[BUGFIX]Clean up hit groups promptly during scanning

2024-04-11 16:16:04 +08:00
parent 1b97f76bf5
commit 580d6faa0f
9 changed files with 294 additions and 255 deletions
--- a/src/inc_internal/maat_compile.h
+++ b/src/inc_internal/maat_compile.h
@@ -96,6 +96,8 @@ int compile_state_update(struct compile_state *compile_state, struct maat *maat_
                         int vtable_id, int custom_compile_tbl_id, int Nth_scan,
                         struct maat_item *hit_items, size_t n_hit_item);

+void compile_state_clear_last_hit_group(struct compile_state *compile_state);
+
 void compile_state_not_logic_update(struct compile_state *compile_state, 
                                    struct compile_runtime *compile_rt,
                                    struct maat *maat_inst, int vtable_id,
--- a/src/inc_internal/maat_limits.h
+++ b/src/inc_internal/maat_limits.h
@@ -19,7 +19,7 @@ extern "C"
 #define MAX_KEYWORDS_STR_LEN  1024
 #define MAX_TAG_STR_LEN       2048
 #define MAX_MAAT_STAT_NUM     64
-#define MAX_NAME_STR_LEN      64
+#define MAX_NAME_STR_LEN      128 
 #define MAX_IP_STR_LEN        64
 #define MAX_INSTANCE_NAME_LEN 15
 #define MAX_GROUP_IDS_STR_LEN 256
--- a/src/maat_api.c
+++ b/src/maat_api.c
@@ -1750,6 +1750,11 @@ static void maat_state_add_hit_group(struct maat_state *state, int table_id,
 {
    struct maat *maat_inst = state->maat_inst;

+    //clear compile_state->last_hit_group
+    if (state != NULL && state->compile_state != NULL) {
+        compile_state_clear_last_hit_group(state->compile_state);
+    }
+
    if (NULL == state->compile_state) {
        state->compile_state = compile_state_new();
        alignment_int64_array_add(maat_inst->stat->compile_state_cnt,
@@ -1792,6 +1797,11 @@ maat_state_activate_hit_not_group(struct maat_state *state, int table_id)
        return;
    }

+    //clear compile_state->last_hit_group
+    if (state != NULL && state->compile_state != NULL) {
+        compile_state_clear_last_hit_group(state->compile_state);
+    }
+
    compile_state_not_logic_update(state->compile_state, compile_rt, maat_inst,
                                   table_id, state->Nth_scan);
 }
--- a/src/maat_compile.c
+++ b/src/maat_compile.c
@@ -2486,7 +2486,6 @@ int compile_state_update(struct compile_state *compile_state, struct maat *maat_
    struct maat_hit_group hit_group;

    utarray_clear(compile_state->this_scan_hit_clauses);
-    utarray_clear(compile_state->last_hit_groups);
    compile_state->this_scan_not_logic = 0;
    compile_state->Nth_scan = Nth_scan;

@@ -2552,6 +2551,15 @@ int compile_state_update(struct compile_state *compile_state, struct maat *maat_
    return hit_cnt;
 }

+void compile_state_clear_last_hit_group(struct compile_state *compile_state)
+{
+    if (NULL == compile_state) {
+        return;
+    }
+
+    utarray_clear(compile_state->last_hit_groups);
+}
+
 void compile_state_not_logic_update(struct compile_state *compile_state,
                                    struct compile_runtime *compile_rt,
                                    struct maat *maat_inst, int vtable_id,
--- a/src/maat_expr.c
+++ b/src/maat_expr.c
@@ -1026,6 +1026,11 @@ int expr_runtime_scan(struct expr_runtime *expr_rt, int thread_id,
                      const char *data, size_t data_len,
                      int vtable_id, struct maat_state *state)
 {
+    //clear compile_state->last_hit_group
+    if (state != NULL && state->compile_state != NULL) {
+        compile_state_clear_last_hit_group(state->compile_state);
+    }
+
    if (0 == expr_rt->rule_num) {
        //empty expr table
        return 0;
@@ -1116,11 +1121,21 @@ int expr_runtime_stream_scan(struct expr_runtime_stream *expr_rt_stream,
                             int vtable_id, struct maat_state *state)
 {
    struct expr_runtime *expr_rt = expr_rt_stream->ref_expr_rt;
+
+    //clear compile_state->last_hit_group
+    if (state != NULL && state->compile_state != NULL) {
+        compile_state_clear_last_hit_group(state->compile_state);
+    }
+
    if (0 == expr_rt->rule_num) {
        //empty expr table
        return 0;
    }

+    if (NULL == expr_rt_stream->handle) {
+        return 0;
+    }
+
    size_t n_hit_item = 0;
    size_t n_hit_pattern = 0;
    struct expr_scan_result hit_results[MAX_HIT_ITEM_NUM];
--- a/src/maat_flag.c
+++ b/src/maat_flag.c
@@ -557,6 +557,11 @@ long long flag_runtime_rule_count(void *flag_runtime)
 int flag_runtime_scan(struct flag_runtime *flag_rt, int thread_id, 
                      long long flag, int vtable_id, struct maat_state *state)
 {
+    //clear compile_state->last_hit_group
+    if (state != NULL && state->compile_state != NULL) {
+        compile_state_clear_last_hit_group(state->compile_state);
+    }
+
    if (0 == flag_rt->rule_num) {
        //empty flag table
        return 0;
--- a/src/maat_interval.c
+++ b/src/maat_interval.c
@@ -559,6 +559,11 @@ long long interval_runtime_rule_count(void *interval_runtime)
 int interval_runtime_scan(struct interval_runtime *interval_rt, int thread_id, 
                          long long integer, int vtable_id, struct maat_state *state)
 {
+    //clear compile_state->last_hit_group
+    if (state != NULL && state->compile_state != NULL) {
+        compile_state_clear_last_hit_group(state->compile_state);
+    }
+
    if (0 == interval_rt->rule_num) {
        //empty interval table
        return 0;
--- a/src/maat_ip.c
+++ b/src/maat_ip.c
@@ -597,11 +597,20 @@ long long ip_runtime_ipv6_rule_count(void *ip_runtime)
 int ip_runtime_scan(struct ip_runtime *ip_rt, int thread_id, int ip_type, 
                    uint8_t *ip_addr, int port, int vtable_id, struct maat_state *state)
 {
+    //clear compile_state->last_hit_group
+    if (state != NULL && state->compile_state != NULL) {
+        compile_state_clear_last_hit_group(state->compile_state);
+    }
+
    if (0 == ip_rt->rule_num) {
        //empty ip table
        return 0;
    }
    
+    if (NULL == ip_rt->ip_matcher) {
+        return 0;
+    }
+
    struct ip_data scan_data;
    struct scan_result ip_results[MAX_HIT_ITEM_NUM];

@@ -619,10 +628,6 @@ int ip_runtime_scan(struct ip_runtime *ip_rt, int thread_id, int ip_type,
    size_t real_hit_item_cnt = 0;
    struct maat_item hit_maat_items[MAX_HIT_ITEM_NUM];

-    if (NULL == ip_rt->ip_matcher) {
-        return 0;
-    }
-
    int n_hit_ip_item = ip_matcher_match(ip_rt->ip_matcher, &scan_data,
                                         ip_results, MAX_HIT_ITEM_NUM);
    if (n_hit_ip_item < 0) {
@@ -642,11 +647,12 @@ int ip_runtime_scan(struct ip_runtime *ip_rt, int thread_id, int ip_type,
            // item config has been deleted
            continue;
        }
-        if(port < 0 && ip_item->port_start!=0 && ip_item->port_end!=65535)
-        {
+
+        if (port < 0 && ip_item->port_start != 0 && ip_item->port_end != 65535) {
            //If port is not speicified, an IP should NOT match rules with port range.
            continue;
        }
+
        if (port >= 0 && (port < ip_item->port_start || port > ip_item->port_end)) {
            //If port is specified, the port should within the port range.
            continue;
--- a/test/maat_framework_gtest.cpp
+++ b/test/maat_framework_gtest.cpp