From a18e2ef4022212c574dae3aca2df0e80502d792a Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Mon, 29 Sep 2014 10:00:06 -0600
Subject: [PATCH] Bug 1230: Check all SigMatch lists for a named byte_extract variable.
---
 src/detect-byte-extract.c | 32 ++++++++++++++++++++------------
 src/detect-byte-extract.h | 2 +-
 src/detect-bytejump.c | 2 +-
 src/detect-bytetest.c | 4 ++--
 src/detect-depth.c | 2 +-
 src/detect-distance.c | 2 +-
 src/detect-isdataat.c | 2 +-
 src/detect-offset.c | 2 +-
 src/detect-within.c | 14 +-------------
 9 files changed, 29 insertions(+), 33 deletions(-)
diff --git a/src/detect-byte-extract.c b/src/detect-byte-extract.c
index 8d0c1bffac..8dda193aa0 100644
--- a/src/detect-byte-extract.c
+++ b/src/detect-byte-extract.c
@@ -770,22 +770,30 @@ void DetectByteExtractFree(void *ptr)
 return;
 }
-SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, Signature *s, int list)
+/**
+ * \brief Lookup the SigMatch for a named byte_extract variable.
+ *
+ * \param arg The name of the byte_extract variable to lookup.
+ * \param s Pointer the signature to look in.
+ *
+ * \retval A pointer to the SigMatch if found, otherwise NULL.
+ */
+SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, Signature *s)
 {
- if (list == -1)
- return NULL;
-
 DetectByteExtractData *bed = NULL;
- SigMatch *sm = s->sm_lists[list];
-
- while (sm != NULL) {
- if (sm->type == DETECT_BYTE_EXTRACT) {
- bed = (DetectByteExtractData *)sm->ctx;
- if (strcmp(bed->name, arg) == 0) {
- return sm;
+ int list;
+
+ for (list = 0; list < DETECT_SM_LIST_MAX; list++) {
+ SigMatch *sm = s->sm_lists[list];
+ while (sm != NULL) {
+ if (sm->type == DETECT_BYTE_EXTRACT) {
+ bed = (DetectByteExtractData *)sm->ctx;
+ if (strcmp(bed->name, arg) == 0) {
+ return sm;
+ }
 }
+ sm = sm->next;
 }
- sm = sm->next;
 }
 return NULL;
diff --git a/src/detect-byte-extract.h b/src/detect-byte-extract.h
index eb889d7384..020494da0e 100644
--- a/src/detect-byte-extract.h
+++ b/src/detect-byte-extract.h
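Review bot: In `DetectByteExtractRetrieveSMVar` (src/detect-byte-extract.c) the new loop returns the first name match in list-index order, so if two byte_extract keywords in different `sm_lists` entries share a name, the one in the lower-numbered list wins regardless of which buffer the referencing keyword inspects. Whether names are forced to be unique within a signature is not visible in this hunk; if they are not, a rule can load cleanly and bind to the wrong variable, which would show up as a missed detection rather than a load error. I would state the contract in the new comment, e.g. ` * \note Lists are searched from 0 to DETECT_SM_LIST_MAX - 1 and the first match is returned; names are assumed unique within a signature.`, and correct `Pointer the signature` to `Pointer to the signature`. The function's closing brace lies outside the hunk.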
@@ -64,7 +64,7 @@ int DetectByteExtractSetup(DetectEngineCtx *, Signature *, char *);
 void DetectByteExtractFree(void *);
 int DetectByteExtractMatch(ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
-SigMatch *DetectByteExtractRetrieveSMVar(const char *, Signature *, int);
+SigMatch *DetectByteExtractRetrieveSMVar(const char *, Signature *);
 int DetectByteExtractDoMatch(DetectEngineThreadCtx *, SigMatch *, Signature *, uint8_t *, uint16_t, uint64_t *, uint8_t);
diff --git a/src/detect-bytejump.c b/src/detect-bytejump.c
index f138f74ad0..0542af6675 100644
--- a/src/detect-bytejump.c
+++ b/src/detect-bytejump.c
@@ -698,7 +698,7 @@ int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
 }
 if (offset != NULL) {
- SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(offset, s, sm_list);
+ SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(offset, s);
 if (bed_sm == NULL) {
 SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
 "seen in byte_jump - %s\n", offset);
diff --git a/src/detect-bytetest.c b/src/detect-bytetest.c
index 718a84788e..47ede78f9c 100644
--- a/src/detect-bytetest.c
+++ b/src/detect-bytetest.c
@@ -623,7 +623,7 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
 }
 if (value != NULL) {
- SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(value, s, sm_list);
+ SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(value, s);
 if (bed_sm == NULL) {
 SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
 "seen in byte_test - %s\n", value);
@@ -635,7 +635,7 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr)
 }
 if (offset != NULL) {
- SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(offset, s, sm_list);
+ SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(offset, s);
 if (bed_sm == NULL) {
 SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
 "seen in byte_test - %s\n", offset);
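Review bot: The call in `DetectBytejumpSetup` no longer restricts the lookup to `sm_list`, and nothing visible after it checks which list the returned `bed_sm` belongs to. A keyword can therefore bind to a byte_extract variable taken from a different buffer; whether that variable has been populated by the time this keyword is evaluated depends on inspection order, which these hunks do not show, and an unset value would presumably become a silent non-match. Since the lists can legitimately differ at setup time when a buffer modifier follows later in the rule, a debug trace is probably the right strength here, e.g. `if (SigMatchListSMBelongsTo(s, bed_sm) != sm_list) SCLogDebug("byte_extract var %s found in another list", offset);`. The same applies to the call sites in detect-bytetest.c, detect-depth.c, detect-distance.c, detect-isdataat.c, detect-offset.c and detect-within.c; the enclosing functions continue outside the hunks.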
diff --git a/src/detect-depth.c b/src/detect-depth.c
index 53adf46063..4aa33dee12 100644
--- a/src/detect-depth.c
+++ b/src/detect-depth.c
@@ -127,7 +127,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
 goto end;
 }
 if (str[0] != '-' && isalpha((unsigned char)str[0])) {
- SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s, SigMatchListSMBelongsTo(s, pm));
+ SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s);
 if (bed_sm == NULL) {
 SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var "
 "seen in depth - %s\n", str);
diff --git a/src/detect-distance.c b/src/detect-distance.c
index 2877deead8..14af5c27ee 100644
--- a/src/detect-distance.c
+++ b/src/detect-distance.c
@@ -133,7 +133,7 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
 goto end;
 }
 if (str[0] != '-' && isalpha((unsigned char)str[0])) {
- SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s, SigMatchListSMBelongsTo(s, pm));
+ SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s);
 if (bed_sm == NULL) {
 SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var "
 "seen in distance - %s\n", str);
diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c
index 9c515c145d..e8e11df1c1 100644
--- a/src/detect-isdataat.c
+++ b/src/detect-isdataat.c
@@ -375,7 +375,7 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
 }
 if (offset != NULL) {
- SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(offset, s, sm_list);
+ SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(offset, s);
 if (bed_sm == NULL) {
 SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
 "seen in isdataat - %s\n", offset);
diff --git a/src/detect-offset.c b/src/detect-offset.c
index 5786ac3f2f..6797267d05 100644
--- a/src/detect-offset.c
+++ b/src/detect-offset.c
@@ -127,7 +127,7 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
 }
 if (str[0] != '-' && isalpha((unsigned char)str[0])) {
 SigMatch *bed_sm =
- DetectByteExtractRetrieveSMVar(str, s, SigMatchListSMBelongsTo(s, pm));
+ DetectByteExtractRetrieveSMVar(str, s);
 if (bed_sm == NULL) {
 SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var "
 "seen in offset - %s\n", str);
diff --git a/src/detect-within.c b/src/detect-within.c
index cdea61142f..0aefdffc81 100644
--- a/src/detect-within.c
+++ b/src/detect-within.c
@@ -138,7 +138,7 @@ static int DetectWithinSetup(DetectEngineCtx *de_ctx, Signature *s, char *within
 goto end;
 }
 if (str[0] != '-' && isalpha((unsigned char)str[0])) {
- SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s, SigMatchListSMBelongsTo(s, pm));
+ SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s);
 if (bed_sm == NULL) {
 SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var "
 "seen in within - %s\n", str);
@@ -251,7 +251,6 @@ static int DetectWithinTestVarSetup(void)
 {
 DetectEngineCtx *de_ctx = NULL;
 int result = 0;
-#if 1 /* FAILs */
 char sig[] = "alert tcp any any -> any any ( "
 "msg:\"test rule\"; "
 "content:\"abc\"; "
@@ -261,17 +260,6 @@ static int DetectWithinTestVarSetup(void)
 "within:somevar; "
 "http_client_body; "
 "sid:4; rev:1;)";
-#else /* WORKs */
- char sig[] = "alert tcp any any -> any any ( "
- "msg:\"test rule\"; "
- "content:\"abc\"; "
- "http_client_body; "
- "byte_extract:2,0,somevar,relative; "
- "content:\"def\"; "
- "http_client_body; "
- "within:somevar; "
- "sid:4; rev:1;)";
-#endif
 de_ctx = DetectEngineCtxInit();
 if (de_ctx == NULL) {
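Review bot: Deleting the `#else /* WORKs */` signature in `DetectWithinTestVarSetup` leaves only the previously failing keyword ordering under test, so the ordering that already worked (`http_client_body` placed directly after each `content`) loses the only coverage visible here. I would keep the removed `sig[]` text as a second test function next to this one, so a later change to the lookup cannot break the common form unnoticed. From the visible lines the test appears to exercise rule setup only; a case that checks the extracted value is actually applied at match time would cover the cross-list binding this commit introduces. The function body continues outside the hunk.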