From 1a9460f9fe26ec98193890423ba70a1f9e6afe4d Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Tue, 17 Dec 2024 07:56:42 -0500
Subject: [PATCH] detect/content: account for distance variables

Under some cases (see the issue), the depth and offset values are used twice. This commit disregards the distance variable (if any), when computing the final depth.

Issue: 7390
---
 src/detect-engine-content-inspection.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c
index e43e693b215..e4e632765c1 100644
--- a/src/detect-engine-content-inspection.c
+++ b/src/detect-engine-content-inspection.c
@@ -182,6 +182,8 @@ static int DetectEngineContentInspectionInternal(DetectEngineThreadCtx *det_ctx,
 }
 if (stream_start_offset != 0 && prev_buffer_offset == 0) {
+ SCLogDebug("stream_start_offset: %" PRIi32 ", depth %" PRIu32,
+ stream_start_offset, depth);
 if (depth <= stream_start_offset) {
 goto no_match;
 } else if (depth >= (stream_start_offset + buffer_len)) {
@@ -189,6 +191,8 @@ static int DetectEngineContentInspectionInternal(DetectEngineThreadCtx *det_ctx,
 } else {
 depth = depth - stream_start_offset;
 }
+ SCLogDebug("depth is now %" PRIu32 ", stream_start_offset: %" PRIi32, depth,
+ stream_start_offset);
 }
 }
@@ -202,7 +206,10 @@ static int DetectEngineContentInspectionInternal(DetectEngineThreadCtx *det_ctx,
 depth = prev_buffer_offset + cd->depth;
 }
- SCLogDebug("cd->depth %"PRIu32", depth %"PRIu32, cd->depth, depth);
+ SCLogDebug("cd->depth %" PRIu32 ", depth %" PRIu32
+ " , prev_offset %" PRIi32,
+ cd->depth, depth, prev_buffer_offset);
+ depth += offset;
 }
 }
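Review bot: `stream_start_offset` in the first two hunks and `prev_buffer_offset` in the third are logged with `PRIi32`, although both are compared with or added to `depth`, which is logged as `PRIu32`. Their declarations are outside the hunks; if they are `uint32_t`, the specifier should be `PRIu32`, otherwise values above `INT32_MAX` print as negative and mislead anyone tracing the depth arithmetic in a debug build. The third hunk's message labels `prev_buffer_offset` as `prev_offset`, which the comment at the end of the last hunk suggests is a different variable, and has a stray space in `" , prev_offset %"`; `", prev_buffer_offset %" PRIu32` would avoid both.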
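Review bot: The `depth += offset;` added at the end of the third hunk is unconditional within its branch, while the block changed in the last hunk still adds `offset` to `depth` whenever `DETECT_CONTENT_OFFSET_VAR` or `DETECT_CONTENT_DEPTH_VAR` is set. If one content match can reach both statements, the offset is counted twice, which is the condition the commit message sets out to remove for distance variables. The control flow between the two statements lies outside the hunks, so this needs checking against the full function. Because `depth` bounds which bytes a rule inspects, the new line should carry a comment stating when it applies, such as `/* depth is made relative to offset here; the *_VAR block below must not add it again */`, and a rule test combining an offset variable with a fixed depth would pin the behaviour.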
@@ -246,8 +253,8 @@ static int DetectEngineContentInspectionInternal(DetectEngineThreadCtx *det_ctx,
 /* If the value came from a variable, make sure to adjust the depth so it's relative
 * to the offset value. */
- if (cd->flags & (DETECT_CONTENT_DISTANCE_VAR|DETECT_CONTENT_OFFSET_VAR|DETECT_CONTENT_DEPTH_VAR)) {
- depth += offset;
+ if (cd->flags & (DETECT_CONTENT_OFFSET_VAR | DETECT_CONTENT_DEPTH_VAR)) {
+ depth += offset;
 }
 /* update offset with prev_offset if we're searching for
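Review bot: The comment above the condition still reads "If the value came from a variable", but the mask no longer includes `DETECT_CONTENT_DISTANCE_VAR`, so the comment now describes behaviour the code no longer has. A later reader could put the flag back as an apparent omission and reintroduce the double adjustment that the commit message describes. I would extend the comment with one sentence such as `Distance variables are excluded on purpose: their offset is already reflected in depth (issue 7390).`, worded to match whatever the earlier code path actually guarantees. The enclosing function starts and ends outside this hunk.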