From f318a46d34b29bd5b0a5c9cafdbe3376f1cd4d7d Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Sat, 23 Nov 2019 14:35:40 -0500
Subject: [PATCH] detect: Improve handling of variable values

When one of offset/depth/distance is from a variable, adjust the depth by the offset as is done with scalar values at parse time.
---
 src/detect-engine-content-inspection.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c
index 4756b4dc51..7daa59e98d 100644
--- a/src/detect-engine-content-inspection.c
+++ b/src/detect-engine-content-inspection.c
@@ -247,6 +247,13 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
 prev_buffer_offset = 0;
 }
 
+ /* If the value came from a variable, make sure to adjust the depth so it's relative
+ * to the offset value.
+ */
+ if (cd->flags & (DETECT_CONTENT_DISTANCE_BE|DETECT_CONTENT_OFFSET_BE|DETECT_CONTENT_DEPTH_BE)) {
+ depth += offset;
+ }
+
 /* update offset with prev_offset if we're searching for
 * matches after the first occurence. */
 SCLogDebug("offset %"PRIu32", prev_offset %"PRIu32, offset, prev_offset);
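Review bot: `depth += offset;` adds the two values with no overflow check, and per the commit message at least one of them can come from a rule variable rather than a parse-time constant. `offset` is logged with `PRIu32` just below, so if `depth` is also a 32-bit unsigned (its declaration is outside the hunk), a large variable value wraps the sum and leaves a depth smaller than the offset, which would shrink or empty the inspected window and make the content match miss silently. A saturating add such as `depth = (depth > UINT32_MAX - offset) ? UINT32_MAX : depth + offset;` keeps the window well-formed, assuming later code clamps depth to the buffer length. The guard also fires when only `DETECT_CONTENT_DISTANCE_BE` is set, so it is worth confirming that the relative-match path has not already folded the offset into depth; DetectEngineContentInspection's body starts and ends outside this hunk.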