
Loading…
Cancel
Save