http2/detect: http2.window can now use index

catenacyber · catenacyber · commit 366e49ffb587 · 2025-09-09T16:11:13.000+02:00
Ticket: 7480
diff --git a/doc/userguide/rules/http2-keywords.rst b/doc/userguide/rules/http2-keywords.rst
@@ -63,6 +63,8 @@ Match on the value of the HTTP2 value field present in a WINDOWUPDATE frame.
 
 http2.window uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
 
+http2.window is also a :ref:`multi-integer <multi-integers>`.
+
 This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:
 
 * ``>`` (greater than)
diff --git a/rust/src/detect/uint.rs b/rust/src/detect/uint.rs
@@ -603,6 +603,26 @@ pub unsafe extern "C" fn SCDetectU8ArrayParse(
     return std::ptr::null_mut();
 }
 
+#[no_mangle]
+pub unsafe extern "C" fn SCDetectU32Free(ctx: &mut DetectUintData<u32>) {
+    // Just unbox...
+    std::mem::drop(Box::from_raw(ctx));
+}
+
+#[no_mangle]
+pub unsafe extern "C" fn SCDetectU32ArrayParse(
+    ustr: *const std::os::raw::c_char,
+) -> *mut c_void {
+    let ft_name: &CStr = CStr::from_ptr(ustr); //unsafe
+    if let Ok(s) = ft_name.to_str() {
+        if let Some(ctx) = detect_parse_array_uint::<u32>(s) {
+            let boxed = Box::new(ctx);
+            return Box::into_raw(boxed) as *mut c_void;
+        }
+    }
+    return std::ptr::null_mut();
+}
+
 #[no_mangle]
 pub unsafe extern "C" fn SCDetectU8ArrayFree(ctx: &mut DetectUintArrayData<u8>) {
     std::mem::drop(Box::from_raw(ctx));
diff --git a/rust/src/http2/detect.rs b/rust/src/http2/detect.rs
@@ -164,40 +164,30 @@ pub unsafe extern "C" fn SCHttp2PriorityMatch(
     return http2_match_priority(tx, direction.into(), ctx);
 }
 
-fn http2_tx_get_next_window(
-    tx: &HTTP2Transaction, direction: Direction, nb: u32,
+fn get_http2_window(frame: &HTTP2Frame) -> Option<u8> {
+    if let HTTP2FrameTypeData::WINDOWUPDATE(wu) = &frame.data {
+        return Some(return wu.sizeinc);
+    }
+    return None;
+}
+
+fn http2_match_window(
+    tx: &HTTP2Transaction, direction: Direction, ctx: &DetectUintArrayData<u32>,
 ) -> std::os::raw::c_int {
-    let mut pos = 0_u32;
-    if direction == Direction::ToServer {
-        for i in 0..tx.frames_ts.len() {
-            if let HTTP2FrameTypeData::WINDOWUPDATE(wu) = tx.frames_ts[i].data {
-                if pos == nb {
-                    return wu.sizeinc as i32;
-                } else {
-                    pos += 1;
-                }
-            }
-        }
+    let frames = if direction == Direction::ToServer {
+        &tx.frames_ts
     } else {
-        for i in 0..tx.frames_tc.len() {
-            if let HTTP2FrameTypeData::WINDOWUPDATE(wu) = tx.frames_tc[i].data {
-                if pos == nb {
-                    return wu.sizeinc as i32;
-                } else {
-                    pos += 1;
-                }
-            }
-        }
-    }
-    return -1;
+        &tx.frames_tc
+    };
 }
 
 #[no_mangle]
-pub unsafe extern "C" fn SCHttp2TxGetNextWindow(
-    tx: *mut std::os::raw::c_void, direction: u8, nb: u32,
+pub unsafe extern "C" fn SCHttp2WindowMatch(
+    tx: *mut std::os::raw::c_void, direction: u8, ctx: *const std::os::raw::c_void,
 ) -> std::os::raw::c_int {
     let tx = cast_pointer!(tx, HTTP2Transaction);
-    return http2_tx_get_next_window(tx, direction.into(), nb);
+    let ctx = cast_pointer!(ctx, DetectUintArrayData<u32>);
+    return http2_match_window(tx, direction.into(), ctx);
 }
 
 #[no_mangle]
diff --git a/src/detect-http2.c b/src/detect-http2.c
@@ -414,17 +414,7 @@ static int DetectHTTP2windowMatch(DetectEngineThreadCtx *det_ctx,
                                const SigMatchCtx *ctx)
 
 {
-    uint32_t nb = 0;
-    int value = SCHttp2TxGetNextWindow(txv, flags, nb);
-    const DetectU32Data *du32 = (const DetectU32Data *)ctx;
-    while (value >= 0) {
-        if (DetectU32Match(value, du32)) {
-            return 1;
-        }
-        nb++;
-        value = SCHttp2TxGetNextWindow(txv, flags, nb);
-    }
-    return 0;
+    return SCHttp2WindowMatch(txv, flags, ctx);
 }
 
 /**
@@ -442,7 +432,7 @@ static int DetectHTTP2windowSetup (DetectEngineCtx *de_ctx, Signature *s, const
     if (SCDetectSignatureSetAppProto(s, ALPROTO_HTTP2) != 0)
         return -1;
 
-    DetectU32Data *wu = DetectU32Parse(str);
+    DetectU32Data *wu = SCDetectU32ArrayParse(str);
     if (wu == NULL)
         return -1;
 
@@ -462,7 +452,7 @@ static int DetectHTTP2windowSetup (DetectEngineCtx *de_ctx, Signature *s, const
  */
 void DetectHTTP2windowFree(DetectEngineCtx *de_ctx, void *ptr)
 {
-    SCDetectU32Free(ptr);
+    SCDetectU32ArrayFree(ptr);
 }
 
 /**
