From 359f736542da8d140cfab1631905a83d6416143e Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Tue, 19 Sep 2023 14:45:47 +0200 Subject: [PATCH 01/11] util: fix -Wshorten-64-to-32 warnings Ticket: #6186 --- src/tm-threads.c | 2 +- src/unix-manager.c | 10 ++-- src/util-affinity.c | 24 ++++----- src/util-byte.c | 4 +- src/util-classification-config.c | 8 +-- src/util-debug.c | 18 +++---- src/util-fmemopen.c | 16 +++--- src/util-ip.c | 8 +-- src/util-ja3.h | 4 +- src/util-landlock.c | 13 +++-- src/util-logopenfile.c | 2 +- src/util-lua-hashlib.c | 10 ++-- src/util-lua-sandbox.h | 3 +- src/util-proto-name.c | 6 +-- src/util-random.c | 4 +- src/util-reference-config.c | 8 +-- src/util-streaming-buffer.c | 90 ++++++++++++++++++++------------ src/util-thash.c | 2 +- src/util-thash.h | 2 +- src/util-threshold-config.c | 4 +- src/util-time.c | 2 +- src/util-var-name.c | 3 +- 22 files changed, 138 insertions(+), 105 deletions(-) diff --git a/src/tm-threads.c b/src/tm-threads.c index 1638aa5d4db9..516bf997b774 100644 --- a/src/tm-threads.c +++ b/src/tm-threads.c @@ -700,7 +700,7 @@ static int SetCPUAffinitySet(cpu_set_t *cs) int r = thread_policy_set(mach_thread_self(), THREAD_AFFINITY_POLICY, (void*)cs, THREAD_AFFINITY_POLICY_COUNT); #else - pid_t tid = syscall(SYS_gettid); + pid_t tid = (pid_t)syscall(SYS_gettid); int r = sched_setaffinity(tid, sizeof(cpu_set_t), cs); #endif /* OS_FREEBSD */ diff --git a/src/unix-manager.c b/src/unix-manager.c index 38baaac22011..d364985741b8 100644 --- a/src/unix-manager.c +++ b/src/unix-manager.c @@ -106,7 +106,7 @@ typedef struct UnixCommand_ { static int UnixNew(UnixCommand * this) { struct sockaddr_un addr; - int len; + socklen_t len; int ret; int on = 1; char sockettarget[PATH_MAX]; 
@@ -161,7 +161,7 @@ static int UnixNew(UnixCommand * this) addr.sun_family = AF_UNIX; strlcpy(addr.sun_path, sockettarget, sizeof(addr.sun_path)); addr.sun_path[sizeof(addr.sun_path) - 1] = 0; - len = strlen(addr.sun_path) + sizeof(addr.sun_family) + 1; + len = (socklen_t)(strlen(addr.sun_path) + sizeof(addr.sun_family) + 1); /* create socket */ this->socket = socket(AF_UNIX, SOCK_STREAM, 0); @@ -335,7 +335,7 @@ static int UnixCommandAccept(UnixCommand *this) json_error_t jerror; int client; int client_version; - int ret; + ssize_t ret; UnixClient *uclient = NULL; /* accept client socket */ @@ -537,7 +537,7 @@ static int UnixCommandExecute(UnixCommand * this, char *command, UnixClient *cli static void UnixCommandRun(UnixCommand * this, UnixClient *client) { char buffer[4096]; - int ret; + ssize_t ret; if (client->version <= UNIX_PROTO_V1) { ret = recv(client->fd, buffer, sizeof(buffer) - 1, 0); if (ret <= 0) { @@ -695,7 +695,7 @@ static TmEcode UnixManagerUptimeCommand(json_t *cmd, json_t *server_msg, void *data) { SCEnter(); - int uptime; + time_t uptime; UnixCommand *ucmd = (UnixCommand *)data; uptime = time(NULL) - ucmd->start_timestamp; diff --git a/src/util-affinity.c b/src/util-affinity.c index 8a224711e884..9281b7239ebf 100644 --- a/src/util-affinity.c +++ b/src/util-affinity.c 
@@ -100,24 +100,24 @@ void BuildCpusetWithCallback(const char *name, ConfNode *node, { ConfNode *lnode; TAILQ_FOREACH(lnode, &node->head, next) { - int i; - long int a,b; - int stop = 0; - int max = UtilCpuGetNumProcessorsOnline() - 1; + uint32_t i; + uint32_t a, b; + uint32_t stop = 0; + uint32_t max = UtilCpuGetNumProcessorsOnline(); + if (max > 0) { + max--; + } if (!strcmp(lnode->val, "all")) { a = 0; b = max; stop = 1; } else if (strchr(lnode->val, '-') != NULL) { char *sep = strchr(lnode->val, '-'); - char *end; - a = strtoul(lnode->val, &end, 10); - if (end != sep) { + if (StringParseUint32(&a, 10, sep - lnode->val, lnode->val) < 0) { SCLogError("%s: invalid cpu range (start invalid): \"%s\"", name, lnode->val); exit(EXIT_FAILURE); } - b = strtol(sep + 1, &end, 10); - if (end != sep + strlen(sep)) { + if (StringParseUint32(&b, 10, strlen(sep) - 1, sep + 1) < 0) { SCLogError("%s: invalid cpu range (end invalid): \"%s\"", name, lnode->val); exit(EXIT_FAILURE); } @@ -126,13 +126,11 @@ void BuildCpusetWithCallback(const char *name, ConfNode *node, exit(EXIT_FAILURE); } if (b > max) { - SCLogError("%s: upper bound (%ld) of cpu set is too high, only %d cpu(s)", name, b, + SCLogError("%s: upper bound (%d) of cpu set is too high, only %d cpu(s)", name, b, max + 1); } } else { - char *end; - a = strtoul(lnode->val, &end, 10); - if (end != lnode->val + strlen(lnode->val)) { + if (StringParseUint32(&a, 10, strlen(lnode->val), lnode->val) < 0) { SCLogError("%s: invalid cpu range (not an integer): \"%s\"", name, lnode->val); exit(EXIT_FAILURE); } diff --git a/src/util-byte.c b/src/util-byte.c index d2f39fb2d211..1b06ccd628ba 100644 --- a/src/util-byte.c +++ b/src/util-byte.c @@ -228,7 +228,7 @@ int ByteExtractString(uint64_t *res, int base, size_t len, const char *str, bool return -1; } - return (endptr - ptr); + return (int)(endptr - ptr); } int ByteExtractStringUint64(uint64_t *res, int base, size_t len, const char *str) 
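Review bot: In the `b > max` branch of BuildCpusetWithCallback the error message still formats `b` and `max + 1` with `%d` although both are now `uint32_t`; use `"%s: upper bound (%" PRIu32 ") of cpu set is too high, only %" PRIu32 " cpu(s)"` (or `%u`). Separately, the three StringParseUint32 calls are only tested with `< 0`. If that helper can return 0 for a field with no digits (its definition is not in this hunk), an entry such as a leading `-` could pass with `a` never written, where the old `end != sep` comparison rejected it, so `<= 0` may be the safer test. The function body continues outside the hunk.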
@@ -531,7 +531,7 @@ int ByteExtractStringSigned(int64_t *res, int base, size_t len, const char *str, //fprintf(stderr, "ByteExtractStringSigned: Extracted base %d: 0x%" PRIx64 "\n", base, *res); - return (endptr - ptr); + return (int)(endptr - ptr); } int ByteExtractStringInt64(int64_t *res, int base, size_t len, const char *str) diff --git a/src/util-classification-config.c b/src/util-classification-config.c index 07f18c2caaaa..c42c2d1a55dd 100644 --- a/src/util-classification-config.c +++ b/src/util-classification-config.c @@ -448,9 +448,9 @@ uint32_t SCClassConfClasstypeHashFunc(HashTable *ht, void *data, uint16_t datale { SCClassConfClasstype *ct = (SCClassConfClasstype *)data; uint32_t hash = 0; - int i = 0; + size_t i = 0; - int len = strlen(ct->classtype); + size_t len = strlen(ct->classtype); for (i = 0; i < len; i++) hash += u8_tolower((unsigned char)(ct->classtype)[i]); @@ -478,8 +478,8 @@ char SCClassConfClasstypeHashCompareFunc(void *data1, uint16_t datalen1, { SCClassConfClasstype *ct1 = (SCClassConfClasstype *)data1; SCClassConfClasstype *ct2 = (SCClassConfClasstype *)data2; - int len1 = 0; - int len2 = 0; + size_t len1 = 0; + size_t len2 = 0; if (ct1 == NULL || ct2 == NULL) return 0; diff --git a/src/util-debug.c b/src/util-debug.c index f315d1289048..d881c6e87a7a 100644 --- a/src/util-debug.c +++ b/src/util-debug.c 
@@ -286,25 +286,25 @@ static const char *SCTransformModule(const char *module_name, int *dn_len) * app-layer-* */ if (strncmp("tm-", module_name, 3) == 0) { - *dn_len = strlen(module_name) - 3; + *dn_len = (int)strlen(module_name) - 3; return module_name + 3; } else if (strncmp("util-", module_name, 5) == 0) { - *dn_len = strlen(module_name) - 5; + *dn_len = (int)strlen(module_name) - 5; return module_name + 5; } else if (strncmp("source-pcap-file", module_name, 16) == 0) { - *dn_len = strlen("pcap"); + *dn_len = (int)strlen("pcap"); return "pcap"; } else if (strncmp("source-", module_name, 7) == 0) { - *dn_len = strlen(module_name) - 7; + *dn_len = (int)strlen(module_name) - 7; return module_name + 7; } else if (strncmp("runmode-", module_name, 8) == 0) { - *dn_len = strlen(module_name) - 8; + *dn_len = (int)strlen(module_name) - 8; return module_name + 8; } else if (strncmp("app-layer-", module_name, 10) == 0) { - *dn_len = strlen(module_name); + *dn_len = (int)strlen(module_name); return module_name; } else if (strncmp("detect-engine", module_name, 13) == 0) { - *dn_len = strlen("detect"); + *dn_len = (int)strlen("detect"); return "detect"; } @@ -319,9 +319,9 @@ static const char *SCTransformModule(const char *module_name, int *dn_len) } if (seg_cnt < transform_max_segs) - *dn_len = strlen(module_name); + *dn_len = (int)strlen(module_name); else - *dn_len = last - module_name; + *dn_len = (int)(last - module_name); return module_name; } diff --git a/src/util-fmemopen.c b/src/util-fmemopen.c index 412b9783ef3a..ed1a02197860 100644 --- a/src/util-fmemopen.c +++ b/src/util-fmemopen.c 
@@ -117,20 +117,20 @@ static fpos_t SeekFn(void *handler, fpos_t offset, int whence) */ static int ReadFn(void *handler, char *buf, int size) { - size_t count = 0; + int count = 0; SCFmem *mem = handler; size_t available = mem->size - mem->pos; int is_eof = 0; if (size < 0) return - 1; - if ((size_t)size > available) { - size = available; + if (available < INT_MAX && size > (int)available) { + size = (int)available; } else { is_eof = 1; } - while (count < (size_t)size) + while (count < size) buf[count++] = mem->buffer[mem->pos++]; if (is_eof == 1) @@ -148,16 +148,16 @@ static int ReadFn(void *handler, char *buf, int size) */ static int WriteFn(void *handler, const char *buf, int size) { - size_t count = 0; + int count = 0; SCFmem *mem = handler; size_t available = mem->size - mem->pos; if (size < 0) return - 1; - if ((size_t)size > available) - size = available; + if (available < INT_MAX && size > (int)available) + size = (int)available; - while (count < (size_t)size) + while (count < size) mem->buffer[mem->pos++] = buf[count++]; return count; diff --git a/src/util-ip.c b/src/util-ip.c index 8792253cc3c9..f57878e0dd86 100644 --- a/src/util-ip.c +++ b/src/util-ip.c @@ -40,8 +40,8 @@ bool IPv4AddressStringIsValid(const char *str) memset(&addr, 0, sizeof(addr)); - uint32_t len = strlen(str); - uint32_t i = 0; + size_t len = strlen(str); + size_t i = 0; for (i = 0; i < len; i++) { if (!(str[i] == '.' || isdigit(str[i]))) { return false; @@ -85,8 +85,8 @@ bool IPv6AddressStringIsValid(const char *str) int sep = 0; bool colon_seen = false; - uint32_t len = strlen(str); - uint32_t i = 0; + size_t len = strlen(str); + size_t i = 0; for (i = 0; i < len && str[i] != 0; i++) { if (!(str[i] == '.' || str[i] == ':' || isxdigit(str[i]))) diff --git a/src/util-ja3.h b/src/util-ja3.h index f7ecb3079bc2..5211b85d559e 100644 --- a/src/util-ja3.h +++ b/src/util-ja3.h 
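Review bot: The `available < INT_MAX` term in ReadFn's new clamp is redundant: `size` is a non-negative `int` after the `size < 0` return, so `(size_t)size > available` already implies that `available` fits in an `int`, and only the assignment needs a cast. Keeping the original comparison, `if ((size_t)size > available) { size = (int)available; }`, silences the warning without the extra `INT_MAX` dependency and leaves the branch structure as it was. The WriteFn hunk at -148 has the identical pattern. Both functions compute `mem->size - mem->pos` with no visible check that `pos <= size`; if that invariant is enforced elsewhere, a one-line comment saying so would help the next reader.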
@@ -30,8 +30,8 @@ typedef struct JA3Buffer_ { char *data; - size_t size; - size_t used; + uint32_t size; + uint32_t used; } JA3Buffer; JA3Buffer *Ja3BufferInit(void); diff --git a/src/util-landlock.c b/src/util-landlock.c index 245be5634fd5..fcc46a0d8f38 100644 --- a/src/util-landlock.c +++ b/src/util-landlock.c @@ -28,6 +28,7 @@ #include "util-landlock.h" #include "util-mem.h" #include "util-path.h" +#include "util-validate.h" #ifndef HAVE_LINUX_LANDLOCK_H @@ -43,7 +44,9 @@ void LandlockSandboxing(SCInstance *suri) static inline int landlock_create_ruleset( const struct landlock_ruleset_attr *const attr, const size_t size, const __u32 flags) { - return syscall(__NR_landlock_create_ruleset, attr, size, flags); + long r = syscall(__NR_landlock_create_ruleset, attr, size, flags); + DEBUG_VALIDATE_BUG_ON(r > INT_MAX); + return (int)r; } #endif @@ -51,14 +54,18 @@ static inline int landlock_create_ruleset( static inline int landlock_add_rule(const int ruleset_fd, const enum landlock_rule_type rule_type, const void *const rule_attr, const __u32 flags) { - return syscall(__NR_landlock_add_rule, ruleset_fd, rule_type, rule_attr, flags); + long r = syscall(__NR_landlock_add_rule, ruleset_fd, rule_type, rule_attr, flags); + DEBUG_VALIDATE_BUG_ON(r > INT_MAX); + return (int)r; } #endif #ifndef landlock_restrict_self static inline int landlock_restrict_self(const int ruleset_fd, const __u32 flags) { - return syscall(__NR_landlock_restrict_self, ruleset_fd, flags); + long r = syscall(__NR_landlock_restrict_self, ruleset_fd, flags); + DEBUG_VALIDATE_BUG_ON(r > INT_MAX); + return (int)r; } #endif diff --git a/src/util-logopenfile.c b/src/util-logopenfile.c index 484481100490..aa6a47b1a00f 100644 --- a/src/util-logopenfile.c +++ b/src/util-logopenfile.c 
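Review bot: Narrowing `size` and `used` in JA3Buffer from `size_t` to `uint32_t` changes the width of every length calculation on this buffer, yet util-ja3.c is not in this commit's diffstat. Any append path that adds a length to `used` before comparing with `size` may now wrap at 32 bits rather than 64 (depending on the operand types there, which are not visible here), so those call sites deserve a look. A comment on the struct such as `/* lengths are limited to UINT32_MAX; check before adding */` would document the new limit.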
@@ -785,7 +785,7 @@ static bool LogFileThreadedName( * for update */ dot = strrchr(original_name, '.'); - int dotpos = dot - original_name; + ptrdiff_t dotpos = dot - original_name; tname[dotpos] = '\0'; char *ext = tname + dotpos + 1; if (strlen(tname) && strlen(ext)) { diff --git a/src/util-lua-hashlib.c b/src/util-lua-hashlib.c index 9c8bf7dab2b3..f0bdbfb155e2 100644 --- a/src/util-lua-hashlib.c +++ b/src/util-lua-hashlib.c @@ -74,7 +74,7 @@ static int LuaHashLibSha256Update(lua_State *L) } size_t data_len; const char *data = luaL_checklstring(L, 2, &data_len); - SCSha256Update(*hasher, (const uint8_t *)data, data_len); + SCSha256Update(*hasher, (const uint8_t *)data, (uint32_t)data_len); return 0; } @@ -123,7 +123,7 @@ static int LuaHashLibSha256Digest(lua_State *L) size_t buf_len; const char *input = luaL_checklstring(L, 1, &buf_len); - size_t output_len = SC_SHA256_LEN; + uint32_t output_len = SC_SHA256_LEN; uint8_t output[output_len]; if (!SCSha256HashBuffer((uint8_t *)input, (uint32_t)buf_len, output, output_len)) { return luaL_error(L, "sha256 hashing failed"); @@ -178,7 +178,7 @@ static int LuaHashLibSha1Update(lua_State *L) size_t data_len; const char *data = luaL_checklstring(L, 2, &data_len); - SCSha1Update(*hasher, (const uint8_t *)data, data_len); + SCSha1Update(*hasher, (const uint8_t *)data, (uint32_t)data_len); return 0; } @@ -280,7 +280,7 @@ static int LuaHashLibMd5Update(lua_State *L) size_t data_len; const char *data = luaL_checklstring(L, 2, &data_len); - SCMd5Update(*hasher, (const uint8_t *)data, data_len); + SCMd5Update(*hasher, (const uint8_t *)data, (uint32_t)data_len); return 0; } 
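Review bot: The `(uint32_t)data_len` cast in LuaHashLibSha256Update silently truncates a Lua string of 4 GiB or more, so the digest would cover only a prefix of the input and no error is reported. `data_len` comes straight from `luaL_checklstring`, i.e. from script-supplied data, so reject oversized input before the cast: `if (data_len > UINT32_MAX) return luaL_error(L, "input too large");`. The same cast is added in LuaHashLibSha1Update (-178), LuaHashLibMd5Update (-280) and LuaHashLibMd5HexDigest (-344), and the existing `(uint32_t)buf_len` in LuaHashLibSha256Digest has the same gap.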
@@ -344,7 +344,7 @@ static int LuaHashLibMd5HexDigest(lua_State *L) const char *input = luaL_checklstring(L, 1, &buf_len); char output[SC_MD5_HEX_LEN + 1]; - if (!SCMd5HashBufferToHex((uint8_t *)input, (size_t)buf_len, output, sizeof(output))) { + if (!SCMd5HashBufferToHex((uint8_t *)input, (uint32_t)buf_len, output, sizeof(output))) { return luaL_error(L, "md5 hashing failed"); } diff --git a/src/util-lua-sandbox.h b/src/util-lua-sandbox.h index b04ab746d230..c7b15ba08b43 100644 --- a/src/util-lua-sandbox.h +++ b/src/util-lua-sandbox.h @@ -47,7 +47,8 @@ typedef struct SCLuaSbState { /* Execution Limits */ uint64_t instruction_count; uint64_t instruction_limit; - uint64_t hook_instruction_count; + // used by lua_sethook + int hook_instruction_count; /* Errors. */ bool blocked_function_error; diff --git a/src/util-proto-name.c b/src/util-proto-name.c index c6d91ae76d7e..0c562885d3ef 100644 --- a/src/util-proto-name.c +++ b/src/util-proto-name.c @@ -361,7 +361,7 @@ static uint32_t ProtoNameHashFunc(HashTable *ht, void *data, uint16_t datalen) * as the proto number is not used for lookups */ ProtoNameHashEntry *p = (ProtoNameHashEntry *)data; - return StringHashDjb2((uint8_t *)p->name, strlen(p->name)) % ht->array_size; + return StringHashDjb2((uint8_t *)p->name, (uint32_t)strlen(p->name)) % ht->array_size; } static char ProtoNameHashCompareFunc(void *data1, uint16_t datalen1, void *data2, uint16_t datalen2) @@ -375,8 +375,8 @@ static char ProtoNameHashCompareFunc(void *data1, uint16_t datalen1, void *data2 if (p1->name == NULL || p2->name == NULL) return 0; - int len1 = strlen(p1->name); - int len2 = strlen(p2->name); + size_t len1 = strlen(p1->name); + size_t len2 = strlen(p2->name); return len1 == len2 && memcmp(p1->name, p2->name, len1) == 0; } diff --git a/src/util-random.c b/src/util-random.c index 0beee3287880..012073d9ca4e 100644 --- a/src/util-random.c +++ b/src/util-random.c 
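Review bot: `hook_instruction_count` in SCLuaSbState drops from `uint64_t` to `int`, so whatever assigns it (not in this hunk) now needs a range check, otherwise a large configured value is truncated or goes negative before it reaches `lua_sethook`. The new `// used by lua_sethook` comment is also the only `//` comment among the `/* */` comments visible in this struct; suggest `/* count passed to lua_sethook(), which takes an int */`.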
@@ -38,7 +38,7 @@ static long int RandomGetClock(void) clock_gettime(CLOCK_REALTIME, &ts); // coverity[dont_call : FALSE] - srandom(ts.tv_nsec ^ ts.tv_sec); + srandom((unsigned int)(ts.tv_nsec ^ ts.tv_sec)); long int value = random(); return value; } @@ -103,7 +103,7 @@ long int RandomGet(void) return 0; long int value = 0; - int ret = getrandom(&value, sizeof(value), 0); + ssize_t ret = getrandom(&value, sizeof(value), 0); /* ret should be sizeof(value), but if it is > 0 and < sizeof(value) * it's still better than nothing so we return what we have */ if (ret <= 0) { diff --git a/src/util-reference-config.c b/src/util-reference-config.c index 1f7dc39573fd..9b2b09337c01 100644 --- a/src/util-reference-config.c +++ b/src/util-reference-config.c @@ -408,9 +408,9 @@ uint32_t SCRConfReferenceHashFunc(HashTable *ht, void *data, uint16_t datalen) { SCRConfReference *ref = (SCRConfReference *)data; uint32_t hash = 0; - int i = 0; + size_t i = 0; - int len = strlen(ref->system); + size_t len = strlen(ref->system); for (i = 0; i < len; i++) hash += u8_tolower((unsigned char)ref->system[i]); @@ -438,8 +438,8 @@ char SCRConfReferenceHashCompareFunc(void *data1, uint16_t datalen1, { SCRConfReference *ref1 = (SCRConfReference *)data1; SCRConfReference *ref2 = (SCRConfReference *)data2; - int len1 = 0; - int len2 = 0; + size_t len1 = 0; + size_t len2 = 0; if (ref1 == NULL || ref2 == NULL) return 0; diff --git a/src/util-streaming-buffer.c b/src/util-streaming-buffer.c index 2221941bda00..fb9ffe98fd47 100644 --- a/src/util-streaming-buffer.c +++ b/src/util-streaming-buffer.c 
@@ -441,7 +441,8 @@ static inline void ConsolidateFwd(StreamingBuffer *sb, const StreamingBufferConf if (sa->offset == region->stream_offset && sa_re > (region->stream_offset + region->buf_offset)) { DEBUG_VALIDATE_BUG_ON(sa_re < region->stream_offset); - region->buf_offset = sa_re - region->stream_offset; + DEBUG_VALIDATE_BUG_ON(sa_re - region->stream_offset > UINT32_MAX); + region->buf_offset = (uint32_t)(sa_re - region->stream_offset); SCLogDebug("-> (fwd) tr %p %" PRIu64 "/%u region %p so %" PRIu64 " bo %u sz %u BUF_OFFSET UPDATED", sa, sa->offset, sa->len, region, region->stream_offset, region->buf_offset, @@ -457,8 +458,10 @@ static inline void ConsolidateFwd(StreamingBuffer *sb, const StreamingBufferConf sa_re >= tr->offset && sa_re < tr_re) // ends inside { // merge. sb->sbb_size includes both so we need to adjust that too. - uint32_t combined_len = sa->len + tr->len; - sa->len = tr_re - sa->offset; + DEBUG_VALIDATE_BUG_ON(sa->len + tr->len > UINT32_MAX); + uint32_t combined_len = (uint32_t)(sa->len + tr->len); + DEBUG_VALIDATE_BUG_ON(tr_re - sa->offset > UINT32_MAX); + sa->len = (uint32_t)(tr_re - sa->offset); sa_re = sa->offset + sa->len; SCLogDebug("-> (fwd) tr %p %" PRIu64 "/%u REMOVED MERGED", tr, tr->offset, tr->len); SBB_RB_REMOVE(tree, tr); @@ -471,7 +474,8 @@ static inline void ConsolidateFwd(StreamingBuffer *sb, const StreamingBufferConf if (sa->offset == region->stream_offset && sa_re > (region->stream_offset + region->buf_offset)) { DEBUG_VALIDATE_BUG_ON(sa_re < region->stream_offset); - region->buf_offset = sa_re - region->stream_offset; + DEBUG_VALIDATE_BUG_ON(sa_re - region->stream_offset > UINT32_MAX); + region->buf_offset = (uint32_t)(sa_re - region->stream_offset); SCLogDebug("-> (fwd) tr %p %" PRIu64 "/%u region %p so %" PRIu64 " bo %u sz %u BUF_OFFSET UPDATED", sa, sa->offset, sa->len, region, region->stream_offset, region->buf_offset, 
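Review bot: The new guard `DEBUG_VALIDATE_BUG_ON(sa->len + tr->len > UINT32_MAX)` in ConsolidateFwd's merge branch (-457) cannot fire if both `len` fields are 32-bit, which the `%u` format used for them suggests, because the sum is computed in 32 bits and wraps before the comparison. Widen one operand so the check tests the real sum: `DEBUG_VALIDATE_BUG_ON((uint64_t)sa->len + tr->len > UINT32_MAX);`. The same line is added in ConsolidateBackward (-553). The other guards in these hunks appear to subtract 64-bit stream offsets, so they test what they claim to.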
@@ -538,7 +542,8 @@ static inline void ConsolidateBackward(StreamingBuffer *sb, const StreamingBuffe if (sa->offset == region->stream_offset && sa_re > (region->stream_offset + region->buf_offset)) { DEBUG_VALIDATE_BUG_ON(sa_re < region->stream_offset); - region->buf_offset = sa_re - region->stream_offset; + DEBUG_VALIDATE_BUG_ON(sa_re - region->stream_offset > UINT32_MAX); + region->buf_offset = (uint32_t)(sa_re - region->stream_offset); SCLogDebug("-> (bwd) tr %p %" PRIu64 "/%u region %p so %" PRIu64 " bo %u sz %u BUF_OFFSET UPDATED", sa, sa->offset, sa->len, region, region->stream_offset, region->buf_offset, @@ -553,8 +558,10 @@ static inline void ConsolidateBackward(StreamingBuffer *sb, const StreamingBuffe */ } else if (sa->offset > tr->offset && sa_re > tr_re && sa->offset <= tr_re) { // merge. sb->sbb_size includes both so we need to adjust that too. - uint32_t combined_len = sa->len + tr->len; - sa->len = sa_re - tr->offset; + DEBUG_VALIDATE_BUG_ON(sa->len + tr->len > UINT32_MAX); + uint32_t combined_len = (uint32_t)(sa->len + tr->len); + DEBUG_VALIDATE_BUG_ON(sa_re - tr->offset > UINT32_MAX); + sa->len = (uint32_t)(sa_re - tr->offset); sa->offset = tr->offset; sa_re = sa->offset + sa->len; SCLogDebug("-> (bwd) tr %p %" PRIu64 "/%u REMOVED MERGED", tr, tr->offset, tr->len); @@ -570,7 +577,8 @@ static inline void ConsolidateBackward(StreamingBuffer *sb, const StreamingBuffe if (sa->offset == region->stream_offset && sa_re > (region->stream_offset + region->buf_offset)) { DEBUG_VALIDATE_BUG_ON(sa_re < region->stream_offset); - region->buf_offset = sa_re - region->stream_offset; + DEBUG_VALIDATE_BUG_ON(sa_re - region->stream_offset > UINT32_MAX); + region->buf_offset = (uint32_t)(sa_re - region->stream_offset); SCLogDebug("-> (bwd) tr %p %" PRIu64 "/%u region %p so %" PRIu64 " bo %u sz %u BUF_OFFSET UPDATED", sa, sa->offset, sa->len, region, region->stream_offset, region->buf_offset, 
@@ -656,7 +664,8 @@ static void SBBPrune(StreamingBuffer *sb, const StreamingBufferConfig *cfg) /* partly before, partly beyond. Adjust */ if (sbb->offset < sb->region.stream_offset && sbb->offset + sbb->len > sb->region.stream_offset) { - uint32_t shrink_by = sb->region.stream_offset - sbb->offset; + DEBUG_VALIDATE_BUG_ON(sb->region.stream_offset - sbb->offset > UINT32_MAX); + uint32_t shrink_by = (uint32_t)(sb->region.stream_offset - sbb->offset); DEBUG_VALIDATE_BUG_ON(shrink_by > sbb->len); if (sbb->len >= shrink_by) { sbb->len -= shrink_by; @@ -876,7 +885,8 @@ static inline void StreamingBufferSlideToOffsetWithRegions( if (to_shift) { // Do the shift. If new region is exactly at the slide offset we can skip this. DEBUG_VALIDATE_BUG_ON(to_shift->stream_offset > slide_offset); - const uint32_t s = slide_offset - to_shift->stream_offset; + DEBUG_VALIDATE_BUG_ON(slide_offset - to_shift->stream_offset > UINT32_MAX); + const uint32_t s = (uint32_t)(slide_offset - to_shift->stream_offset); if (s > 0) { const uint32_t new_data_size = to_shift->buf_size - s; uint32_t new_mem_size = ToNextMultipleOf(new_data_size, cfg->buf_size); 
@@ -891,15 +901,21 @@ static inline void StreamingBufferSlideToOffsetWithRegions( StreamingBufferRegion *start = to_shift; StreamingBufferRegion *next = start->next; const uint64_t next_re = next->stream_offset + next->buf_size; - const uint32_t mem_size = ToNextMultipleOf(next_re - slide_offset, cfg->buf_size); + DEBUG_VALIDATE_BUG_ON(next_re - slide_offset > UINT32_MAX); + const uint32_t mem_size = + ToNextMultipleOf((uint32_t)(next_re - slide_offset), cfg->buf_size); /* using next as the new main */ if (start->buf_size < next->buf_size) { SCLogDebug("replace main with the next bigger region"); - const uint32_t next_data_offset = next->stream_offset - slide_offset; + DEBUG_VALIDATE_BUG_ON(next->stream_offset - slide_offset > UINT32_MAX); + const uint32_t next_data_offset = + (uint32_t)(next->stream_offset - slide_offset); const uint32_t prev_buf_size = next->buf_size; - const uint32_t start_data_offset = slide_offset - start->stream_offset; + DEBUG_VALIDATE_BUG_ON(slide_offset - start->stream_offset > UINT32_MAX); + const uint32_t start_data_offset = + (uint32_t)(slide_offset - start->stream_offset); DEBUG_VALIDATE_BUG_ON(start_data_offset > start->buf_size); if (start_data_offset > start->buf_size) { new_mem_size = new_data_size; @@ -1033,7 +1049,8 @@ void StreamingBufferSlideToOffset( } if (offset > sb->region.stream_offset) { - const uint32_t slide = offset - sb->region.stream_offset; + DEBUG_VALIDATE_BUG_ON(offset - sb->region.stream_offset > UINT32_MAX); + const uint32_t slide = (uint32_t)(offset - sb->region.stream_offset); if (sb->head != NULL) { /* have sbb's, so can't rely on buf_offset for the slide */ if (slide < sb->region.buf_size) { 
@@ -1273,7 +1290,8 @@ static StreamingBufferRegion *BufferInsertAtRegionConsolidate(StreamingBuffer *s // 2. resize dst const uint32_t old_size = dst->buf_size; - const uint32_t dst_copy_offset = dst->stream_offset - dst_offset; + DEBUG_VALIDATE_BUG_ON(dst->stream_offset - dst_offset > UINT32_MAX); + const uint32_t dst_copy_offset = (uint32_t)(dst->stream_offset - dst_offset); #ifdef DEBUG const uint32_t old_offset = dst->buf_offset; SCLogDebug("old_size %u, old_offset %u, dst_copy_offset %u", old_size, old_offset, @@ -1330,7 +1348,8 @@ static StreamingBufferRegion *BufferInsertAtRegionConsolidate(StreamingBuffer *s r = r->next; continue; } - const uint32_t target_offset = r->stream_offset - dst_offset; + DEBUG_VALIDATE_BUG_ON(r->stream_offset - dst_offset > UINT32_MAX); + const uint32_t target_offset = (uint32_t)(r->stream_offset - dst_offset); SCLogDebug("r %p: target_offset %u", r, target_offset); DEBUG_VALIDATE_BUG_ON(target_offset > dst->buf_size); DEBUG_VALIDATE_BUG_ON(target_offset + r->buf_size > dst->buf_size); @@ -1409,8 +1428,9 @@ static StreamingBufferRegion *BufferInsertAtRegionDo(StreamingBuffer *sb, } insert_adjusted_re = MAX(insert_adjusted_re, (end->stream_offset + end->buf_size)); - uint32_t new_buf_size = - ToNextMultipleOf(insert_adjusted_re - insert_start_offset, cfg->buf_size); + DEBUG_VALIDATE_BUG_ON(insert_adjusted_re - insert_start_offset > UINT32_MAX); + uint32_t new_buf_size = ToNextMultipleOf( + (uint32_t)(insert_adjusted_re - insert_start_offset), cfg->buf_size); SCLogDebug("new_buf_size %u", new_buf_size); /* see if our new buf size + cfg->buf_size margin leads to an overlap with the next region. 
@@ -1419,8 +1439,9 @@ static StreamingBufferRegion *BufferInsertAtRegionDo(StreamingBuffer *sb, SCLogDebug("adjusted end from %p to %p", end, end->next); end = end->next; insert_adjusted_re = MAX(insert_adjusted_re, (end->stream_offset + end->buf_size)); - new_buf_size = - ToNextMultipleOf(insert_adjusted_re - insert_start_offset, cfg->buf_size); + DEBUG_VALIDATE_BUG_ON(insert_adjusted_re - insert_start_offset > UINT32_MAX); + new_buf_size = ToNextMultipleOf( + (uint32_t)(insert_adjusted_re - insert_start_offset), cfg->buf_size); SCLogDebug("new_buf_size %u", new_buf_size); } @@ -1531,7 +1552,8 @@ int StreamingBufferInsertAt(StreamingBuffer *sb, const StreamingBufferConfig *cf SCLogDebug("inserting %" PRIu64 "/%u using %s region %p", offset, data_len, region == &sb->region ? "main" : "aux", region); - uint32_t rel_offset = offset - region->stream_offset; + DEBUG_VALIDATE_BUG_ON(offset - region->stream_offset > UINT32_MAX); + uint32_t rel_offset = (uint32_t)(offset - region->stream_offset); int r = DataFitsAtOffset(region, data_len, rel_offset); if (r < 0) { DEBUG_VALIDATE_BUG_ON(1); @@ -1684,7 +1706,7 @@ void StreamingBufferSBBGetData(const StreamingBuffer *sb, return; } else { SCLogDebug("2"); - uint64_t offset = region->stream_offset - sbb->offset; + uint32_t offset = (uint32_t)(region->stream_offset - sbb->offset); if (offset < sbb->len) { *data = region->buf; *data_len = sbb->len - offset; 
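Review bot: In StreamingBufferInsertAt (-1531) the truncated `rel_offset` is handed to `DataFitsAtOffset`, so the fit check runs on the low 32 bits of `offset - region->stream_offset`, and the only protection is a `DEBUG_VALIDATE_BUG_ON`. If that macro compiles out in non-validation builds (as its name suggests; the definition is not on this page), production builds still truncate silently, as they did before the explicit cast. Since this value gates a write into the region, a real runtime check is worth having here: test `offset - region->stream_offset > UINT32_MAX` before the cast and fail the insert through the function's existing error return. The function continues outside the hunk.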
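Review bot: In the else branch of StreamingBufferSBBGetData (-1684) `offset` changes from `uint64_t` to a truncated `uint32_t` with no validation, and the next line uses it as a bounds test, `offset < sbb->len`. Before, a difference above 4 GiB failed that test; after the cast its low 32 bits can pass it and yield a `*data_len` that does not correspond to the region. Keeping the local 64-bit and casting only the result, `*data_len = (uint32_t)(sbb->len - offset);`, silences the warning without weakening the comparison. The else branches of StreamingBufferSBBGetDataAtOffset (-1713) and StreamingBufferSegmentGetData (-1746) make the same change.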
@@ -1713,19 +1735,21 @@ void StreamingBufferSBBGetDataAtOffset(const StreamingBuffer *sb, const StreamingBufferRegion *region = GetRegionForOffset(sb, offset); if (region) { - uint32_t sbblen = sbb->len - (offset - sbb->offset); + DEBUG_VALIDATE_BUG_ON(sbb->len - (offset - sbb->offset) > UINT32_MAX); + uint32_t sbblen = (uint32_t)(sbb->len - (offset - sbb->offset)); if (offset >= region->stream_offset) { - uint64_t data_offset = offset - region->stream_offset; + uint32_t data_offset = (uint32_t)(offset - region->stream_offset); *data = region->buf + data_offset; - if (data_offset + sbblen > region->buf_size) + if (data_offset + sbblen > region->buf_size) { *data_len = region->buf_size - data_offset; - else + } else { *data_len = sbblen; + } DEBUG_VALIDATE_BUG_ON(*data_len > sbblen); return; } else { - uint64_t data_offset = region->stream_offset - sbb->offset; + uint32_t data_offset = (uint32_t)(region->stream_offset - sbb->offset); if (data_offset < sbblen) { *data = region->buf; *data_len = sbblen - data_offset; @@ -1746,16 +1770,17 @@ void StreamingBufferSegmentGetData(const StreamingBuffer *sb, const StreamingBufferRegion *region = GetRegionForOffset(sb, seg->stream_offset); if (region) { if (seg->stream_offset >= region->stream_offset) { - uint64_t offset = seg->stream_offset - region->stream_offset; + uint32_t offset = (uint32_t)(seg->stream_offset - region->stream_offset); *data = region->buf + offset; - if (offset + seg->segment_len > region->buf_size) + if (offset + seg->segment_len > region->buf_size) { *data_len = region->buf_size - offset; - else + } else { *data_len = seg->segment_len; + } SCLogDebug("*data_len %u", *data_len); return; } else { - uint64_t offset = region->stream_offset - seg->stream_offset; + uint32_t offset = (uint32_t)(region->stream_offset - seg->stream_offset); if (offset < seg->segment_len) { *data = region->buf; *data_len = seg->segment_len - offset; 
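Review bot: With `data_offset` narrowed to `uint32_t` in StreamingBufferSBBGetDataAtOffset, the bounds test `data_offset + sbblen > region->buf_size` is now evaluated in 32 bits and can wrap, where the old `uint64_t` local forced a 64-bit sum. A wrapped sum takes the else branch and returns `*data_len = sbblen` for a pointer that is already `data_offset` bytes into the region, which would overstate the readable length. Keep the local as `uint64_t` and cast at the assignment instead, `*data_len = (uint32_t)(region->buf_size - data_offset);`, so the comparison keeps its original width. StreamingBufferSegmentGetData (-1746) has the same issue with `offset + seg->segment_len`.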
@@ -1812,7 +1837,8 @@ int StreamingBufferGetDataAtOffset (const StreamingBuffer *sb, const StreamingBufferRegion *region = GetRegionForOffset(sb, offset); if (region != NULL && region->buf != NULL && offset >= region->stream_offset && offset < (region->stream_offset + region->buf_offset)) { - uint32_t skip = offset - region->stream_offset; + DEBUG_VALIDATE_BUG_ON(offset - region->stream_offset > UINT32_MAX); + uint32_t skip = (uint32_t)(offset - region->stream_offset); *data = region->buf + skip; *data_len = region->buf_offset - skip; return 1; diff --git a/src/util-thash.c b/src/util-thash.c index 4c18c402a4ce..d840ae26d24b 100644 --- a/src/util-thash.c +++ b/src/util-thash.c @@ -302,7 +302,7 @@ static int THashInitConfig(THashTableContext *ctx, const char *cnf_prefix) return 0; } -THashTableContext *THashInit(const char *cnf_prefix, size_t data_size, +THashTableContext *THashInit(const char *cnf_prefix, uint32_t data_size, int (*DataSet)(void *, void *), void (*DataFree)(void *), uint32_t (*DataHash)(uint32_t, void *), bool (*DataCompare)(void *, void *), bool (*DataExpired)(void *, SCTime_t), uint32_t (*DataSize)(void *), bool reset_memcap, diff --git a/src/util-thash.h b/src/util-thash.h index 5d4a61f10b12..3a7aac204729 100644 --- a/src/util-thash.h +++ b/src/util-thash.h @@ -170,7 +170,7 @@ typedef struct THashTableContext_ { #define THashDecrUsecnt(h) \ (void)SC_ATOMIC_SUB((h)->use_cnt, 1) -THashTableContext *THashInit(const char *cnf_prefix, size_t data_size, +THashTableContext *THashInit(const char *cnf_prefix, uint32_t data_size, int (*DataSet)(void *dst, void *src), void (*DataFree)(void *), uint32_t (*DataHash)(uint32_t, void *), bool (*DataCompare)(void *, void *), bool (*DataExpired)(void *, SCTime_t), uint32_t (*DataSize)(void *), bool reset_memcap, diff --git a/src/util-threshold-config.c b/src/util-threshold-config.c index 6df1eebb0798..6bedfcd94c91 100644 --- a/src/util-threshold-config.c +++ b/src/util-threshold-config.c 
@@ -957,12 +957,12 @@ static int SCThresholdConfLineIsMultiline(char *line) { int flag = 0; char *rline = line; - int len = strlen(line); + size_t len = strlen(line); while (line < rline + len && *line != '\n') { /* we have a comment */ if (*line == '\\') - flag = line - rline; + flag = (int)(line - rline); else if (!isspace((unsigned char)*line)) flag = 0; diff --git a/src/util-time.c b/src/util-time.c index 9900f1b94bd3..67b3fd49444f 100644 --- a/src/util-time.c +++ b/src/util-time.c @@ -549,7 +549,7 @@ int SCTimeToStringPattern (time_t epoch, const char *pattern, char *str, size_t return 1; } - int r = strftime(buffer, sizeof(buffer), pattern, tp); + size_t r = strftime(buffer, sizeof(buffer), pattern, tp); if (r == 0) { return 1; } diff --git a/src/util-var-name.c b/src/util-var-name.c index 6bcb0331a2e3..a93109442bd1 100644 --- a/src/util-var-name.c +++ b/src/util-var-name.c @@ -329,7 +329,8 @@ uint32_t VarNameStoreLookupByName(const char *name, const enum VarTypes type) static uint32_t VariableNameHash(HashListTable *ht, void *buf, uint16_t buflen) { VariableName *vn = (VariableName *)buf; - uint32_t hash = StringHashDjb2((const uint8_t *)vn->name, strlen(vn->name)) + vn->type; + uint32_t hash = + StringHashDjb2((const uint8_t *)vn->name, (uint32_t)strlen(vn->name)) + vn->type; return (hash % VARNAME_HASHSIZE); } From 7b350e993398cd5eb38a0b6301fc24d0c9b21ad5 Mon Sep 17 00:00:00 2001 From: Alice Akaki Date: Sun, 9 Feb 2025 00:50:25 -0400 Subject: [PATCH 02/11] misc: fix name prefix in detect register functions --- rust/src/applayertemplate/detect.rs | 2 +- rust/src/enip/detect.rs | 2 +- rust/src/ldap/detect.rs | 2 +- rust/src/mqtt/detect.rs | 2 +- rust/src/rfb/detect.rs | 2 +- rust/src/sip/detect.rs | 2 +- rust/src/snmp/detect.rs | 2 +- rust/src/websocket/detect.rs | 2 +- scripts/setup-app-layer.py | 4 ++-- src/detect-engine-register.c | 16 ++++++++-------- 10 files changed, 18 insertions(+), 18 deletions(-) 
diff --git a/rust/src/applayertemplate/detect.rs b/rust/src/applayertemplate/detect.rs index 9eaf880ed785..47f7f040fb83 100644 --- a/rust/src/applayertemplate/detect.rs +++ b/rust/src/applayertemplate/detect.rs @@ -76,7 +76,7 @@ unsafe extern "C" fn template_buffer_get( } #[no_mangle] -pub unsafe extern "C" fn ScDetectTemplateRegister() { +pub unsafe extern "C" fn SCDetectTemplateRegister() { /* TEMPLATE_START_REMOVE */ if conf_get_node("app-layer.protocols.template").is_none() { return; diff --git a/rust/src/enip/detect.rs b/rust/src/enip/detect.rs index c652aa01ca24..0e95fdb36780 100644 --- a/rust/src/enip/detect.rs +++ b/rust/src/enip/detect.rs @@ -1330,7 +1330,7 @@ unsafe extern "C" fn service_name_get_data( ); } #[no_mangle] -pub unsafe extern "C" fn ScDetectEnipRegister() { +pub unsafe extern "C" fn SCDetectEnipRegister() { let kw = SCSigTableElmt { name: b"cip_service\0".as_ptr() as *const libc::c_char, desc: b"match on CIP Service, and optionnally class and attribute\0".as_ptr() diff --git a/rust/src/ldap/detect.rs b/rust/src/ldap/detect.rs index 3745630bfe59..fbd0c56f5ae2 100644 --- a/rust/src/ldap/detect.rs +++ b/rust/src/ldap/detect.rs @@ -264,7 +264,7 @@ unsafe extern "C" fn ldap_detect_responses_count_free(_de: *mut c_void, ctx: *mu } #[no_mangle] -pub unsafe extern "C" fn ScDetectLdapRegister() { +pub unsafe extern "C" fn SCDetectLdapRegister() { let kw = SCSigTableElmt { name: b"ldap.request.operation\0".as_ptr() as *const libc::c_char, desc: b"match LDAP request operation\0".as_ptr() as *const libc::c_char, diff --git a/rust/src/mqtt/detect.rs b/rust/src/mqtt/detect.rs index 13ad30285fe9..bbaa3a2c1dd7 100644 --- a/rust/src/mqtt/detect.rs +++ b/rust/src/mqtt/detect.rs 
@@ -1099,7 +1099,7 @@ unsafe extern "C" fn mqtt_conn_clientid_get_data( } #[no_mangle] -pub unsafe extern "C" fn ScDetectMqttRegister() { +pub unsafe extern "C" fn SCDetectMqttRegister() { let keyword_name = b"mqtt.unsubscribe.topic\0".as_ptr() as *const libc::c_char; let kw = SCSigTableElmt { name: keyword_name, diff --git a/rust/src/rfb/detect.rs b/rust/src/rfb/detect.rs index 81919330cc29..9f724d7cd305 100644 --- a/rust/src/rfb/detect.rs +++ b/rust/src/rfb/detect.rs @@ -187,7 +187,7 @@ unsafe extern "C" fn rfb_sec_result_free(_de: *mut c_void, ctx: *mut c_void) { } #[no_mangle] -pub unsafe extern "C" fn ScDetectRfbRegister() { +pub unsafe extern "C" fn SCDetectRfbRegister() { let kw = SCSigTableElmt { name: b"rfb.name\0".as_ptr() as *const libc::c_char, desc: b"sticky buffer to match on the RFB desktop name\0".as_ptr() as *const libc::c_char, diff --git a/rust/src/sip/detect.rs b/rust/src/sip/detect.rs index ff2ec3e06e13..c8f3b92f10ba 100644 --- a/rust/src/sip/detect.rs +++ b/rust/src/sip/detect.rs @@ -578,7 +578,7 @@ unsafe extern "C" fn sip_content_length_hdr_get_data( return false; } #[no_mangle] -pub unsafe extern "C" fn ScDetectSipRegister() { +pub unsafe extern "C" fn SCDetectSipRegister() { let kw = SCSigTableElmt { name: b"sip.protocol\0".as_ptr() as *const libc::c_char, desc: b"sticky buffer to match on the SIP protocol\0".as_ptr() as *const libc::c_char, diff --git a/rust/src/snmp/detect.rs b/rust/src/snmp/detect.rs index 2f9851bbdff7..0c07538c7fe2 100644 --- a/rust/src/snmp/detect.rs +++ b/rust/src/snmp/detect.rs @@ -183,7 +183,7 @@ pub unsafe extern "C" fn snmp_detect_community_get_data( ); } #[no_mangle] -pub unsafe extern "C" fn ScDetectSNMPRegister() { +pub unsafe extern "C" fn SCDetectSNMPRegister() { let kw = SCSigTableElmt { name: b"snmp.version\0".as_ptr() as *const libc::c_char, desc: b"match SNMP version\0".as_ptr() as *const libc::c_char, 
diff --git a/rust/src/websocket/detect.rs b/rust/src/websocket/detect.rs index f7f3cc9d46de..2d4614ae5ac0 100644 --- a/rust/src/websocket/detect.rs +++ b/rust/src/websocket/detect.rs @@ -277,7 +277,7 @@ pub unsafe extern "C" fn websocket_detect_payload_get_data( } #[no_mangle] -pub unsafe extern "C" fn ScDetectWebsocketRegister() { +pub unsafe extern "C" fn SCDetectWebsocketRegister() { let kw = SCSigTableElmt { name: b"websocket.opcode\0".as_ptr() as *const libc::c_char, desc: b"match WebSocket opcode\0".as_ptr() as *const libc::c_char, diff --git a/scripts/setup-app-layer.py b/scripts/setup-app-layer.py index f94e68ae7d7e..ca2ecc5b16ac 100755 --- a/scripts/setup-app-layer.py +++ b/scripts/setup-app-layer.py @@ -255,10 +255,10 @@ def detect_patch_detect_engine_register_c(protoname): output = io.StringIO() with open(filename) as infile: for line in infile: - if line.find("ScDetect%sRegister" % protoname) > -1: + if line.find("SCDetect%sRegister" % protoname) > -1: # patch already applied return - if line.find("ScDetectTemplateRegister") > -1: + if line.find("SCDetectTemplateRegister") > -1: new = line.replace("Template", "%s" % protoname) output.write(new) output.write(line) diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c index 658c17150aec..88b77ec3ce3f 100644 --- a/src/detect-engine-register.c +++ b/src/detect-engine-register.c 
@@ -734,15 +734,15 @@ void SigTableSetup(void) DetectVlanLayersRegister(); SCDetectSMTPRegister(); - ScDetectSNMPRegister(); + SCDetectSNMPRegister(); SCDetectDHCPRegister(); - ScDetectWebsocketRegister(); - ScDetectEnipRegister(); - ScDetectMqttRegister(); - ScDetectRfbRegister(); - ScDetectSipRegister(); - ScDetectTemplateRegister(); - ScDetectLdapRegister(); + SCDetectWebsocketRegister(); + SCDetectEnipRegister(); + SCDetectMqttRegister(); + SCDetectRfbRegister(); + SCDetectSipRegister(); + SCDetectTemplateRegister(); + SCDetectLdapRegister(); for (size_t i = 0; i < preregistered_callbacks_nb; i++) { PreregisteredCallbacks[i](); From 31ee18b5bebee36b5d12f46077ce6bd1405d1c44 Mon Sep 17 00:00:00 2001 From: Alice Akaki Date: Tue, 18 Feb 2025 19:56:43 -0400 Subject: [PATCH 03/11] doc: replace 'eve' with 'EVE' in the LDAP keywords documentation --- doc/userguide/rules/ldap-keywords.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/userguide/rules/ldap-keywords.rst b/doc/userguide/rules/ldap-keywords.rst index d3ea306c0811..60c01af726b2 100644 --- a/doc/userguide/rules/ldap-keywords.rst +++ b/doc/userguide/rules/ldap-keywords.rst @@ -52,7 +52,7 @@ Syntax:: ldap.request.operation uses :ref:`unsigned 8-bit integer `. -This keyword maps to the eve field ``ldap.request.operation`` +This keyword maps to the EVE field ``ldap.request.operation`` Examples ^^^^^^^^ @@ -79,7 +79,7 @@ Syntax:: ldap.responses.operation uses :ref:`unsigned 8-bit integer `. -This keyword maps to the eve field ``ldap.responses[].operation`` +This keyword maps to the EVE field ``ldap.responses[].operation`` An LDAP request operation can receive multiple responses. By default, the ldap.responses.operation keyword matches all indices, but it is possible to specify a particular index for matching 
@@ -147,7 +147,7 @@ It can be matched exactly, or compared using the ``op`` setting:: ldap.responses.count uses :ref:`unsigned 32-bit integer `. -This keyword maps to the eve field ``len(ldap.responses[])`` +This keyword maps to the EVE field ``len(ldap.responses[])`` Examples ^^^^^^^^ From 8f807fcfcf0889c4ab8d657b06066d59f79e2695 Mon Sep 17 00:00:00 2001 From: Alice Akaki Date: Tue, 18 Feb 2025 20:00:36 -0400 Subject: [PATCH 04/11] doc: use the ldap protocol in rule examples in the LDAP keywords documentation --- doc/userguide/rules/ldap-keywords.rst | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/doc/userguide/rules/ldap-keywords.rst b/doc/userguide/rules/ldap-keywords.rst index 60c01af726b2..b839f4f7a0bc 100644 --- a/doc/userguide/rules/ldap-keywords.rst +++ b/doc/userguide/rules/ldap-keywords.rst @@ -61,11 +61,11 @@ Example of a signatures that would alert if the packet has an LDAP bind request .. container:: example-rule - alert tcp any any -> any any (msg:"Test LDAP bind request"; :example-rule-emphasis:`ldap.request.operation:0;` sid:1;) + alert ldap any any -> any any (msg:"Test LDAP bind request"; :example-rule-emphasis:`ldap.request.operation:0;` sid:1;) .. container:: example-rule - alert tcp any any -> any any (msg:"Test LDAP bind request"; :example-rule-emphasis:`ldap.request.operation:bind_request;` sid:1;) + alert ldap any any -> any any (msg:"Test LDAP bind request"; :example-rule-emphasis:`ldap.request.operation:bind_request;` sid:1;) ldap.responses.operation ------------------------ 
@@ -104,23 +104,23 @@ Example of a signatures that would alert if the packet has an LDAP bind response .. container:: example-rule - alert tcp any any -> any any (msg:"Test LDAP bind response"; :example-rule-emphasis:`ldap.responses.operation:1;` sid:1;) + alert ldap any any -> any any (msg:"Test LDAP bind response"; :example-rule-emphasis:`ldap.responses.operation:1;` sid:1;) .. container:: example-rule - alert tcp any any -> any any (msg:"Test LDAP bind response"; :example-rule-emphasis:`ldap.responses.operation:bind_response;` sid:1;) + alert ldap any any -> any any (msg:"Test LDAP bind response"; :example-rule-emphasis:`ldap.responses.operation:bind_response;` sid:1;) Example of a signature that would alert if the packet has an LDAP search_result_done response operation at index 1: .. container:: example-rule - alert tcp any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:`ldap.responses.operation:search_result_done,1;` sid:1;) + alert ldap any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:`ldap.responses.operation:search_result_done,1;` sid:1;) Example of a signature that would alert if all the responses are of type search_result_entry: .. container:: example-rule - alert tcp any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:`ldap.responses.operation:search_result_entry,all;` sid:1;) + alert ldap any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:`ldap.responses.operation:search_result_entry,all;` sid:1;) The keyword ldap.responses.operation supports back to front indexing with negative numbers, this means that -1 will represent the last index, -2 the second to last index, and so on. 
@@ -128,7 +128,7 @@ This is an example of a signature that would alert if a search_result_entry resp .. container:: example-rule - alert tcp any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:`ldap.responses.operation:search_result_entry,-1;` sid:1;) + alert ldap any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:`ldap.responses.operation:search_result_entry,-1;` sid:1;) ldap.responses.count -------------------- @@ -156,10 +156,10 @@ Example of a signature that would alert if a packet has 0 LDAP responses: .. container:: example-rule - alert ip any any -> any any (msg:"Packet has 0 LDAP responses"; :example-rule-emphasis:`ldap.responses.count:0;` sid:1;) + alert ldap any any -> any any (msg:"Packet has 0 LDAP responses"; :example-rule-emphasis:`ldap.responses.count:0;` sid:1;) Example of a signature that would alert if a packet has more than 2 LDAP responses: .. container:: example-rule - alert ip any any -> any any (msg:"Packet has more than 2 LDAP responses"; :example-rule-emphasis:`ldap.responses.count:>2;` sid:1;) + alert ldap any any -> any any (msg:"Packet has more than 2 LDAP responses"; :example-rule-emphasis:`ldap.responses.count:>2;` sid:1;) From 16dcee46fc8a9f15f07535ff60658492c5c04baa Mon Sep 17 00:00:00 2001 From: Alice Akaki Date: Mon, 3 Feb 2025 22:37:15 -0400 Subject: [PATCH 05/11] detect: add ldap.request.dn ldap.request.dn matches on LDAPDN from request operations This keyword maps the following eve fields: ldap.request.bind_request.name ldap.request.add_request.entry ldap.request.search_request.base_object ldap.request.modify_request.object ldap.request.del_request.dn ldap.request.mod_dn_request.entry ldap.request.compare_request.entry It is a sticky buffer Supports prefiltering Ticket: #7471 --- doc/userguide/rules/ldap-keywords.rst | 42 ++++++++++++++ rust/src/ldap/detect.rs | 79 ++++++++++++++++++++++++++- 2 files changed, 118 insertions(+), 3 deletions(-) 
diff --git a/doc/userguide/rules/ldap-keywords.rst b/doc/userguide/rules/ldap-keywords.rst index b839f4f7a0bc..47e240a19166 100644 --- a/doc/userguide/rules/ldap-keywords.rst +++ b/doc/userguide/rules/ldap-keywords.rst @@ -163,3 +163,45 @@ Example of a signature that would alert if a packet has more than 2 LDAP respons .. container:: example-rule alert ldap any any -> any any (msg:"Packet has more than 2 LDAP responses"; :example-rule-emphasis:`ldap.responses.count:>2;` sid:1;) + +ldap.request.dn +--------------- + +Matches on LDAP distinguished names from request operations. + +Comparison is case-sensitive. + +Syntax:: + + ldap.request.dn; content:dc=example,dc=com; + +``ldap.request.dn`` is a 'sticky buffer' and can be used as a ``fast_pattern``. + +This keyword maps to the EVE fields: +``ldap.request.bind_request.name`` +``ldap.request.add_request.entry`` +``ldap.request.search_request.base_object`` +``ldap.request.modify_request.object`` +``ldap.request.del_request.dn`` +``ldap.request.mod_dn_request.entry`` +``ldap.request.compare_request.entry`` + +Example +^^^^^^^ + +Example of a signature that would alert if a packet has the LDAP distinguished name ``uid=jdoe,ou=People,dc=example,dc=com``: + +.. container:: example-rule + + alert ldap any any -> any any (msg:"Test LDAPDN"; :example-rule-emphasis:`ldap.request.dn; content:"uid=jdoe,ou=People,dc=example,dc=com";` sid:1;) + +It is possible to use the keyword ``ldap.request.operation`` in the same rule to +specify the operation to match. + +Here is an example of a signature that would alert if a packet has an LDAP +search request operation and contains the LDAP distinguished name +``dc=example,dc=com``. + +.. container:: example-rule + + alert ldap any any -> any any (msg:"Test LDAPDN and operation"; :example-rule-emphasis:`ldap.request.operation:search_request; ldap.request.dn; content:"dc=example,dc=com";` sid:1;) 
diff --git a/rust/src/ldap/detect.rs b/rust/src/ldap/detect.rs index fbd0c56f5ae2..6088575112ef 100644 --- a/rust/src/ldap/detect.rs +++ b/rust/src/ldap/detect.rs @@ -21,10 +21,11 @@ use crate::detect::uint::{ rs_detect_u8_free, rs_detect_u8_match, DetectUintData, }; use crate::detect::{ - DetectHelperBufferRegister, DetectHelperKeywordRegister, DetectSignatureSetAppProto, - SCSigTableElmt, SigMatchAppendSMToList, + DetectBufferSetActiveList, DetectHelperBufferMpmRegister, DetectHelperBufferRegister, + DetectHelperGetData, DetectHelperKeywordRegister, DetectSignatureSetAppProto, SCSigTableElmt, + SigMatchAppendSMToList, SIGMATCH_INFO_STICKY_BUFFER, SIGMATCH_NOOPT, }; -use crate::ldap::types::{LdapMessage, ProtocolOpCode}; +use crate::ldap::types::{LdapMessage, ProtocolOp, ProtocolOpCode}; use std::ffi::CStr; use std::os::raw::{c_int, c_void}; @@ -53,6 +54,7 @@ static mut G_LDAP_RESPONSES_OPERATION_KW_ID: c_int = 0; static mut G_LDAP_RESPONSES_OPERATION_BUFFER_ID: c_int = 0; static mut G_LDAP_RESPONSES_COUNT_KW_ID: c_int = 0; static mut G_LDAP_RESPONSES_COUNT_BUFFER_ID: c_int = 0; +static mut G_LDAP_REQUEST_DN_BUFFER_ID: c_int = 0; unsafe extern "C" fn ldap_parse_protocol_req_op( ustr: *const std::os::raw::c_char, 
@@ -263,6 +265,59 @@ unsafe extern "C" fn ldap_detect_responses_count_free(_de: *mut c_void, ctx: *mu rs_detect_u32_free(ctx); } +unsafe extern "C" fn ldap_detect_request_dn_setup( + de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char, +) -> c_int { + if DetectSignatureSetAppProto(s, ALPROTO_LDAP) != 0 { + return -1; + } + if DetectBufferSetActiveList(de, s, G_LDAP_REQUEST_DN_BUFFER_ID) < 0 { + return -1; + } + return 0; +} + +unsafe extern "C" fn ldap_detect_request_dn_get_data( + de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, + tx: *const c_void, list_id: c_int, +) -> *mut c_void { + return DetectHelperGetData( + de, + transforms, + flow, + flow_flags, + tx, + list_id, + ldap_tx_get_request_dn, + ); +} + +unsafe extern "C" fn ldap_tx_get_request_dn( + tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, +) -> bool { + let tx = cast_pointer!(tx, LdapTransaction); + + *buffer = std::ptr::null(); + *buffer_len = 0; + + if let Some(request) = &tx.request { + let str_buffer: &str = match &request.protocol_op { + ProtocolOp::BindRequest(req) => req.name.0.as_str(), + ProtocolOp::AddRequest(req) => req.entry.0.as_str(), + ProtocolOp::SearchRequest(req) => req.base_object.0.as_str(), + ProtocolOp::ModifyRequest(req) => req.object.0.as_str(), + ProtocolOp::DelRequest(req) => req.0.as_str(), + ProtocolOp::ModDnRequest(req) => req.entry.0.as_str(), + ProtocolOp::CompareRequest(req) => req.entry.0.as_str(), + _ => return false, + }; + *buffer = str_buffer.as_ptr(); + *buffer_len = str_buffer.len() as u32; + return true; + } + return false; +} + #[no_mangle] pub unsafe extern "C" fn SCDetectLdapRegister() { let kw = SCSigTableElmt { 
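Review bot: ldap_tx_get_request_dn writes through the raw `buffer` / `buffer_len` out-pointers and hands back a pointer into the transaction's parsed request, but nothing in the function states those contracts. I would add a comment above the function along the lines of `// SAFETY: buffer and buffer_len must be valid for writes; the returned bytes borrow from tx and are not NUL-terminated`, after confirming with DetectHelperGetData how long the engine keeps the pointer. Separately, `str_buffer.len() as u32` truncates silently; `u32::try_from(str_buffer.len())` with a `false` return on error would keep pointer and length consistent.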
@@ -314,4 +369,22 @@ pub unsafe extern "C" fn SCDetectLdapRegister() { true, //to client false, //to server ); + let kw = SCSigTableElmt { + name: b"ldap.request.dn\0".as_ptr() as *const libc::c_char, + desc: b"match request LDAPDN\0".as_ptr() as *const libc::c_char, + url: b"/rules/ldap-keywords.html#ldap.request.dn\0".as_ptr() as *const libc::c_char, + Setup: ldap_detect_request_dn_setup, + flags: SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER, + AppLayerTxMatch: None, + Free: None, + }; + let _g_ldap_request_dn_kw_id = DetectHelperKeywordRegister(&kw); + G_LDAP_REQUEST_DN_BUFFER_ID = DetectHelperBufferMpmRegister( + b"ldap.request.dn\0".as_ptr() as *const libc::c_char, + b"LDAP REQUEST DISTINGUISHED_NAME\0".as_ptr() as *const libc::c_char, + ALPROTO_LDAP, + false, //to client + true, //to server + ldap_detect_request_dn_get_data, + ); } From 73ae6e997f6c325b9ef2df8f715f921be441b5b0 Mon Sep 17 00:00:00 2001 From: Alice Akaki Date: Thu, 6 Feb 2025 00:16:20 -0400 Subject: [PATCH 06/11] detect: add ldap.responses.dn ldap.responses.dn matches on LDAPDN from responses operations This keyword maps the following eve fields: ldap.responses[].search_result_entry.base_object ldap.responses[].bind_response.matched_dn ldap.responses[].search_result_done.matched_dn ldap.responses[].modify_response.matched_dn ldap.responses[].add_response.matched_dn ldap.responses[].del_response.matched_dn ldap.responses[].mod_dn_response.matched_dn ldap.responses[].compare_response.matched_dn ldap.responses[].extended_response.matched_dn It is a sticky buffer Supports prefiltering Ticket: #7471 --- doc/userguide/rules/ldap-keywords.rst | 46 +++++++++++++++ rust/src/ldap/detect.rs | 81 ++++++++++++++++++++++++++- 2 files changed, 126 insertions(+), 1 deletion(-) diff --git a/doc/userguide/rules/ldap-keywords.rst b/doc/userguide/rules/ldap-keywords.rst index 47e240a19166..b37d099bf203 100644 --- a/doc/userguide/rules/ldap-keywords.rst +++ b/doc/userguide/rules/ldap-keywords.rst 
@@ -205,3 +205,49 @@ search request operation and contains the LDAP distinguished name .. container:: example-rule alert ldap any any -> any any (msg:"Test LDAPDN and operation"; :example-rule-emphasis:`ldap.request.operation:search_request; ldap.request.dn; content:"dc=example,dc=com";` sid:1;) + +ldap.responses.dn +----------------- + +Matches on LDAP distinguished names from response operations. + +Comparison is case-sensitive. + +Syntax:: + + ldap.responses.dn; content:dc=example,dc=com; + +``ldap.responses.dn`` is a 'sticky buffer' and can be used as a ``fast_pattern``. + +``ldap.responses.dn`` supports multiple buffer matching, see :doc:`multi-buffer-matching`. + +This keyword maps to the EVE fields: +``ldap.responses[].search_result_entry.base_object`` +``ldap.responses[].bind_response.matched_dn`` +``ldap.responses[].search_result_done.matched_dn`` +``ldap.responses[].modify_response.matched_dn`` +``ldap.responses[].add_response.matched_dn`` +``ldap.responses[].del_response.matched_dn`` +``ldap.responses[].mod_dn_response.matched_dn`` +``ldap.responses[].compare_response.matched_dn`` +``ldap.responses[].extended_response.matched_dn`` + +Example +^^^^^^^ + +Example of a signature that would alert if a packet has the LDAP distinguished name ``dc=example,dc=com``: + +.. container:: example-rule + + alert ldap any any -> any any (msg:"Test LDAPDN"; :example-rule-emphasis:`ldap.responses.dn; content:"dc=example,dc=com";` sid:1;) + +It is possible to use the keyword ``ldap.responses.operation`` in the same rule to +specify the operation to match. + +Here is an example of a signature that would alert if a packet has an LDAP +search result entry operation at index 1 on the responses array, +and contains the LDAP distinguished name ``dc=example,dc=com``. + +.. 
container:: example-rule + + alert ldap any any -> any any (msg:"Test LDAPDN and operation"; :example-rule-emphasis:`ldap.responses.operation:search_result_entry,1; ldap.responses.dn; content:"dc=example,dc=com";` sid:1;) diff --git a/rust/src/ldap/detect.rs b/rust/src/ldap/detect.rs index 6088575112ef..c982be5148e7 100644 --- a/rust/src/ldap/detect.rs +++ b/rust/src/ldap/detect.rs @@ -22,7 +22,8 @@ use crate::detect::uint::{ }; use crate::detect::{ DetectBufferSetActiveList, DetectHelperBufferMpmRegister, DetectHelperBufferRegister, - DetectHelperGetData, DetectHelperKeywordRegister, DetectSignatureSetAppProto, SCSigTableElmt, + DetectHelperGetData, DetectHelperGetMultiData, DetectHelperKeywordRegister, + DetectHelperMultiBufferMpmRegister, DetectSignatureSetAppProto, SCSigTableElmt, SigMatchAppendSMToList, SIGMATCH_INFO_STICKY_BUFFER, SIGMATCH_NOOPT, }; use crate::ldap::types::{LdapMessage, ProtocolOp, ProtocolOpCode}; @@ -55,6 +56,7 @@ static mut G_LDAP_RESPONSES_OPERATION_BUFFER_ID: c_int = 0; static mut G_LDAP_RESPONSES_COUNT_KW_ID: c_int = 0; static mut G_LDAP_RESPONSES_COUNT_BUFFER_ID: c_int = 0; static mut G_LDAP_REQUEST_DN_BUFFER_ID: c_int = 0; +static mut G_LDAP_RESPONSES_DN_BUFFER_ID: c_int = 0; unsafe extern "C" fn ldap_parse_protocol_req_op( ustr: *const std::os::raw::c_char, 
@@ -318,6 +320,65 @@ unsafe extern "C" fn ldap_tx_get_request_dn( return false; } +unsafe extern "C" fn ldap_detect_responses_dn_setup( + de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char, +) -> c_int { + if DetectSignatureSetAppProto(s, ALPROTO_LDAP) != 0 { + return -1; + } + if DetectBufferSetActiveList(de, s, G_LDAP_RESPONSES_DN_BUFFER_ID) < 0 { + return -1; + } + return 0; +} + +unsafe extern "C" fn ldap_detect_responses_dn_get_data( + de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, + tx: *const c_void, list_id: c_int, local_id: u32, +) -> *mut c_void { + return DetectHelperGetMultiData( + de, + transforms, + flow, + flow_flags, + tx, + list_id, + local_id, + ldap_tx_get_responses_dn, + ); +} + +unsafe extern "C" fn ldap_tx_get_responses_dn( + tx: *const c_void, _flags: u8, local_id: u32, buffer: *mut *const u8, buffer_len: *mut u32, +) -> bool { + let tx = cast_pointer!(tx, LdapTransaction); + + if local_id as usize >= tx.responses.len() { + return false; + } + *buffer = std::ptr::null(); + *buffer_len = 0; + + let response = &tx.responses[local_id as usize]; + // We expect every response in one tx to be the same protocol_op + let str_buffer: &str = match &response.protocol_op { + ProtocolOp::SearchResultEntry(req) => req.object_name.0.as_str(), + ProtocolOp::BindResponse(req) => req.result.matched_dn.0.as_str(), + ProtocolOp::SearchResultDone(req) => req.matched_dn.0.as_str(), + ProtocolOp::ModifyResponse(req) => req.result.matched_dn.0.as_str(), + ProtocolOp::AddResponse(req) => req.matched_dn.0.as_str(), + ProtocolOp::DelResponse(req) => req.matched_dn.0.as_str(), + ProtocolOp::ModDnResponse(req) => req.matched_dn.0.as_str(), + ProtocolOp::CompareResponse(req) => req.matched_dn.0.as_str(), + ProtocolOp::ExtendedResponse(req) => req.result.matched_dn.0.as_str(), + _ => return false, + }; + + *buffer = str_buffer.as_ptr(); + *buffer_len = str_buffer.len() as u32; + return true; +} + #[no_mangle] pub unsafe 
extern "C" fn SCDetectLdapRegister() { let kw = SCSigTableElmt { @@ -387,4 +448,22 @@ pub unsafe extern "C" fn SCDetectLdapRegister() { true, //to server ldap_detect_request_dn_get_data, ); + let kw = SCSigTableElmt { + name: b"ldap.responses.dn\0".as_ptr() as *const libc::c_char, + desc: b"match responses LDAPDN\0".as_ptr() as *const libc::c_char, + url: b"/rules/ldap-keywords.html#ldap.responses.dn\0".as_ptr() as *const libc::c_char, + Setup: ldap_detect_responses_dn_setup, + flags: SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER, + AppLayerTxMatch: None, + Free: None, + }; + let _g_ldap_responses_dn_kw_id = DetectHelperKeywordRegister(&kw); + G_LDAP_RESPONSES_DN_BUFFER_ID = DetectHelperMultiBufferMpmRegister( + b"ldap.responses.dn\0".as_ptr() as *const libc::c_char, + b"LDAP RESPONSES DISTINGUISHED_NAME\0".as_ptr() as *const libc::c_char, + ALPROTO_LDAP, + true, //to client + false, //to server + ldap_detect_responses_dn_get_data, + ); } From 4cdb87953859d03f6108826bb168c00b88d135f8 Mon Sep 17 00:00:00 2001 From: Jason Ish Date: Wed, 19 Feb 2025 15:31:31 -0600 Subject: [PATCH 07/11] rust/bindgen: use temp file to generating bindings Prefixing a file with sed doesn't appear to be portable. Instead, make use of a temporary file. Fixes generating the bindings on FreeBSD and Mac. --- rust/Makefile.am | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rust/Makefile.am b/rust/Makefile.am index a751bb85a3aa..a258003a8af9 100644 --- a/rust/Makefile.am +++ b/rust/Makefile.am @@ -108,7 +108,7 @@ vendor: update-bindings: if HAVE_BINDGEN $(BINDGEN) \ - -o sys/src/sys.rs \ + -o sys/src/sys.rs.tmp \ --rust-target 1.68 \ --no-layout-tests \ --disable-header-comment \ 
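Review bot: In ldap_tx_get_responses_dn the `local_id` range check returns `false` before `*buffer` and `*buffer_len` are reset, so on that path the out-parameters keep whatever the caller passed in. ldap_tx_get_request_dn in the same file clears them before any return. Moving `*buffer = std::ptr::null();` and `*buffer_len = 0;` above `if local_id as usize >= tx.responses.len() {` makes every `false` return leave a null/zero pair. The comment `// We expect every response in one tx to be the same protocol_op` describes nothing the `match` below relies on, and may not hold for a search that yields entries followed by a done message; I would reword or drop it.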
@@ -120,7 +120,9 @@ if HAVE_BINDGEN $(abs_top_srcdir)/src/bindgen.h \ -- \ -DHAVE_CONFIG_H -I../src -I../rust/gen $(CPPFLAGS) - sed -i '1i\// This file is automatically generated. Do not edit.\n' sys/src/sys.rs + printf "// This file is automatically generated. Do not edit.\n\n" > sys/src/sys.rs + cat sys/src/sys.rs.tmp >> sys/src/sys.rs + rm -f sys/src/sys.rs.tmp else @echo "error: bindgen not installed, can't update bindings" exit 1 From a551674eae4f1e46aae79ad96b9586b3d6cc8bdc Mon Sep 17 00:00:00 2001 From: Shivani Bhardwaj Date: Wed, 19 Feb 2025 13:28:47 +0530 Subject: [PATCH 08/11] dcerpc: add iface to dcerpc request event so as to avoid extra steps for correlation among events to find this information. Feature 7565 --- rust/src/dcerpc/log.rs | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/rust/src/dcerpc/log.rs b/rust/src/dcerpc/log.rs index bbcd00111a4b..5f82c709acdb 100644 --- a/rust/src/dcerpc/log.rs +++ b/rust/src/dcerpc/log.rs @@ -20,6 +20,24 @@ use crate::dcerpc::dcerpc::*; use crate::dcerpc::dcerpc_udp::*; use crate::jsonbuilder::{JsonBuilder, JsonError}; +fn log_bind_interfaces(jsb: &mut JsonBuilder, state: &DCERPCState) -> Result<(), JsonError> { + if let Some(bind) = &state.bind { + jsb.open_array("interfaces")?; + for uuid in &bind.uuid_list { + jsb.start_object()?; + let ifstr = Uuid::from_slice(uuid.uuid.as_slice()); + let ifstr = ifstr.map(|uuid| uuid.to_hyphenated().to_string()).unwrap(); + jsb.set_string("uuid", &ifstr)?; + let vstr = format!("{}.{}", uuid.version, uuid.versionminor); + jsb.set_string("version", &vstr)?; + jsb.set_uint("ack_result", uuid.result as u64)?; + jsb.close()?; + } + jsb.close()?; + } + return Ok(()); +} + fn log_dcerpc_header_tcp( jsb: &mut JsonBuilder, state: &DCERPCState, tx: &DCERPCTransaction, ) -> Result<(), JsonError> { 
@@ -32,21 +50,9 @@ fn log_dcerpc_header_tcp( jsb.set_uint("frag_cnt", tx.frag_cnt_ts as u64)?; jsb.set_uint("stub_data_size", tx.stub_data_buffer_ts.len() as u64)?; jsb.close()?; + log_bind_interfaces(jsb, state)?; } - DCERPC_TYPE_BIND => if let Some(bind) = &state.bind { - jsb.open_array("interfaces")?; - for uuid in &bind.uuid_list { - jsb.start_object()?; - let ifstr = Uuid::from_slice(uuid.uuid.as_slice()); - let ifstr = ifstr.map(|uuid| uuid.to_hyphenated().to_string()).unwrap(); - jsb.set_string("uuid", &ifstr)?; - let vstr = format!("{}.{}", uuid.version, uuid.versionminor); - jsb.set_string("version", &vstr)?; - jsb.set_uint("ack_result", uuid.result as u64)?; - jsb.close()?; - } - jsb.close()?; - }, + DCERPC_TYPE_BIND => log_bind_interfaces(jsb, state)?, _ => {} } } else { From e45204aecf03eaeb67f33078891f3b589652a062 Mon Sep 17 00:00:00 2001 
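Review bot: The call added after the `req` object is closed writes every entry of `bind.uuid_list` into each request event, not the interface the request addresses. On a connection that bound several interfaces, the event still does not say which one was called. If the transaction records the request's context id (not visible in this hunk), filtering the list on it would give the correlation the commit message describes. Otherwise a comment above the call should state the behaviour, for example `// lists every interface from the bind, not only the one this request targets`. The body of `log_dcerpc_header_tcp` continues outside the hunk.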
From: Jeff Lucovsky Date: Thu, 10 Oct 2024 09:31:12 -0400 Subject: [PATCH 09/11] detect/transform: Refactor setup/apply pattern git grep -A 1 -w InspectionBufferSetup shows many cases of the following call patterns: - InspectionBufferSetup - InspectionBufferApplyTransforms Refactor the implementations of those functions into InspectionBufferSetupAndApplyTransforms to reduce function call count. Issue: 2290 (related to changed for this issue) --- src/detect-dce-stub-data.c | 8 ++-- src/detect-dnp3.c | 4 +- src/detect-engine-helper.c | 3 +- src/detect-engine.c | 59 +++++++++++++++++++-------- src/detect-engine.h | 3 ++ src/detect-ftp-command.c | 5 +-- src/detect-http-cookie.c | 14 +++---- src/detect-http-header-names.c | 7 ++-- src/detect-http-header.c | 11 +++-- src/detect-http-headers-stub.h | 14 +++---- src/detect-http-host.c | 14 +++---- src/detect-http-method.c | 7 ++-- src/detect-http-protocol.c | 9 ++-- src/detect-http-raw-header.c | 7 ++-- src/detect-http-request-line.c | 7 ++-- src/detect-http-response-line.c | 7 ++-- src/detect-http-start.c | 4 +- src/detect-http-stat-code.c | 7 ++-- src/detect-http-stat-msg.c | 8 ++-- src/detect-http-ua.c | 7 ++-- src/detect-http-uri.c | 11 +++-- src/detect-icmpv4hdr.c | 4 +- src/detect-icmpv6hdr.c | 4 +- src/detect-ike-key-exchange-payload.c | 3 +- src/detect-ike-nonce-payload.c | 3 +- src/detect-ike-spi.c | 6 +-- src/detect-ipv4hdr.c | 4 +- src/detect-ipv6hdr.c | 4 +- src/detect-quic-sni.c | 3 +- src/detect-quic-ua.c | 3 +- src/detect-quic-version.c | 3 +- src/detect-sip-method.c | 3 +- src/detect-sip-uri.c | 3 +- src/detect-smb-ntlmssp.c | 6 +-- src/detect-smb-share.c | 6 +-- src/detect-ssh-hassh-server-string.c | 3 +- src/detect-ssh-hassh-server.c | 4 +- src/detect-ssh-hassh-string.c | 5 +-- src/detect-ssh-hassh.c | 5 +-- src/detect-ssh-proto.c | 4 +- src/detect-ssh-software.c | 4 +- src/detect-tcphdr.c | 4 +- src/detect-tls-cert-fingerprint.c | 4 +- src/detect-tls-cert-issuer.c | 4 +- src/detect-tls-cert-serial.c | 4 
+- src/detect-tls-cert-subject.c | 4 +- src/detect-tls-ja3-hash.c | 4 +- src/detect-tls-ja3-string.c | 4 +- src/detect-tls-ja3s-hash.c | 4 +- src/detect-tls-ja3s-string.c | 4 +- src/detect-tls-random.c | 12 +++--- src/detect-tls-sni.c | 4 +- src/detect-udphdr.c | 4 +- src/util-ja3.c | 3 +- 54 files changed, 173 insertions(+), 182 deletions(-) diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c index b0ee04590583..e23cfb6a4e60 100644 --- a/src/detect-dce-stub-data.c +++ b/src/detect-dce-stub-data.c @@ -79,8 +79,8 @@ static InspectionBuffer *GetSMBData(DetectEngineThreadCtx *det_ctx, return NULL; SCLogDebug("have data!"); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } @@ -105,8 +105,8 @@ static InspectionBuffer *GetDCEData(DetectEngineThreadCtx *det_ctx, } else { buffer->flags |= DETECT_CI_FLAGS_DCE_BE; } - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } diff --git a/src/detect-dnp3.c b/src/detect-dnp3.c index c1e5a5e5bb97..de4edbbadf41 100644 --- a/src/detect-dnp3.c +++ b/src/detect-dnp3.c @@ -166,8 +166,8 @@ static InspectionBuffer *GetDNP3Data(DetectEngineThreadCtx *det_ctx, } SCLogDebug("tx %p data %p data_len %u", tx, tx->buffer, tx->buffer_len); - InspectionBufferSetup(det_ctx, list_id, buffer, tx->buffer, tx->buffer_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, tx->buffer, tx->buffer_len, transforms); } return buffer; } diff --git a/src/detect-engine-helper.c b/src/detect-engine-helper.c index 07ffb8177057..5337f95969c0 100644 --- a/src/detect-engine-helper.c 
+++ b/src/detect-engine-helper.c @@ -56,8 +56,7 @@ InspectionBuffer *DetectHelperGetData(struct DetectEngineThreadCtx_ *det_ctx, if (!GetBuf(txv, flow_flags, &b, &b_len)) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } diff --git a/src/detect-engine.c b/src/detect-engine.c index d576e550138a..a89a5e045690 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -105,6 +105,9 @@ static uint32_t DetectEngineTenantGetIdFromLivedev(const void *ctx, const Packet static uint32_t DetectEngineTenantGetIdFromVlanId(const void *ctx, const Packet *p); static uint32_t DetectEngineTenantGetIdFromPcap(const void *ctx, const Packet *p); +static inline void InspectionBufferApplyTransformsInternal( + InspectionBuffer *, const DetectEngineTransforms *); + static DetectEngineAppInspectionEngine *g_app_inspect_engines = NULL; static DetectEnginePktInspectionEngine *g_pkt_inspect_engines = NULL; static DetectEngineFrameInspectionEngine *g_frame_inspect_engines = NULL; 
@@ -1557,6 +1560,27 @@ InspectionBuffer *InspectionBufferMultipleForListGet( return buffer; } +static inline void InspectionBufferApplyTransformsInternal( + InspectionBuffer *buffer, const DetectEngineTransforms *transforms) +{ + if (transforms) { + for (int i = 0; i < DETECT_TRANSFORMS_MAX; i++) { + const int id = transforms->transforms[i].transform; + if (id == 0) + break; + BUG_ON(sigmatch_table[id].Transform == NULL); + sigmatch_table[id].Transform(buffer, transforms->transforms[i].options); + SCLogDebug("applied transform %s", sigmatch_table[id].name); + } + } +} + +void InspectionBufferApplyTransforms( + InspectionBuffer *buffer, const DetectEngineTransforms *transforms) +{ + InspectionBufferApplyTransformsInternal(buffer, transforms); +} + void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size) { memset(buffer, 0, sizeof(*buffer)); @@ -1591,11 +1615,10 @@ void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTran buffer->len = 0; buffer->initialized = true; - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferApplyTransformsInternal(buffer, transforms); } -/** \brief setup the buffer with our initial data */ -void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, +static inline void InspectionBufferSetupInternal(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len) { #ifdef DEBUG_VALIDATION 
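Review bot: In `InspectionBufferApplyTransformsInternal` the transform id is used as an index, `sigmatch_table[id]`, after only the `id == 0` terminator test, so a negative or too-large id would read outside the table before the `BUG_ON` is evaluated. The ids are presumably validated when the rule is loaded, which this hunk does not show. Since the helper is now inlined into every setup path, a debug-build check before the lookup would state that assumption, e.g. `DEBUG_VALIDATE_BUG_ON(id < 0 || id >= DETECT_TBLSIZE);` (or whichever bound the table uses). Neither the new static helper nor the public `InspectionBufferApplyTransforms` wrapper carries a `\brief` comment; one line on each saying that a NULL `transforms` pointer applies nothing would document the `if (transforms)` guard.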
@@ -1613,6 +1636,21 @@ void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, buffer->len = 0; buffer->initialized = true; } +/** \brief setup the buffer with our initial data */ +void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, + InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len) +{ + InspectionBufferSetupInternal(det_ctx, list_id, buffer, data, data_len); +} + +/** \brief setup the buffer with our initial data */ +void InspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, + InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, + const DetectEngineTransforms *transforms) +{ + InspectionBufferSetupInternal(det_ctx, list_id, buffer, data, data_len); + InspectionBufferApplyTransformsInternal(buffer, transforms); +} void InspectionBufferFree(InspectionBuffer *buffer) { @@ -1711,21 +1749,6 @@ bool DetectEngineBufferTypeValidateTransform(DetectEngineCtx *de_ctx, int sm_lis return true; } -void InspectionBufferApplyTransforms(InspectionBuffer *buffer, - const DetectEngineTransforms *transforms) -{ - if (transforms) { - for (int i = 0; i < DETECT_TRANSFORMS_MAX; i++) { - const int id = transforms->transforms[i].transform; - if (id == 0) - break; - BUG_ON(sigmatch_table[id].Transform == NULL); - sigmatch_table[id].Transform(buffer, transforms->transforms[i].options); - SCLogDebug("applied transform %s", sigmatch_table[id].name); - } - } -} - static void DetectBufferTypeSetupDetectEngine(DetectEngineCtx *de_ctx) { const int size = g_buffer_type_id; diff --git a/src/detect-engine.h b/src/detect-engine.h index b75d124f9cd4..4ccf9249d9c5 100644 --- a/src/detect-engine.h +++ b/src/detect-engine.h 
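Review bot: `InspectionBufferSetupAndApplyTransforms` carries the same doc comment as `InspectionBufferSetup`, `/** \brief setup the buffer with our initial data */`, which says nothing about the transforms being applied. Proposed wording: `/** \brief setup the buffer with our initial data and apply the transforms to it; a NULL transforms pointer applies none */`, where the NULL behaviour follows from the `if (transforms)` guard in `InspectionBufferApplyTransformsInternal`. A blank line between the closing brace of `InspectionBufferSetupInternal` and the first added `/**` would match the spacing used between the other functions added in this hunk. The body of `InspectionBufferSetupInternal` begins in the previous hunk.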
@@ -30,6 +30,9 @@ void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size); void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len); +void InspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, + InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, + const DetectEngineTransforms *transforms); void InspectionBufferFree(InspectionBuffer *buffer); void *InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size); void InspectionBufferTruncate(InspectionBuffer *buffer, uint32_t buf_len); diff --git a/src/detect-ftp-command.c b/src/detect-ftp-command.c index ddc4bc16a7cf..b106ed4ed847 100644 --- a/src/detect-ftp-command.c +++ b/src/detect-ftp-command.c @@ -71,10 +71,9 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, tx->command_descriptor->command_length == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, (const uint8_t *)tx->command_descriptor->command_name, - tx->command_descriptor->command_length); - InspectionBufferApplyTransforms(buffer, transforms); + tx->command_descriptor->command_length, transforms); } return buffer; diff --git a/src/detect-http-cookie.c b/src/detect-http-cookie.c index 865a88d8a1e2..c6532b92c4b7 100644 --- a/src/detect-http-cookie.c +++ b/src/detect-http-cookie.c @@ -190,8 +190,8 @@ static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = htp_header_value_len(h); const uint8_t *data = htp_header_value_ptr(h); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; 
@@ -217,8 +217,8 @@ static InspectionBuffer *GetResponseData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = htp_header_value_len(h); const uint8_t *data = htp_header_value_ptr(h); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -238,8 +238,7 @@ static InspectionBuffer *GetRequestData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -259,8 +258,7 @@ static InspectionBuffer *GetResponseData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-header-names.c b/src/detect-http-header-names.c index 6f0d30219536..c748c70f1c2f 100644 --- a/src/detect-http-header-names.c +++ b/src/detect-http-header-names.c @@ -153,8 +153,8 @@ static InspectionBuffer *GetBuffer1ForTX(DetectEngineThreadCtx *det_ctx, if (rawdata_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, rawdata, rawdata_len, transforms); } return buffer; 
@@ -174,8 +174,7 @@ static InspectionBuffer *GetBuffer2ForTX(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-header.c b/src/detect-http-header.c index 4c7d2fbc9593..7e3dd6877916 100644 --- a/src/detect-http-header.c +++ b/src/detect-http-header.c @@ -156,8 +156,7 @@ static InspectionBuffer *GetBuffer2ForTX(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -195,8 +194,8 @@ static uint8_t DetectEngineInspectBufferHttpHeader(DetectEngineCtx *de_ctx, goto end; } /* setup buffer and apply transforms */ - InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, rawdata, rawdata_len, transforms); } const uint32_t data_len = buffer->inspect_len; @@ -250,8 +249,8 @@ static void PrefilterMpmHttpHeader(DetectEngineThreadCtx *det_ctx, const void *p return; /* setup buffer and apply transforms */ - InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(buffer, ctx->transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, rawdata, rawdata_len, ctx->transforms); } const uint32_t data_len = buffer->inspect_len; diff --git a/src/detect-http-headers-stub.h b/src/detect-http-headers-stub.h index 2dfcda843493..834a3b25d92a 100644 --- a/src/detect-http-headers-stub.h +++ b/src/detect-http-headers-stub.h 
@@ -67,8 +67,8 @@ static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = htp_header_value_len(h); const uint8_t *data = htp_header_value_ptr(h); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -90,8 +90,7 @@ static InspectionBuffer *GetRequestData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -122,8 +121,8 @@ static InspectionBuffer *GetResponseData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = htp_header_value_len(h); const uint8_t *data = htp_header_value_ptr(h); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -145,8 +144,7 @@ static InspectionBuffer *GetResponseData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-host.c b/src/detect-http-host.c index a86625d8afae..eef135805231 100644 --- a/src/detect-http-host.c +++ b/src/detect-http-host.c 
@@ -251,8 +251,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(htp_tx_request_hostname(tx)); const uint8_t *data = bstr_ptr(htp_tx_request_hostname(tx)); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -272,8 +272,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -293,8 +292,7 @@ static InspectionBuffer *GetRawData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -363,8 +361,8 @@ static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx, data_len = bstr_len(tx->parsed_uri->hostname); } - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-http-method.c b/src/detect-http-method.c index 9fb7af37e644..902d48ed3143 100644 --- a/src/detect-http-method.c +++ b/src/detect-http-method.c 
@@ -210,8 +210,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(htp_tx_request_method(tx)); const uint8_t *data = bstr_ptr(htp_tx_request_method(tx)); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -231,8 +231,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-protocol.c b/src/detect-http-protocol.c index 0c2d9cb71b62..2836ff077cc5 100644 --- a/src/detect-http-protocol.c +++ b/src/detect-http-protocol.c @@ -107,8 +107,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -120,9 +120,8 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, { InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); if (buffer->inspect == NULL) { - InspectionBufferSetup( - det_ctx, list_id, buffer, (const uint8_t *)"HTTP/2", strlen("HTTP/2")); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, (const uint8_t *)"HTTP/2", strlen("HTTP/2"), transforms); } return buffer; diff --git a/src/detect-http-raw-header.c b/src/detect-http-raw-header.c index ee5e3c957eae..2eda09704e39 100644 --- a/src/detect-http-raw-header.c +++ b/src/detect-http-raw-header.c 
@@ -200,8 +200,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = ts ? tx_ud->request_headers_raw_len : tx_ud->response_headers_raw_len; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -221,8 +221,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-request-line.c b/src/detect-http-request-line.c index 60ebd5a3d147..768d28f6ca6c 100644 --- a/src/detect-http-request-line.c +++ b/src/detect-http-request-line.c @@ -86,8 +86,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -165,8 +164,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(htp_tx_request_line(tx)); const uint8_t *data = bstr_ptr(htp_tx_request_line(tx)); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } diff --git a/src/detect-http-response-line.c b/src/detect-http-response-line.c index 93114822d15e..6eb86445fdca 100644 --- a/src/detect-http-response-line.c +++ b/src/detect-http-response-line.c 
@@ -86,8 +86,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -164,8 +163,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(htp_tx_response_line(tx)); const uint8_t *data = bstr_ptr(htp_tx_response_line(tx)); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } diff --git a/src/detect-http-start.c b/src/detect-http-start.c index 3f5920213d0e..4a6101056242 100644 --- a/src/detect-http-start.c +++ b/src/detect-http-start.c @@ -158,8 +158,8 @@ static InspectionBuffer *GetBuffer1ForTX(DetectEngineThreadCtx *det_ctx, if (rawdata_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, rawdata, rawdata_len, transforms); } return buffer; diff --git a/src/detect-http-stat-code.c b/src/detect-http-stat-code.c index 82cdde855a72..8ffddc74f520 100644 --- a/src/detect-http-stat-code.c +++ b/src/detect-http-stat-code.c @@ -169,8 +169,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(htp_tx_response_status(tx)); const uint8_t *data = bstr_ptr(htp_tx_response_status(tx)); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; 
@@ -192,8 +192,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-stat-msg.c b/src/detect-http-stat-msg.c index d2a494d42fe2..93640df97ecf 100644 --- a/src/detect-http-stat-msg.c +++ b/src/detect-http-stat-msg.c @@ -78,8 +78,8 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, { InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); if (buffer->inspect == NULL) { - InspectionBufferSetup(det_ctx, list_id, buffer, (const uint8_t *)"", 0); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, (const uint8_t *)"", 0, transforms); } return buffer; @@ -178,8 +178,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(htp_tx_response_message(tx)); const uint8_t *data = bstr_ptr(htp_tx_response_message(tx)); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-http-ua.c b/src/detect-http-ua.c index 2a539d69df3f..90f31c4a1e50 100644 --- a/src/detect-http-ua.c +++ b/src/detect-http-ua.c @@ -174,8 +174,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = htp_header_value_len(h); const uint8_t *data = htp_header_value_ptr(h); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; 
@@ -197,8 +197,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-http-uri.c b/src/detect-http-uri.c index 7a23777562f5..02a932b5f452 100644 --- a/src/detect-http-uri.c +++ b/src/detect-http-uri.c @@ -237,8 +237,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(tx_ud->request_uri_normalized); const uint8_t *data = bstr_ptr(tx_ud->request_uri_normalized); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; @@ -260,8 +260,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -328,8 +327,8 @@ static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = bstr_len(htp_tx_request_uri(tx)); const uint8_t *data = bstr_ptr(htp_tx_request_uri(tx)); - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-icmpv4hdr.c b/src/detect-icmpv4hdr.c index dbda7c6f14d1..43a884991555 100644 --- a/src/detect-icmpv4hdr.c +++ b/src/detect-icmpv4hdr.c 
@@ -112,8 +112,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = hlen; const uint8_t *data = (const uint8_t *)icmpv4h; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-icmpv6hdr.c b/src/detect-icmpv6hdr.c index 54f1cd35a04f..0bd9b2b4fc71 100644 --- a/src/detect-icmpv6hdr.c +++ b/src/detect-icmpv6hdr.c @@ -117,8 +117,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = hlen; const uint8_t *data = (const uint8_t *)icmpv6h; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-ike-key-exchange-payload.c b/src/detect-ike-key-exchange-payload.c index 2eccde22e17f..fadad07f28ea 100644 --- a/src/detect-ike-key-exchange-payload.c +++ b/src/detect-ike-key-exchange-payload.c @@ -82,8 +82,7 @@ static InspectionBuffer *GetKeyExchangeData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-ike-nonce-payload.c b/src/detect-ike-nonce-payload.c index d31e35abfd72..20c28585dd12 100644 --- a/src/detect-ike-nonce-payload.c +++ b/src/detect-ike-nonce-payload.c 
@@ -82,8 +82,7 @@ static InspectionBuffer *GetNonceData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-ike-spi.c b/src/detect-ike-spi.c index b9e2f83923b6..52bc97b0687c 100644 --- a/src/detect-ike-spi.c +++ b/src/detect-ike-spi.c @@ -99,8 +99,7 @@ static InspectionBuffer *GetInitiatorData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; @@ -120,8 +119,7 @@ static InspectionBuffer *GetResponderData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-ipv4hdr.c b/src/detect-ipv4hdr.c index 78fe0062ea46..1db2bf0f28d6 100644 --- a/src/detect-ipv4hdr.c +++ b/src/detect-ipv4hdr.c @@ -113,8 +113,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = hlen; const uint8_t *data = (const uint8_t *)ip4h; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-ipv6hdr.c b/src/detect-ipv6hdr.c index 2f5e79d33d4e..28a61023e21c 100644 --- a/src/detect-ipv6hdr.c +++ b/src/detect-ipv6hdr.c 
@@ -114,8 +114,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = hlen; const uint8_t *data = (const uint8_t *)ip6h; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } SCReturnPtr(buffer, "InspectionBuffer"); diff --git a/src/detect-quic-sni.c b/src/detect-quic-sni.c index ba234e1d4478..5f5142727c4b 100644 --- a/src/detect-quic-sni.c +++ b/src/detect-quic-sni.c @@ -59,8 +59,7 @@ static InspectionBuffer *GetSniData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } diff --git a/src/detect-quic-ua.c b/src/detect-quic-ua.c index 59c302e59490..732d79dbac04 100644 --- a/src/detect-quic-ua.c +++ b/src/detect-quic-ua.c @@ -59,8 +59,7 @@ static InspectionBuffer *GetUaData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } diff --git a/src/detect-quic-version.c b/src/detect-quic-version.c index 0d5d9f491ead..2d40becf3d50 100644 --- a/src/detect-quic-version.c +++ b/src/detect-quic-version.c @@ -59,8 +59,7 @@ static InspectionBuffer *GetVersionData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } 
diff --git a/src/detect-sip-method.c b/src/detect-sip-method.c index a3564e7d7b71..27a3c373c2ce 100644 --- a/src/detect-sip-method.c +++ b/src/detect-sip-method.c @@ -117,8 +117,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-sip-uri.c b/src/detect-sip-uri.c index 9deafbb42bb0..111e60a5a4e0 100644 --- a/src/detect-sip-uri.c +++ b/src/detect-sip-uri.c @@ -96,8 +96,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; diff --git a/src/detect-smb-ntlmssp.c b/src/detect-smb-ntlmssp.c index aa53269309cf..efcc6f111deb 100644 --- a/src/detect-smb-ntlmssp.c +++ b/src/detect-smb-ntlmssp.c @@ -68,8 +68,7 @@ static InspectionBuffer *GetNtlmsspUserData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } @@ -125,8 +124,7 @@ static InspectionBuffer *GetNtlmsspDomainData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } 
diff --git a/src/detect-smb-share.c b/src/detect-smb-share.c index 018d8ceefd79..36bca26a166d 100644 --- a/src/detect-smb-share.c +++ b/src/detect-smb-share.c @@ -69,8 +69,7 @@ static InspectionBuffer *GetNamedPipeData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } @@ -130,8 +129,7 @@ static InspectionBuffer *GetShareData(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } diff --git a/src/detect-ssh-hassh-server-string.c b/src/detect-ssh-hassh-server-string.c index 45e67edb3c8c..287846a8864f 100644 --- a/src/detect-ssh-hassh-server-string.c +++ b/src/detect-ssh-hassh-server-string.c @@ -76,8 +76,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetup(det_ctx, list_id, buffer, hassh, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, hassh, b_len, transforms); } return buffer; diff --git a/src/detect-ssh-hassh-server.c b/src/detect-ssh-hassh-server.c index da5118853869..bc6f752cddd5 100644 --- a/src/detect-ssh-hassh-server.c +++ b/src/detect-ssh-hassh-server.c @@ -77,8 +77,8 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetup(det_ctx, list_id, buffer, hasshServer, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, hasshServer, b_len, transforms); } return buffer; 
diff --git a/src/detect-ssh-hassh-string.c b/src/detect-ssh-hassh-string.c index 346e94d74b9b..f55c20d9f427 100644 --- a/src/detect-ssh-hassh-string.c +++ b/src/detect-ssh-hassh-string.c @@ -60,7 +60,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, const DetectEngineTransforms *transforms, Flow *_f, const uint8_t flow_flags, void *txv, const int list_id) { - + SCEnter(); InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); @@ -76,8 +76,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetup(det_ctx, list_id, buffer, hassh, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, hassh, b_len, transforms); } return buffer; diff --git a/src/detect-ssh-hassh.c b/src/detect-ssh-hassh.c index ec78519b907f..452534b834bf 100644 --- a/src/detect-ssh-hassh.c +++ b/src/detect-ssh-hassh.c @@ -61,7 +61,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, const DetectEngineTransforms *transforms, Flow *_f, const uint8_t flow_flags, void *txv, const int list_id) { - + SCEnter(); InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); @@ -77,8 +77,7 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetup(det_ctx, list_id, buffer, hassh, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, hassh, b_len, transforms); } return buffer; diff --git a/src/detect-ssh-proto.c b/src/detect-ssh-proto.c index 5ed0cdfb54a8..b25e57db8d26 100644 --- a/src/detect-ssh-proto.c +++ b/src/detect-ssh-proto.c 
@@ -74,8 +74,8 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetup(det_ctx, list_id, buffer, protocol, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, protocol, b_len, transforms); } return buffer; diff --git a/src/detect-ssh-software.c b/src/detect-ssh-software.c index d7cb872523ca..c0d36c06f24a 100644 --- a/src/detect-ssh-software.c +++ b/src/detect-ssh-software.c @@ -74,8 +74,8 @@ static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, return NULL; } - InspectionBufferSetup(det_ctx, list_id, buffer, software, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, software, b_len, transforms); } return buffer; diff --git a/src/detect-tcphdr.c b/src/detect-tcphdr.c index fd7df2f687d7..920bdd798bed 100644 --- a/src/detect-tcphdr.c +++ b/src/detect-tcphdr.c @@ -115,8 +115,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = hlen; const uint8_t *data = (const uint8_t *)tcph; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-cert-fingerprint.c b/src/detect-tls-cert-fingerprint.c index 8f6872a81871..2844c882d5c0 100644 --- a/src/detect-tls-cert-fingerprint.c +++ b/src/detect-tls-cert-fingerprint.c 
@@ -152,8 +152,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(connp->cert0_fingerprint); const uint8_t *data = (uint8_t *)connp->cert0_fingerprint; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-cert-issuer.c b/src/detect-tls-cert-issuer.c index 55411172a651..fcdef7f4785c 100644 --- a/src/detect-tls-cert-issuer.c +++ b/src/detect-tls-cert-issuer.c @@ -140,8 +140,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(connp->cert0_issuerdn); const uint8_t *data = (uint8_t *)connp->cert0_issuerdn; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-cert-serial.c b/src/detect-tls-cert-serial.c index fb4e02995433..6a9705672f1b 100644 --- a/src/detect-tls-cert-serial.c +++ b/src/detect-tls-cert-serial.c @@ -150,8 +150,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(connp->cert0_serial); const uint8_t *data = (uint8_t *)connp->cert0_serial; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-cert-subject.c b/src/detect-tls-cert-subject.c index 7d3ca50a6190..86193052c48c 100644 --- a/src/detect-tls-cert-subject.c +++ b/src/detect-tls-cert-subject.c 
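Review bot: In the detect-tls-cert-fingerprint.c hunk, the length handed to the new `InspectionBufferSetupAndApplyTransforms` call still comes from `const uint32_t data_len = strlen(connp->cert0_fingerprint);`, an implicit `size_t` to `uint32_t` narrowing of the kind the first patch in this series removes under -Wshorten-64-to-32. The same context-line pattern appears in the detect-tls-cert-issuer.c, detect-tls-cert-serial.c, detect-tls-cert-subject.c, detect-tls-ja3*.c and detect-tls-sni.c hunks. These strings are presumably short, so truncation is unlikely, but an explicit conversion keeps the warning meaningful: `const uint32_t data_len = (uint32_t)strlen(connp->cert0_fingerprint);`. GetData starts and ends outside the hunk.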
@@ -142,8 +142,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(connp->cert0_subject); const uint8_t *data = (uint8_t *)connp->cert0_subject; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-ja3-hash.c b/src/detect-tls-ja3-hash.c index e7994fb3271e..0a22eb6a0c5f 100644 --- a/src/detect-tls-ja3-hash.c +++ b/src/detect-tls-ja3-hash.c @@ -171,8 +171,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(ssl_state->client_connp.ja3_hash); const uint8_t *data = (uint8_t *)ssl_state->client_connp.ja3_hash; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-ja3-string.c b/src/detect-tls-ja3-string.c index dc2d41b622c8..cc4acf4b2b6f 100644 --- a/src/detect-tls-ja3-string.c +++ b/src/detect-tls-ja3-string.c @@ -161,8 +161,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(ssl_state->client_connp.ja3_str->data); const uint8_t *data = (uint8_t *)ssl_state->client_connp.ja3_str->data; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-ja3s-hash.c b/src/detect-tls-ja3s-hash.c index c554bb7076bc..3b439161cd56 100644 --- a/src/detect-tls-ja3s-hash.c +++ b/src/detect-tls-ja3s-hash.c 
@@ -169,8 +169,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(ssl_state->server_connp.ja3_hash); const uint8_t *data = (uint8_t *)ssl_state->server_connp.ja3_hash; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-ja3s-string.c b/src/detect-tls-ja3s-string.c index ea78846f15c2..2b7710d87fb6 100644 --- a/src/detect-tls-ja3s-string.c +++ b/src/detect-tls-ja3s-string.c @@ -160,8 +160,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(ssl_state->server_connp.ja3_str->data); const uint8_t *data = (uint8_t *)ssl_state->server_connp.ja3_str->data; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-tls-random.c b/src/detect-tls-random.c index 6993223eccfb..2e6aa97672cb 100644 --- a/src/detect-tls-random.c +++ b/src/detect-tls-random.c @@ -221,8 +221,8 @@ static InspectionBuffer *GetRandomTimeData(DetectEngineThreadCtx *det_ctx, } else { data = ssl_state->server_connp.random; } - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } 
@@ -248,8 +248,8 @@ static InspectionBuffer *GetRandomBytesData(DetectEngineThreadCtx *det_ctx, } else { data = ssl_state->server_connp.random + DETECT_TLS_RANDOM_TIME_LEN; } - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } @@ -275,8 +275,8 @@ static InspectionBuffer *GetRandomData(DetectEngineThreadCtx *det_ctx, } else { data = ssl_state->server_connp.random; } - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; } diff --git a/src/detect-tls-sni.c b/src/detect-tls-sni.c index 1ec7400b3437..0f7a957b8bb5 100644 --- a/src/detect-tls-sni.c +++ b/src/detect-tls-sni.c @@ -122,8 +122,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = strlen(ssl_state->client_connp.sni); const uint8_t *data = (uint8_t *)ssl_state->client_connp.sni; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; diff --git a/src/detect-udphdr.c b/src/detect-udphdr.c index 9f6d16ebf0b0..0e604104a8b5 100644 --- a/src/detect-udphdr.c +++ b/src/detect-udphdr.c @@ -111,8 +111,8 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, const uint32_t data_len = UDP_HEADER_LEN; const uint8_t *data = (const uint8_t *)udph; - InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms( + det_ctx, list_id, buffer, data, data_len, transforms); } return buffer; 
diff --git a/src/util-ja3.c b/src/util-ja3.c index b89a62e0d0bf..0ebd1557c591 100644 --- a/src/util-ja3.c +++ b/src/util-ja3.c @@ -297,8 +297,7 @@ InspectionBuffer *Ja3DetectGetString(DetectEngineThreadCtx *det_ctx, if (b == NULL || b_len == 0) return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); } return buffer; } From 726de5520f77e778cd2511bf262611079ae2528d Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Fri, 21 Feb 2025 10:38:06 +0100 Subject: [PATCH 10/11] quic: discard late retry packets Ticket: 7556 See RFC 9000 section 17.2.5.2 : After the client has received and processed an Initial or Retry packet from the server, it MUST discard any subsequent Retry packets that it receives. --- rust/src/quic/quic.rs | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/rust/src/quic/quic.rs b/rust/src/quic/quic.rs index 165fc44dc679..03407dbae0bf 100644 --- a/rust/src/quic/quic.rs +++ b/rust/src/quic/quic.rs @@ -120,6 +120,7 @@ pub struct QuicState { crypto_fraglen_ts: u32, hello_tc: bool, hello_ts: bool, + has_retried: bool, transactions: VecDeque, } @@ -135,6 +136,7 @@ impl Default for QuicState { crypto_fraglen_ts: 0, hello_tc: false, hello_ts: false, + has_retried: false, transactions: VecDeque::new(), } } 
@@ -339,10 +341,17 @@ impl QuicState {
 // unprotect/decrypt packet
 if self.keys.is_none() && header.ty == QuicType::Initial {
 self.keys = quic_keys_initial(u32::from(header.version), &header.dcid);
- } else if !to_server && self.keys.is_some() && header.ty == QuicType::Retry {
+ } else if !to_server
+ && self.keys.is_some()
+ && header.ty == QuicType::Retry
+ && !self.has_retried
+ {
 // a retry packet discards the current keys, client will resend an initial packet with new keys
 self.hello_ts = false;
 self.keys = None;
+ // RFC 9000 17.2.5.2 After the client has received and processed an Initial or Retry packet
+ // from the server, it MUST discard any subsequent Retry packets that it receives.
+ self.has_retried = true;
 }
 // header.length was checked against rest.len() during parsing
 let (mut framebuf, next_buf) = rest.split_at(header.length.into());
From 3bc2a14fbfefddbfc241bf6d961a57c3b24835a3 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Fri, 21 Feb 2025 11:22:27 +0100 Subject: [PATCH 11/11] rust: fix clippy 1.85 precedence warnings warning: operator precedence can trip the unwary --> src/jsonbuilder.rs:781:36 | 781 | buf[offset] = HEX[(x >> 4 & 0xf) as usize]; | ^^^^^^^^^^^^ help: consider parenthesizing your expression: `(x >> 4) & 0xf` | = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#precedence = note: `#[warn(clippy::precedence)]` on by default --- rust/src/ja4.rs | 6 +++--- rust/src/jsonbuilder.rs | 2 +- rust/src/rdp/util.rs | 2 +- rust/src/smb/smb1_records.rs | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/rust/src/ja4.rs b/rust/src/ja4.rs
index 4660f2330227..ae76186c905d 100644
--- a/rust/src/ja4.rs
+++ b/rust/src/ja4.rs
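Review bot: In the `@@ -339,10 +341,17 @@` hunk of rust/src/quic/quic.rs, the added `&& !self.has_retried` only suppresses a second Retry, while the RFC 9000 17.2.5.2 text quoted in the new comment also requires discarding a Retry that arrives after a server Initial has been processed. As far as this hunk shows, `has_retried` is set only inside the Retry branch, so a late or forged Retry that follows a server Initial still clears `self.keys` and `self.hello_ts`, and decryption of the following packets is presumably lost until another Initial is seen. I would also set the flag where the first to-client Initial is handled, e.g. `if !to_server && header.ty == QuicType::Initial { self.has_retried = true; }`, and document the field with `/// Set once a server Initial or Retry was processed; later Retry packets are ignored.` Whether another state field already records the server Initial cannot be confirmed here, since the function starts and ends outside the hunk.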
@@ -143,7 +143,7 @@ impl JA4 {
 // If the first ALPN value is only a single character, then that character is treated as both the first and last character.
 if alpn.len() == 2 {
 // GREASE values are 2 bytes, so this could be one -- check
- let v: u16 = (alpn[0] as u16) << 8 | alpn[alpn.len() - 1] as u16;
+ let v: u16 = ((alpn[0] as u16) << 8) | alpn[alpn.len() - 1] as u16;
 if JA4::is_grease(v) {
 return;
 }
@@ -288,12 +288,12 @@ mod tests {
 fn test_is_grease() {
 let mut alpn = "foobar".as_bytes();
 let mut len = alpn.len();
- let v: u16 = (alpn[0] as u16) << 8 | alpn[len - 1] as u16;
+ let v: u16 = ((alpn[0] as u16) << 8) | alpn[len - 1] as u16;
 assert!(!JA4::is_grease(v));
 alpn = &[0x0a, 0x0a];
 len = alpn.len();
- let v: u16 = (alpn[0] as u16) << 8 | alpn[len - 1] as u16;
+ let v: u16 = ((alpn[0] as u16) << 8) | alpn[len - 1] as u16;
 assert!(JA4::is_grease(v));
 }
diff --git a/rust/src/jsonbuilder.rs b/rust/src/jsonbuilder.rs
index 0d9bc916a770..86d7bf51c151 100644
--- a/rust/src/jsonbuilder.rs
+++ b/rust/src/jsonbuilder.rs
@@ -778,7 +778,7 @@ impl JsonBuilder {
 offset += 1;
 buf[offset] = b'0';
 offset += 1;
- buf[offset] = HEX[(x >> 4 & 0xf) as usize];
+ buf[offset] = HEX[((x >> 4) & 0xf) as usize];
 offset += 1;
 buf[offset] = HEX[(x & 0xf) as usize];
 offset += 1;
diff --git a/rust/src/rdp/util.rs b/rust/src/rdp/util.rs
index a4228f20373b..b903813bc979 100644
--- a/rust/src/rdp/util.rs
+++ b/rust/src/rdp/util.rs
@@ -70,7 +70,7 @@ pub fn parse_per_length_determinant(input: &[u8]) -> IResult<&[u8], u32, RdpErro
 Ok((&input[1..], length))
 }
 _ => {
- let bit6 = input[0] >> 6 & 0x1;
+ let bit6 = (input[0] >> 6) & 0x1;
 match bit6 {
 0b0 => {
 // byte starts with 0b10. Length stored in the remaining 6 bits and the next byte
diff --git a/rust/src/smb/smb1_records.rs b/rust/src/smb/smb1_records.rs
index eb42d2c04cb0..9211998d9a18 100644
--- a/rust/src/smb/smb1_records.rs
+++ b/rust/src/smb/smb1_records.rs
@@ -520,7 +520,7 @@ pub fn parse_smb_read_andx_request_record(i: &[u8]) -> IResult<&[u8], SmbRequest
 let record = SmbRequestReadAndXRecord {
 fid,
 size: (((max_count_high as u64) << 16)|max_count_low as u64),
- offset: high_offset.map(|ho| (ho as u64) << 32 | offset as u64).unwrap_or(0),
+ offset: high_offset.map(|ho| ((ho as u64) << 32) | offset as u64).unwrap_or(0),
 };
 Ok((i, record))
 }
@@ -858,7 +858,7 @@ pub fn parse_smb_record(i: &[u8]) -> IResult<&[u8], SmbRecord> {
 user_id,
 multiplex_id,
- process_id: (process_id_high as u32) << 16 | process_id as u32,
+ process_id: ((process_id_high as u32) << 16) | process_id as u32,
 //ssn_id: (((process_id as u32)<< 16)|(user_id as u32)),
 ssn_id: user_id as u32,
 data,
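Review bot: On the `offset:` line of `parse_smb_read_andx_request_record`, `unwrap_or(0)` throws away the parsed low 32-bit `offset` whenever `high_offset` is `None`, so such a request is recorded at offset 0; the added parentheses leave that unchanged. If a request without the high word is accepted by this parser (how `high_offset` is parsed is outside the hunk, so this is an inference), the fallback should be the low word: `offset: high_offset.map_or(offset as u64, |ho| ((ho as u64) << 32) | offset as u64),`. A unit test with a record that lacks the high offset and carries a non-zero low offset would pin the behaviour. The function body starts outside the hunk.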