From 1356c98372c09d83f664a11e56e4401df3969931 Mon Sep 17 00:00:00 2001
From: Philippe Antoine <pantoine@oisf.net>
Date: Thu, 30 Nov 2023 14:47:14 +0100
Subject: [PATCH] detect: negated content matches on absent buffer

Ticket: 2224
---
 src/detect-engine.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/detect-engine.c b/src/detect-engine.c
index 4cf145df6e2b..dc139e2c78ef 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -2192,6 +2192,12 @@ uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineTh
     const InspectionBuffer *buffer = engine->v2.GetData(det_ctx, transforms,
             f, flags, txv, list_id);
     if (unlikely(buffer == NULL)) {
+        if (eof && engine->smd->type == DETECT_CONTENT) {
+            DetectContentData *cd = (DetectContentData *)engine->smd->ctx;
+            if (cd->flags & DETECT_CONTENT_NEGATED) {
+                return DETECT_ENGINE_INSPECT_SIG_MATCH;
+            }
+        }
         return eof ? DETECT_ENGINE_INSPECT_SIG_CANT_MATCH :
                      DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
     }