jlucovsky
Contributor

Continuation of #13584

Issue: 1412

Extend the checks added for 7549 to include buffers.

Only consider sig matches with compatible ids/lists.

Link to ticket: https://redmine.openinfosecfoundation.org/issues/1412

Describe changes:

  • Extend buffer/variable checks to buffers init data
  • In strict-mode, do not load rules using variables from different buffers.
  • When not in strict mode, issue warning for rules that use variables from different buffers.

Updates:

Provide values to any of the below to override the defaults.

  • To use a Suricata-Verify or Suricata-Update pull request,
    link to the pull request in the respective _BRANCH variable.
  • Leave unused overrides blank or remove.

SV_REPO=
SV_BRANCH=OISF/suricata-verify#2576
SU_REPO=
SU_BRANCH=

Issue: 1412

When in strict mode, issue an error and refuse to load the rule if
variables produced from a different buffer are used with a separate
buffer.

When not in strict mode (default), issue a warning and load the rule.

Only consider sig matches with compatible ids/lists.
Issue 1412

Add mention of byte_{extract,math,test,jump} variable usage
and buffer scope and include how the command line option
strict-rule-keywords affects validation.
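
As an added illustration (not code from this pull request or from Suricata), the Python sketch below models the policy described above: a variable set by byte_extract or byte_math in one buffer and consumed by byte_test, byte_jump or byte_math in another is reported, and the rule is refused only in strict mode. The simplified option parser, the three-entry sticky-buffer set, the `load` helper and the sample rules are assumptions constructed for the example.

```python
import re

# Assumption: three real sticky-buffer keywords, enough for the samples below.
STICKY = {"http.uri", "http.user_agent", "file.data"}
CONSUMERS = {"byte_test", "byte_jump", "byte_math"}

# Constructed sample rules (not from the PR or any ruleset).
CROSS = ('alert http any any -> any any (msg:"constructed: cross-buffer"; '
         'http.uri; byte_extract:1,0,len; '
         'http.user_agent; byte_test:1,=,len,0; sid:1;)')
SAME = ('alert http any any -> any any (msg:"constructed: same buffer"; '
        'http.uri; byte_extract:1,0,len; byte_test:1,=,len,1; sid:2;)')

def options(rule):
    """Yield (keyword, args) for each option inside the rule's parentheses."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    for opt in re.split(r"(?<!\\);", body):  # split on unescaped ';'
        if opt.strip():
            key, _, args = opt.strip().partition(":")
            yield key.strip(), args.strip()

def cross_buffer_uses(rule):
    """Return (var, defined_in, used_in) for each use outside the defining buffer."""
    buf, defined, hits = "payload", {}, []
    for key, args in options(rule):
        if key in STICKY:
            buf = key  # later keywords inspect this buffer
            continue
        tokens = [t for t in re.split(r"[,\s]+", args) if t]
        if key in CONSUMERS:
            hits += [(t, defined[t], buf) for t in tokens
                     if t in defined and defined[t] != buf]
        if key == "byte_extract" and len(tokens) >= 3:
            defined[tokens[2]] = buf  # byte_extract:<bytes>,<offset>,<name>
        elif key == "byte_math" and "result" in tokens[:-1]:
            defined[tokens[tokens.index("result") + 1]] = buf
    return hits

def load(rule, strict=False):
    """Model the policy: strict mode rejects the rule, default warns and loads."""
    hits = cross_buffer_uses(rule)
    level = "error" if strict else "warning"
    for var, src, dst in hits:
        print(f"{level}: variable '{var}' from {src} used in {dst}")
    return not (strict and hits)

if __name__ == "__main__":
    for rule in (CROSS, SAME):
        print(load(rule), load(rule, strict=True))
```
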
@jlucovsky jlucovsky changed the title 1412/6 detect/var: Restrict var usage to single buffer Jul 19, 2025

codecov bot commented Jul 19, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.70%. Comparing base (2e69e0d) to head (17da193).
⚠️ Report is 36 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #13622      +/-   ##
==========================================
+ Coverage   83.69%   83.70%   +0.01%     
==========================================
  Files        1011     1011              
  Lines      275071   275109      +38     
==========================================
+ Hits       230210   230276      +66     
+ Misses      44861    44833      -28     
Flag Coverage Δ
fuzzcorpus 62.83% <96.15%> (+0.07%) ⬆️
livemode 19.14% <0.00%> (+0.02%) ⬆️
pcap 44.75% <38.46%> (+0.01%) ⬆️
suricata-verify 65.09% <94.87%> (-0.02%) ⬇️
unittests 59.19% <74.35%> (+<0.01%) ⬆️


@suricata-qa

Information: QA ran without warnings.

Pipeline = 27037

@catenacyber catenacyber added the decision-required Waiting on deliberation from the team label Jul 22, 2025
@catenacyber
Contributor

I wonder what we want to do now that 8.0.0 is out and this was not merged in it 😢

@victorjulien victorjulien added the needs rebase Needs rebase to main label Aug 11, 2025
@jufajardini jufajardini removed the decision-required Waiting on deliberation from the team label Aug 11, 2025
@jlucovsky
Contributor Author

Continued in #13716
