authorliuwentan <[email protected]>2024-04-11 16:16:04 +0800
committerliuwentan <[email protected]>2024-04-11 16:16:04 +0800
commit580d6faa0f4ba26be3d1ee10c96e673157002b4d (patch)
treea5f40d3eee8075ea0ec79d389a12638dfea681f2 /src
parent1b97f76bf5b77a148a0dcf290eafb72e8d18a53f (diff)
[BUGFIX]Clean up hit groups promptly during scanningv4.1.35
Diffstat (limited to 'src')
-rw-r--r--src/inc_internal/maat_compile.h2
-rw-r--r--src/inc_internal/maat_limits.h2
-rw-r--r--src/maat_api.c10
-rw-r--r--src/maat_compile.c10
-rw-r--r--src/maat_expr.c15
-rw-r--r--src/maat_flag.c5
-rw-r--r--src/maat_interval.c5
-rw-r--r--src/maat_ip.c20
8 files changed, 60 insertions, 9 deletions
diff --git a/src/inc_internal/maat_compile.h b/src/inc_internal/maat_compile.h
index 76b9a1a..d4d5c51 100644
--- a/src/inc_internal/maat_compile.h
+++ b/src/inc_internal/maat_compile.h
@@ -96,6 +96,8 @@ int compile_state_update(struct compile_state *compile_state, struct maat *maat_
int vtable_id, int custom_compile_tbl_id, int Nth_scan,
struct maat_item *hit_items, size_t n_hit_item);
+void compile_state_clear_last_hit_group(struct compile_state *compile_state);
+
void compile_state_not_logic_update(struct compile_state *compile_state,
struct compile_runtime *compile_rt,
struct maat *maat_inst, int vtable_id,
diff --git a/src/inc_internal/maat_limits.h b/src/inc_internal/maat_limits.h
index 628a46e..45b9f1a 100644
--- a/src/inc_internal/maat_limits.h
+++ b/src/inc_internal/maat_limits.h
@@ -19,7 +19,7 @@ extern "C"
#define MAX_KEYWORDS_STR_LEN 1024
#define MAX_TAG_STR_LEN 2048
#define MAX_MAAT_STAT_NUM 64
-#define MAX_NAME_STR_LEN 64
+#define MAX_NAME_STR_LEN 128
#define MAX_IP_STR_LEN 64
#define MAX_INSTANCE_NAME_LEN 15
#define MAX_GROUP_IDS_STR_LEN 256
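Review bot: The change of MAX_NAME_STR_LEN from 64 to 128 is not covered by the commit title, which describes only the hit-group cleanup, so its motivation should be recorded in the description or in a comment at the define. If any struct exposes a `char name[MAX_NAME_STR_LEN]` field to other modules, or any copy into such a field is bounded by a literal 64 rather than the macro, doubling the limit silently changes that layout or leaves a truncation mismatch; the users are not visible from this hunk, so this is a check to run rather than a defect found. A one-line comment such as `/* bound for rule/table name buffers; size all such buffers with this macro, never a literal */` would make the intent explicit.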
diff --git a/src/maat_api.c b/src/maat_api.c
index ea58819..21bfd17 100644
--- a/src/maat_api.c
+++ b/src/maat_api.c
@@ -1750,6 +1750,11 @@ static void maat_state_add_hit_group(struct maat_state *state, int table_id,
{
struct maat *maat_inst = state->maat_inst;
+ //clear compile_state->last_hit_group
+ if (state != NULL && state->compile_state != NULL) {
+ compile_state_clear_last_hit_group(state->compile_state);
+ }
+
if (NULL == state->compile_state) {
state->compile_state = compile_state_new();
alignment_int64_array_add(maat_inst->stat->compile_state_cnt,
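Review bot: The `state != NULL` half of the new guard at the top of maat_state_add_hit_group is dead: the line above it already reads `state->maat_inst`, and the unchanged `if (NULL == state->compile_state)` that follows dereferences state again, so a NULL state crashes before or after the check regardless. The same applies to the second hunk of this file in maat_state_activate_hit_not_group, where `compile_state_not_logic_update(state->compile_state, ...)` follows the guard unconditionally; that function's start lies outside the hunk. Either reduce the guard to `if (state->compile_state != NULL) compile_state_clear_last_hit_group(state->compile_state);` or, if state can genuinely be NULL here, move the test ahead of the first dereference and return from the function. As written it reads as though NULL were handled when it is not; note also that compile_state_clear_last_hit_group already tolerates a NULL argument, so the inner check is redundant as well.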
@@ -1792,6 +1797,11 @@ maat_state_activate_hit_not_group(struct maat_state *state, int table_id)
return;
}
+ //clear compile_state->last_hit_group
+ if (state != NULL && state->compile_state != NULL) {
+ compile_state_clear_last_hit_group(state->compile_state);
+ }
+
compile_state_not_logic_update(state->compile_state, compile_rt, maat_inst,
table_id, state->Nth_scan);
}
diff --git a/src/maat_compile.c b/src/maat_compile.c
index c5df792..3849082 100644
--- a/src/maat_compile.c
+++ b/src/maat_compile.c
@@ -2486,7 +2486,6 @@ int compile_state_update(struct compile_state *compile_state, struct maat *maat_
struct maat_hit_group hit_group;
utarray_clear(compile_state->this_scan_hit_clauses);
- utarray_clear(compile_state->last_hit_groups);
compile_state->this_scan_not_logic = 0;
compile_state->Nth_scan = Nth_scan;
@@ -2552,6 +2551,15 @@ int compile_state_update(struct compile_state *compile_state, struct maat *maat_
return hit_cnt;
}
+void compile_state_clear_last_hit_group(struct compile_state *compile_state)
+{
+ if (NULL == compile_state) {
+ return;
+ }
+
+ utarray_clear(compile_state->last_hit_groups);
+}
+
void compile_state_not_logic_update(struct compile_state *compile_state,
struct compile_runtime *compile_rt,
struct maat *maat_inst, int vtable_id,
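Review bot: compile_state_clear_last_hit_group has no comment stating its contract, and the contract matters because the first hunk of this file removes `utarray_clear(compile_state->last_hit_groups)` from compile_state_update: from this commit on, stale groups are dropped only if every scan entry point calls the new helper first. A scan path added later that omits the call will carry the previous scan's hit groups into its own result, which is exactly the bug this commit fixes. Suggest documenting this at the definition (and at the prototype in maat_compile.h): `/* Drop the hit groups recorded by the previous scan. Must be called at the start of every scan entry point, since compile_state_update() no longer clears last_hit_groups itself. Tolerates NULL. */`. A one-line comment at the removal site in compile_state_update pointing to the helper would also help the next reader.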
diff --git a/src/maat_expr.c b/src/maat_expr.c
index 9b46268..5f7a4e7 100644
--- a/src/maat_expr.c
+++ b/src/maat_expr.c
@@ -1026,6 +1026,11 @@ int expr_runtime_scan(struct expr_runtime *expr_rt, int thread_id,
const char *data, size_t data_len,
int vtable_id, struct maat_state *state)
{
+ //clear compile_state->last_hit_group
+ if (state != NULL && state->compile_state != NULL) {
+ compile_state_clear_last_hit_group(state->compile_state);
+ }
+
if (0 == expr_rt->rule_num) {
//empty expr table
return 0;
@@ -1116,11 +1121,21 @@ int expr_runtime_stream_scan(struct expr_runtime_stream *expr_rt_stream,
int vtable_id, struct maat_state *state)
{
struct expr_runtime *expr_rt = expr_rt_stream->ref_expr_rt;
+
+ //clear compile_state->last_hit_group
+ if (state != NULL && state->compile_state != NULL) {
+ compile_state_clear_last_hit_group(state->compile_state);
+ }
+
if (0 == expr_rt->rule_num) {
//empty expr table
return 0;
}
+ if (NULL == expr_rt_stream->handle) {
+ return 0;
+ }
+
size_t n_hit_item = 0;
size_t n_hit_pattern = 0;
struct expr_scan_result hit_results[MAX_HIT_ITEM_NUM];
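Review bot: The new `if (NULL == expr_rt_stream->handle) return 0;` in expr_runtime_stream_scan reports a missing stream handle as zero hits, which a caller cannot distinguish from a successful scan that matched nothing. If a NULL handle means the stream was never initialized or has already been released — I cannot tell from this hunk — a negative return would match the error convention visible elsewhere in this commit (`if (n_hit_ip_item < 0)` in maat_ip.c), and a comment should state which case is intended, e.g. `// no stream handle: treat as a no-op scan, not an error`. The equivalent `ip_matcher` check in ip_runtime_scan also returns 0, so if this is the deliberate convention a comment alone is sufficient. The body of expr_runtime_stream_scan continues past the hunk.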
diff --git a/src/maat_flag.c b/src/maat_flag.c
index 52fe57a..5697684 100644
--- a/src/maat_flag.c
+++ b/src/maat_flag.c
@@ -557,6 +557,11 @@ long long flag_runtime_rule_count(void *flag_runtime)
int flag_runtime_scan(struct flag_runtime *flag_rt, int thread_id,
long long flag, int vtable_id, struct maat_state *state)
{
+ //clear compile_state->last_hit_group
+ if (state != NULL && state->compile_state != NULL) {
+ compile_state_clear_last_hit_group(state->compile_state);
+ }
+
if (0 == flag_rt->rule_num) {
//empty flag table
return 0;
diff --git a/src/maat_interval.c b/src/maat_interval.c
index 3d7a825..c25b16c 100644
--- a/src/maat_interval.c
+++ b/src/maat_interval.c
@@ -559,6 +559,11 @@ long long interval_runtime_rule_count(void *interval_runtime)
int interval_runtime_scan(struct interval_runtime *interval_rt, int thread_id,
long long integer, int vtable_id, struct maat_state *state)
{
+ //clear compile_state->last_hit_group
+ if (state != NULL && state->compile_state != NULL) {
+ compile_state_clear_last_hit_group(state->compile_state);
+ }
+
if (0 == interval_rt->rule_num) {
//empty interval table
return 0;
diff --git a/src/maat_ip.c b/src/maat_ip.c
index eeed055..2f38b98 100644
--- a/src/maat_ip.c
+++ b/src/maat_ip.c
@@ -597,11 +597,20 @@ long long ip_runtime_ipv6_rule_count(void *ip_runtime)
int ip_runtime_scan(struct ip_runtime *ip_rt, int thread_id, int ip_type,
uint8_t *ip_addr, int port, int vtable_id, struct maat_state *state)
{
+ //clear compile_state->last_hit_group
+ if (state != NULL && state->compile_state != NULL) {
+ compile_state_clear_last_hit_group(state->compile_state);
+ }
+
if (0 == ip_rt->rule_num) {
//empty ip table
return 0;
}
+ if (NULL == ip_rt->ip_matcher) {
+ return 0;
+ }
+
struct ip_data scan_data;
struct scan_result ip_results[MAX_HIT_ITEM_NUM];
@@ -619,10 +628,6 @@ int ip_runtime_scan(struct ip_runtime *ip_rt, int thread_id, int ip_type,
size_t real_hit_item_cnt = 0;
struct maat_item hit_maat_items[MAX_HIT_ITEM_NUM];
- if (NULL == ip_rt->ip_matcher) {
- return 0;
- }
-
int n_hit_ip_item = ip_matcher_match(ip_rt->ip_matcher, &scan_data,
ip_results, MAX_HIT_ITEM_NUM);
if (n_hit_ip_item < 0) {
@@ -642,12 +647,13 @@ int ip_runtime_scan(struct ip_runtime *ip_rt, int thread_id, int ip_type,
// item config has been deleted
continue;
}
- if(port < 0 && ip_item->port_start!=0 && ip_item->port_end!=65535)
- {
+
+ if (port < 0 && ip_item->port_start != 0 && ip_item->port_end != 65535) {
//If port is not speicified, an IP should NOT match rules with port range.
continue;
}
- if(port >= 0 && (port<ip_item->port_start || port>ip_item->port_end)){
+
+ if (port >= 0 && (port < ip_item->port_start || port > ip_item->port_end)) {
//If port is specified, the port should within the port range.
continue;
}