If we pass the following sequence as event input:
- field name "seqfield2"
- seq. len.: 4
- sequence array: "testA" (5 characters),
The following filters do not have the intended effect:
* 'seqfield2=="testA"'
- expected: no match.
- actual behavior: match.
* 'seqfield2=="test"'
- expected: match.
- actual behavior: no match.
This is caused by an off-by-one in the comparison with sequence length
in the filter bytecode interpreter.
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
for (;;) {
int escaped_r0 = 0;
for (;;) {
int escaped_r0 = 0;
- if (unlikely(p - estack_bx(stack, top)->u.s.str > estack_bx(stack, top)->u.s.seq_len || *p == '\0')) {
- if (q - estack_ax(stack, top)->u.s.str > estack_ax(stack, top)->u.s.seq_len || *q == '\0') {
+ if (unlikely(p - estack_bx(stack, top)->u.s.str >= estack_bx(stack, top)->u.s.seq_len || *p == '\0')) {
+ if (q - estack_ax(stack, top)->u.s.str >= estack_ax(stack, top)->u.s.seq_len || *q == '\0') {
return 0;
} else {
if (estack_ax(stack, top)->u.s.literal) {
return 0;
} else {
if (estack_ax(stack, top)->u.s.literal) {
- if (unlikely(q - estack_ax(stack, top)->u.s.str > estack_ax(stack, top)->u.s.seq_len || *q == '\0')) {
- if (p - estack_bx(stack, top)->u.s.str > estack_bx(stack, top)->u.s.seq_len || *p == '\0') {
+ if (unlikely(q - estack_ax(stack, top)->u.s.str >= estack_ax(stack, top)->u.s.seq_len || *q == '\0')) {
+ if (p - estack_bx(stack, top)->u.s.str >= estack_bx(stack, top)->u.s.seq_len || *p == '\0') {
return 0;
} else {
if (estack_bx(stack, top)->u.s.literal) {
return 0;
} else {
if (estack_bx(stack, top)->u.s.literal) {