From 68ddea0b26dd018a847c8be80d00c1998051946d Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Sat, 21 Oct 2017 10:00:47 +0200
Subject: [PATCH] detect: implement byte_extract support for isdataat

---
 src/detect-engine-content-inspection.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c
index 7c69c236e1..d6e355b2e3 100644
--- a/src/detect-engine-content-inspection.c
+++ b/src/detect-engine-content-inspection.c
@@ -362,10 +362,16 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
         } else if (smd->type == DETECT_ISDATAAT) {
             SCLogDebug("inspecting isdataat");
 
-            DetectIsdataatData *id = (DetectIsdataatData *)smd->ctx;
+            const DetectIsdataatData *id = (DetectIsdataatData *)smd->ctx;
+            uint32_t dataat = id->dataat;
+            if (id->flags & ISDATAAT_OFFSET_BE) {
+                dataat = det_ctx->bj_values[dataat];
+                SCLogDebug("isdataat: using value %u from byte_extract local_id %u", dataat, id->dataat);
+            }
+
             if (id->flags & ISDATAAT_RELATIVE) {
-                if (det_ctx->buffer_offset + id->dataat > buffer_len) {
-                    SCLogDebug("det_ctx->buffer_offset + id->dataat %"PRIu32" > %"PRIu32, det_ctx->buffer_offset + id->dataat, buffer_len);
+                if (det_ctx->buffer_offset + dataat > buffer_len) {
+                    SCLogDebug("det_ctx->buffer_offset + dataat %"PRIu32" > %"PRIu32, det_ctx->buffer_offset + dataat, buffer_len);
                     if (id->flags & ISDATAAT_NEGATED)
                         goto match;
                     goto no_match;
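Review bot: The relative branch's guard `det_ctx->buffer_offset + dataat > buffer_len` can wrap now that `dataat` may be taken from `bj_values`, i.e. from bytes extracted out of the inspected data itself, so a large extracted value turns the 32-bit sum into a small one and the check passes although the offset lies far past the buffer; a wrap-free form is `if (dataat > buffer_len || det_ctx->buffer_offset > buffer_len - dataat) {`, with the debug message adjusted to match. The new `SCLogDebug` prints two `uint32_t` values with `%u` while the neighbouring messages use `PRIu32`; keep the format consistent. Whether `id->dataat` is guaranteed to be a valid index into `bj_values` when `ISDATAAT_OFFSET_BE` is set is not visible in this hunk and is presumably enforced when byte_extract local ids are assigned at signature parse time; if so, a one-line comment such as `/* local_id is validated against the byte_extract count at parse time */` above the lookup would save the next reader the check. The enclosing function DetectEngineContentInspection starts before the hunk and continues after it.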
@@ -376,13 +382,13 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
                     goto match;
                 }
             } else {
-                if (id->dataat < buffer_len) {
+                if (dataat < buffer_len) {
                     SCLogDebug("absolute isdataat match");
                     if (id->flags & ISDATAAT_NEGATED)
                         goto no_match;
                     goto match;
                 } else {
-                    SCLogDebug("absolute isdataat mismatch, id->isdataat %"PRIu32", buffer_len %"PRIu32"", id->dataat, buffer_len);
+                    SCLogDebug("absolute isdataat mismatch, id->isdataat %"PRIu32", buffer_len %"PRIu32"", dataat, buffer_len);
                     if (id->flags & ISDATAAT_NEGATED)
                         goto match;
                     goto no_match;