[Bro] Two strange codes in RuleMatcher.cc

Chen, Huajun chenhj at cn.fujitsu.com
Fri Sep 4 00:15:07 PDT 2015


Hi all,

I found two strange pieces of code in RuleMatcher.cc; they seem to have problems.

Problem 1
-----------------------------------------------------
void RuleMatcher::InsertRuleIntoTree(Rule* r, int testnr,
					RuleHdrTest* dest, int level)
	{
	// Initialize the preconditions
	loop_over_list(r->preconds, i) // This loop should run once per rule (not once per RuleHdrTest of the rule).
		{
		Rule::Precond* pc = r->preconds[i];

		Rule* pc_rule = rules_by_id.Lookup(pc->id);
		if ( ! pc_rule )
			{
			rules_error(r, "unknown rule referenced");
			return;
			}

		pc->rule = pc_rule;
		pc_rule->dependents.append(r);
		}
...
	}
-----------------------------------------------------
The same dependent rule should only be inserted into rule.dependents once, so rule.dependents.append() should be called once per rule (not once per RuleHdrTest of the rule).
And in my test, it really does insert the same dependent rule into rule.dependents many times.



Problem 2
-----------------------------------------------------
void RuleMatcher::Match(RuleEndpointState* state, Rule::PatternType type,
			const u_char* data, int data_len,
			bool bol, bool eol, bool clear)
	{
...

	// Check which of the matching rules really belong to any of our nodes.

	for ( set<Rule*>::const_iterator it = rule_matches.begin();
	      it != rule_matches.end(); ++it )
		{
		Rule* r = *it;

		DBG_LOG(DBG_RULES, "Accepted rule: %s", r->id);

		loop_over_list(state->hdr_tests, k) // The loop over every hdr_test seems useless.
			{
			RuleHdrTest* h = state->hdr_tests[k];

			DBG_LOG(DBG_RULES, "Checking for accepted rule on HdrTest %d", h->id);

			// Skip if rule does not belong to this node.
			if ( ! h->ruleset->Contains(r->Index()) )
				continue;

			DBG_LOG(DBG_RULES, "On current node"); ...
	}
-----------------------------------------------------

I think there must be one and only one HdrTest node that contains the rule; the loop over every hdr_test seems useless.


The attachment is a patch for them, but maybe my judgment is wrong.


--
Best Regards,
Chen Huajun

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bro_strange_code.patch
Type: application/octet-stream
Size: 2333 bytes
Desc: bro_strange_code.patch
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150904/848aef53/attachment-0001.obj 
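
Added example (not part of the original message, the Bro source, or the scrubbed patch): a simplified model of Problem 1, assuming insertion recurses one level per header test as the post describes. The types, function names and the testnr == 0 guard are hypothetical and only illustrate how the duplicate count arises and one way to avoid it.

```cpp
#include <cstddef>
#include <map>
#include <string>
#include <vector>

// Simplified model (assumption): a rule has some header tests and a list of
// precondition rule ids; inserting it descends one level per header test.
struct Rule {
    std::string id;
    int hdr_tests;                      // number of header tests on the rule
    std::vector<std::string> preconds;  // ids of rules this rule requires
    std::vector<Rule*> dependents;      // rules naming this one as precondition
};

using RuleTable = std::map<std::string, Rule*>;

// Links r into the dependents list of every rule it references.
static void resolve_preconds(Rule* r, RuleTable& by_id) {
    for (const std::string& pid : r->preconds) {
        auto it = by_id.find(pid);
        if (it != by_id.end())
            it->second->dependents.push_back(r);
    }
}

// Behaviour described in Problem 1: resolution runs at every recursion level.
void insert_per_level(Rule* r, int testnr, RuleTable& by_id) {
    resolve_preconds(r, by_id);
    if (testnr < r->hdr_tests)
        insert_per_level(r, testnr + 1, by_id);
}

// One possible guard (hypothetical): resolve only on the outermost call.
void insert_once(Rule* r, int testnr, RuleTable& by_id) {
    if (testnr == 0)
        resolve_preconds(r, by_id);
    if (testnr < r->hdr_tests)
        insert_once(r, testnr + 1, by_id);
}

// Returns how often "dep" appears in base.dependents after inserting a rule
// with n_tests header tests, using the chosen insertion variant.
std::size_t dependents_after_insert(int n_tests, bool guarded) {
    Rule base{"base", 0, {}, {}};
    Rule dep{"dep", n_tests, {"base"}, {}};
    RuleTable by_id{{"base", &base}, {"dep", &dep}};
    if (guarded) insert_once(&dep, 0, by_id);
    else         insert_per_level(&dep, 0, by_id);
    return base.dependents.size();
}
```

In this model a rule with N header tests is appended N + 1 times without the guard and exactly once with it.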

