jlucovsky
Contributor

Continuation of #13720

Issue: 1412

Extend the checks added for 7549 to include buffers.

Only consider sig matches with compatible ids/lists.

Link to ticket: https://redmine.openinfosecfoundation.org/issues/1412

Describe changes:

  • Extend buffer/variable checks to buffers init data
  • In strict-mode, do not load rules using variables from different buffers.
  • When not in strict mode, issue warning for rules that use variables from different buffers.

Updates:

Provide values to any of the below to override the defaults.

  • To use a Suricata-Verify or Suricata-Update pull request,
    link to the pull request in the respective _BRANCH variable.
  • Leave unused overrides blank or remove.

SV_REPO=
SV_BRANCH=OISF/suricata-verify#2576
SU_REPO=
SU_BRANCH=

Issue: 1412

When in strict mode, issue an error and refuse to load the rule if
variables produced from a different buffer are used with a separate
buffer.

When not in strict mode (default), issue a warning and load the rule.

Only consider sig matches with compatible ids/lists.
Issue 1412

Add mention of byte_{extract,math,test,jump} variable usage
and buffer scope and include how the command line option
strict-rule-keywords affects validation.
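
An added sketch of the check this description outlines (not code from this pull request and not Suricata's implementation): it tracks which buffer each `byte_extract`/`byte_math` variable comes from and flags use under a different buffer, warning by default and refusing the rule in strict mode. The sticky-buffer subset, the `payload` label, the simplified option splitting and both sample rules are assumptions constructed for illustration.

```python
import re

# Assumption: small subset of Suricata sticky-buffer keywords, for illustration.
STICKY = {"http.uri", "http.host", "http.user_agent", "dns.query", "file.data"}
DEFAULT = "payload"  # hypothetical label for the raw payload buffer
# Constructed sample rules: SAME keeps the variable in one buffer, CROSS does not.
SAME = ('alert http any any -> any any (msg:"same buffer"; http.uri; '
        'byte_extract:2,0,len; content:"x"; within:len; sid:1;)')
CROSS = ('alert http any any -> any any (msg:"cross buffer"; http.uri; '
         'byte_extract:2,0,len; http.host; content:"x"; within:len; sid:2;)')


def options(rule):
    """Yield (keyword, value) pairs from the parenthesised option list."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    for opt in body.split(";"):  # simplification: no escaped ';' in the samples
        if opt.strip():
            key, _, val = opt.strip().partition(":")
            yield key.strip(), val.strip()


def defined_var(key, val):
    """Name of the variable a byte_extract/byte_math option creates, or None."""
    if key == "byte_extract":
        parts = [p.strip() for p in val.split(",")]
        return parts[2] if len(parts) > 2 else None
    if key == "byte_math":
        m = re.search(r"\bresult\s+(\w+)", val)
        return m.group(1) if m else None
    return None


def check_rule(rule, strict=False):
    """Return (loaded, messages); strict mode refuses rules with findings."""
    buf, origin, msgs = DEFAULT, {}, []
    for key, val in options(rule):
        if key in STICKY and not val:
            buf = key  # a sticky buffer keyword switches the active buffer
        elif key == "pkt_data":
            buf = DEFAULT
        var = defined_var(key, val)
        # Outside quoted strings, a token naming a known variable is a use.
        for tok in re.split(r"[,\s]+", re.sub(r'"[^"]*"', "", val)):
            if tok != var and tok in origin and origin[tok] != buf:
                level = "error" if strict else "warning"
                msgs.append(f"{level}: {key} uses '{tok}' from {origin[tok]} in {buf}")
        if var:
            origin[var] = buf
    return not (strict and msgs), msgs
```
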

codecov bot commented Sep 3, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.71%. Comparing base (be605ba) to head (7a0cb13).
⚠️ Report is 12 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #13793      +/-   ##
==========================================
- Coverage   83.72%   83.71%   -0.01%     
==========================================
  Files        1011     1011              
  Lines      275117   275154      +37     
==========================================
+ Hits       230328   230350      +22     
- Misses      44789    44804      +15     
Flag Coverage Δ
fuzzcorpus 62.99% <96.10%> (+0.01%) ⬆️
livemode 18.99% <0.00%> (-0.01%) ⬇️
pcap 44.74% <37.66%> (+0.04%) ⬆️
suricata-verify 65.10% <94.80%> (+0.01%) ⬆️
unittests 59.17% <74.02%> (-0.01%) ⬇️


@suricata-qa

Information: QA ran without warnings.

Pipeline = 27329

@jlucovsky
Contributor Author

Continued in #13809

@jlucovsky jlucovsky closed this Sep 7, 2025