From ba1e2ed69db37b6a0c7f036589af93e8b412108e Mon Sep 17 00:00:00 2001 From: Ken Steele Date: Fri, 18 Jul 2014 12:14:06 -0400 Subject: [PATCH] Fix Boyer Moore Nocase bug where BoyerMooreCtxToNocase was missing. Whenever DETECT_CONTENT_NOCASE is set for a BoyerMoore matcher, the function BoyerMooreCtxToNocase() must be called. This call was missing in AppLayerProtoDetectPMRegisterPattern(). Also created BoyerMooreNocaseCtxInit() that calls BoyerMooreCtxToNocase() to make some code cleaner and safer. --- src/app-layer-detect-proto.c | 4 +++- src/detect-filemagic.c | 5 ++--- src/detect-filename.c | 5 ++--- src/util-spm-bm.c | 21 +++++++++++++++++++-- src/util-spm-bm.h | 1 + src/util-spm.c | 10 +++------- 6 files changed, 30 insertions(+), 16 deletions(-) diff --git a/src/app-layer-detect-proto.c b/src/app-layer-detect-proto.c index 61263adf95..b5b380cdbb 100644 --- a/src/app-layer-detect-proto.c +++ b/src/app-layer-detect-proto.c @@ -1253,8 +1253,10 @@ static int AppLayerProtoDetectPMRegisterPattern(uint8_t ipproto, AppProto alprot goto error; cd->depth = depth; cd->offset = offset; - if (!is_cs) + if (!is_cs) { + BoyerMooreCtxToNocase(cd->bm_ctx, cd->content, cd->content_len); cd->flags |= DETECT_CONTENT_NOCASE; + } if (depth < cd->content_len) goto error; diff --git a/src/detect-filemagic.c b/src/detect-filemagic.c index cd00d38671..8593f5a7f8 100644 --- a/src/detect-filemagic.c +++ b/src/detect-filemagic.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2007-2012 Open Information Security Foundation +/* Copyright (C) 2007-2014 Open Information Security Foundation * * You can copy, redistribute or modify this Program under the terms of * the GNU General Public License version 2 as published by the Free @@ -268,7 +268,7 @@ static DetectFilemagicData *DetectFilemagicParse (char *str) goto error; } - filemagic->bm_ctx = BoyerMooreCtxInit(filemagic->name, filemagic->len); + filemagic->bm_ctx = BoyerMooreNocaseCtxInit(filemagic->name, filemagic->len); if (filemagic->bm_ctx == NULL) { goto error; } @@ -278,7 +278,6 @@ static DetectFilemagicData *DetectFilemagicParse (char *str) SCLogDebug("negated filemagic"); } - BoyerMooreCtxToNocase(filemagic->bm_ctx, filemagic->name, filemagic->len); #ifdef DEBUG if (SCLogDebugEnabled()) { char *name = SCMalloc(filemagic->len + 1); diff --git a/src/detect-filename.c b/src/detect-filename.c index a40da3ba92..17c049b740 100644 --- a/src/detect-filename.c +++ b/src/detect-filename.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2007-2012 Open Information Security Foundation +/* Copyright (C) 2007-2014 Open Information Security Foundation * * You can copy, redistribute or modify this Program under the terms of * the GNU General Public License version 2 as published by the Free @@ -154,7 +154,7 @@ static DetectFilenameData *DetectFilenameParse (char *str) goto error; } - filename->bm_ctx = BoyerMooreCtxInit(filename->name, filename->len); + filename->bm_ctx = BoyerMooreNocaseCtxInit(filename->name, filename->len); if (filename->bm_ctx == NULL) { goto error; } @@ -164,7 +164,6 @@ static DetectFilenameData *DetectFilenameParse (char *str) SCLogDebug("negated filename"); } - BoyerMooreCtxToNocase(filename->bm_ctx, filename->name, filename->len); #ifdef DEBUG if (SCLogDebugEnabled()) { char *name = SCMalloc(filename->len + 1); diff --git a/src/util-spm-bm.c b/src/util-spm-bm.c index c978e19219..c0f385863a 100644 --- a/src/util-spm-bm.c +++ b/src/util-spm-bm.c @@ -65,7 +65,7 @@ void BoyerMooreCtxToNocase(BmCtx *bm_ctx, uint8_t *needle, uint16_t needle_len) } /** - * \brief Setup a Booyer More context. + * \brief Setup a Booyer Moore context. * * \param str pointer to the pattern string * \param size length of the string @@ -98,7 +98,24 @@ BmCtx *BoyerMooreCtxInit(uint8_t *needle, uint16_t needle_len) { } /** - * \brief Free the memory allocated to Booyer More context. + * \brief Setup a Booyer Moore context for nocase search + * + * \param str pointer to the pattern string + * \param size length of the string + * \retval BmCtx pointer to the newly created Context for the pattern + * \initonly BoyerMoore contexts should be created at init + */ +BmCtx *BoyerMooreNocaseCtxInit(uint8_t *needle, uint16_t needle_len) +{ + BmCtx *bm_ctx = BoyerMooreCtxInit(needle, needle_len); + + BoyerMooreCtxToNocase(bm_ctx, needle, needle_len); + + return bm_ctx; +} + +/** + * \brief Free the memory allocated to Booyer Moore context. * * \param bmCtx pointer to the Context for the pattern */ diff --git a/src/util-spm-bm.h b/src/util-spm-bm.h index 2ee2d945da..b3b97ced4b 100644 --- a/src/util-spm-bm.h +++ b/src/util-spm-bm.h @@ -38,6 +38,7 @@ typedef struct BmCtx_ { /** Prepare and return a Boyer Moore context */ BmCtx *BoyerMooreCtxInit(uint8_t *needle, uint16_t needle_len); +BmCtx *BoyerMooreNocaseCtxInit(uint8_t *needle, uint16_t needle_len); void BoyerMooreCtxToNocase(BmCtx *, uint8_t *, uint16_t); uint8_t *BoyerMoore(uint8_t *x, uint16_t m, uint8_t *y, int32_t n, BmCtx *bm_ctx); diff --git a/src/util-spm.c b/src/util-spm.c index 95eba9d974..208b9081d8 100644 --- a/src/util-spm.c +++ b/src/util-spm.c @@ -122,8 +122,7 @@ uint8_t *BoyerMooreSearch(uint8_t *text, uint32_t textlen, uint8_t *needle, uint */ uint8_t *BoyerMooreNocaseSearch(uint8_t *text, uint32_t textlen, uint8_t *needle, uint16_t needlelen) { - BmCtx *bm_ctx = BoyerMooreCtxInit(needle, needlelen); - BoyerMooreCtxToNocase(bm_ctx, needle, needlelen); + BmCtx *bm_ctx = BoyerMooreNocaseCtxInit(needle, needlelen); uint8_t *ret = BoyerMooreNocase(needle, needlelen, text, textlen, bm_ctx); BoyerMooreCtxDeInit(bm_ctx); @@ -256,8 +255,7 @@ uint8_t *BoyerMooreNocaseWrapper(uint8_t *text, uint8_t *in_needle, int times) return NULL; memcpy(needle, in_needle, needlelen); - BmCtx *bm_ctx = BoyerMooreCtxInit(needle, needlelen); - BoyerMooreCtxToNocase(bm_ctx, needle, needlelen); + BmCtx *bm_ctx = BoyerMooreNocaseCtxInit(needle, needlelen); uint8_t *ret = NULL; int i = 0; @@ -409,7 +407,7 @@ uint8_t *BoyerMooreNocaseCtxWrapper(uint8_t *text, uint8_t *in_needle, int times return NULL; memcpy(needle, in_needle, needlelen); - BmCtx *bm_ctx = BoyerMooreCtxInit(needle, needlelen); + BmCtx *bm_ctx = BoyerMooreNocaseCtxInit(needle, needlelen); uint8_t *ret = NULL; int i = 0; @@ -417,8 +415,6 @@ uint8_t *BoyerMooreNocaseCtxWrapper(uint8_t *text, uint8_t *in_needle, int times CLOCK_INIT; if (times > 1) CLOCK_START; for (i = 0; i < times; i++) { - /* Stats including context building */ - BoyerMooreCtxToNocase(bm_ctx, needle, needlelen); ret = BoyerMooreNocase(needle, needlelen, text, textlen, bm_ctx); } if (times > 1) { CLOCK_END; CLOCK_PRINT_SEC; };