|
|
@ -100,7 +100,6 @@ int DetectBytejumpDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s,
|
|
|
|
|
|
|
|
|
|
|
|
const DetectBytejumpData *data = (const DetectBytejumpData *)ctx;
|
|
|
|
const DetectBytejumpData *data = (const DetectBytejumpData *)ctx;
|
|
|
|
const uint8_t *ptr = NULL;
|
|
|
|
const uint8_t *ptr = NULL;
|
|
|
|
const uint8_t *jumpptr = NULL;
|
|
|
|
|
|
|
|
int32_t len = 0;
|
|
|
|
int32_t len = 0;
|
|
|
|
uint64_t val = 0;
|
|
|
|
uint64_t val = 0;
|
|
|
|
int extbytes;
|
|
|
|
int extbytes;
|
|
|
@ -170,38 +169,35 @@ int DetectBytejumpDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s,
|
|
|
|
|
|
|
|
|
|
|
|
/* Calculate the jump location */
|
|
|
|
/* Calculate the jump location */
|
|
|
|
if (flags & DETECT_BYTEJUMP_BEGIN) {
|
|
|
|
if (flags & DETECT_BYTEJUMP_BEGIN) {
|
|
|
|
jumpptr = payload + val;
|
|
|
|
SCLogDebug("NEWVAL: payload %p + %" PRIu64, payload, val);
|
|
|
|
SCLogDebug("NEWVAL: payload %p + %" PRIu64 "= %p", payload, val, jumpptr);
|
|
|
|
|
|
|
|
} else if (flags & DETECT_BYTEJUMP_END) {
|
|
|
|
} else if (flags & DETECT_BYTEJUMP_END) {
|
|
|
|
jumpptr = payload + payload_len + val;
|
|
|
|
val = payload_len + val;
|
|
|
|
SCLogDebug("NEWVAL: payload %p + %" PRIu32 " - %" PRIu64 " = %p", payload, payload_len, val, jumpptr);
|
|
|
|
SCLogDebug("NEWVAL: payload %p + %" PRIu32 " - %" PRIu64, payload, payload_len, val);
|
|
|
|
} else {
|
|
|
|
} else {
|
|
|
|
val += extbytes;
|
|
|
|
val += (ptr - payload) + extbytes;
|
|
|
|
jumpptr = ptr + val;
|
|
|
|
SCLogDebug("NEWVAL: ptr %p + %" PRIu64, ptr, val);
|
|
|
|
SCLogDebug("NEWVAL: ptr %p + %" PRIu64 " = %p", ptr, val, jumpptr);
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Validate that the jump location is still in the packet
|
|
|
|
/* Validate that the jump location is still in the packet
|
|
|
|
* \todo Should this validate it is still in the *payload*?
|
|
|
|
* \todo Should this validate it is still in the *payload*?
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
if ((jumpptr < payload) || (jumpptr >= payload + payload_len)) {
|
|
|
|
if (val >= payload_len) {
|
|
|
|
SCLogDebug("Jump location (%p) is not within "
|
|
|
|
SCLogDebug("Jump location (%" PRIu64 ") is not within "
|
|
|
|
"payload (%p-%p)", jumpptr, payload, payload + payload_len - 1);
|
|
|
|
"payload (%" PRIu32 ")",
|
|
|
|
|
|
|
|
val, payload_len);
|
|
|
|
SCReturnInt(0);
|
|
|
|
SCReturnInt(0);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#ifdef DEBUG
|
|
|
|
#ifdef DEBUG
|
|
|
|
if (SCLogDebugEnabled()) {
|
|
|
|
if (SCLogDebugEnabled()) {
|
|
|
|
const uint8_t *sptr = (flags & DETECT_BYTEJUMP_BEGIN) ? payload : ptr;
|
|
|
|
const uint8_t *sptr = (flags & DETECT_BYTEJUMP_BEGIN) ? payload : ptr;
|
|
|
|
SCLogDebug("jumping %" PRId64 " bytes from %p (%08x) to %p (%08x)",
|
|
|
|
SCLogDebug("jumping %" PRId64 " bytes from %p (%08x)", val, sptr, (int)(sptr - payload));
|
|
|
|
val, sptr, (int)(sptr - payload),
|
|
|
|
|
|
|
|
jumpptr, (int)(jumpptr - payload));
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif /* DEBUG */
|
|
|
|
#endif /* DEBUG */
|
|
|
|
|
|
|
|
|
|
|
|
/* Adjust the detection context to the jump location. */
|
|
|
|
/* Adjust the detection context to the jump location. */
|
|
|
|
det_ctx->buffer_offset = jumpptr - payload;
|
|
|
|
det_ctx->buffer_offset = val;
|
|
|
|
|
|
|
|
|
|
|
|
SCReturnInt(1);
|
|
|
|
SCReturnInt(1);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
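Review bot: The new test `if (val >= payload_len)` is the only guard left on the jump target, and both additions feeding it (`val = payload_len + val;` in the DETECT_BYTEJUMP_END branch and `val += (ptr - payload) + extbytes;` in the default branch) are done in `uint64_t`, so a sum that wraps past 2^64 is accepted whenever it lands below `payload_len`. That still keeps `det_ctx->buffer_offset` inside the payload, and the END branch appears to rely on the wrap for negative offsets, but nothing in the hunk says so; assuming that is the intent, I would add above the check `/* val is now an absolute offset from payload; unsigned wrap-around is intended, and anything outside [0, payload_len) is rejected here */`. The debug lines were not brought along with the change: the END branch message still reads `payload + payload_len - val` but now prints `val` after the assignment, and the DEBUG block formats the `uint64_t` `val` with `PRId64` and labels it as the bytes jumped although it now holds the absolute offset. The function begins before the first hunk, so how `val` is extracted from the packet is not visible here.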