Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-09 01:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fixes for various btest issues

Browse source 
- Fix handling of truncated ethernet headers, fix core.truncation test output
- Update commit hashes for external private test repo
This commit is contained in:
Tim Wojtulewicz 2020-07-13 16:46:39 -07:00
parent 1c3ded7dd5
commit 08ceea8de1
3 changed files with 25 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/packet_analysis/protocol/default/Default.cc
View file

@ -17,7 +17,7 @@ std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identif
// Assume we're pointing at IP. Just figure out which version. // Assume we're pointing at IP. Just figure out which version.
if ( pdata + sizeof(struct ip) >= packet->GetEndOfData() ) if ( pdata + sizeof(struct ip) >= packet->GetEndOfData() )
{ {
packet->Weird("default_ll_analyser_failed"); packet->Weird("packet_analyzer_truncated_header");
return { AnalyzerResult::Failed, 0 }; return { AnalyzerResult::Failed, 0 };
} }

8
src/packet_analysis/protocol/ethernet/Ethernet.cc
View file

@ -15,6 +15,14 @@ std::tuple<zeek::packet_analysis::AnalyzerResult, zeek::packet_analysis::identif
auto& pdata = packet->cur_pos; auto& pdata = packet->cur_pos;
auto end_of_data = packet->GetEndOfData(); auto end_of_data = packet->GetEndOfData();
// Make sure that we actually got an entire ethernet header before trying
// to pull bytes out of it.
if ( pdata + 16 >= end_of_data )
{
packet->Weird("truncated_ethernet_frame");
return { AnalyzerResult::Failed, 0 };
}
// Skip past Cisco FabricPath to encapsulated ethernet frame. // Skip past Cisco FabricPath to encapsulated ethernet frame.
if ( pdata[12] == 0x89 && pdata[13] == 0x03 ) if ( pdata[12] == 0x89 && pdata[13] == 0x03 )
{ {

32
testing/btest/Baseline/core.truncation/output
View file

@ -3,78 +3,78 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path weird #path weird
#open 2020-07-02-14-29-19 #open 2020-07-14-01-19-19
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string #types time string addr port addr port string string bool string
1334160095.895421 - - - - - truncated_IP - F zeek 1334160095.895421 - - - - - truncated_IP - F zeek
#close 2020-07-02-14-29-19 #close 2020-07-14-01-19-19
#separator \x09 #separator \x09
#set_separator , #set_separator ,
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path weird #path weird
#open 2020-07-02-14-29-20 #open 2020-07-14-01-19-20
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string #types time string addr port addr port string string bool string
1334156241.519125 - - - - - truncated_IP - F zeek 1334156241.519125 - - - - - truncated_IP - F zeek
#close 2020-07-02-14-29-20 #close 2020-07-14-01-19-20
#separator \x09 #separator \x09
#set_separator , #set_separator ,
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path weird #path weird
#open 2020-07-02-14-29-20 #open 2020-07-14-01-19-21
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string #types time string addr port addr port string string bool string
1334094648.590126 - - - - - truncated_IP - F zeek 1334094648.590126 - - - - - truncated_IP - F zeek
#close 2020-07-02-14-29-20 #close 2020-07-14-01-19-21
#separator \x09 #separator \x09
#set_separator , #set_separator ,
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path weird #path weird
#open 2020-07-02-14-29-21 #open 2020-07-14-01-19-23
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string #types time string addr port addr port string string bool string
1338328954.078361 - - - - - internally_truncated_header - F zeek 1338328954.078361 - - - - - internally_truncated_header - F zeek
#close 2020-07-02-14-29-21 #close 2020-07-14-01-19-23
#separator \x09 #separator \x09
#set_separator , #set_separator ,
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path weird #path weird
#open 2020-07-02-14-29-21 #open 2020-07-14-01-19-24
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string #types time string addr port addr port string string bool string
0.000000 - - - - - truncated_ethernet_frame - F zeek 0.000000 - - - - - truncated_ethernet_frame - F zeek
#close 2020-07-02-14-29-21 #close 2020-07-14-01-19-24
#separator \x09 #separator \x09
#set_separator , #set_separator ,
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path weird #path weird
#open 2020-07-02-14-29-21 #open 2020-07-14-01-19-25
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string #types time string addr port addr port string string bool string
1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 invalid_IP_header_size - F zeek 1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 invalid_IP_header_size - F zeek
#close 2020-07-02-14-29-21 #close 2020-07-14-01-19-25
#separator \x09 #separator \x09
#set_separator , #set_separator ,
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path weird #path weird
#open 2020-07-02-14-29-21 #open 2020-07-14-01-19-26
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string #types time string addr port addr port string string bool string
1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 internally_truncated_header - F zeek 1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 internally_truncated_header - F zeek
#close 2020-07-02-14-29-22 #close 2020-07-14-01-19-26
#separator \x09 #separator \x09
#set_separator , #set_separator ,
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path weird #path weird
#open 2020-07-02-14-29-22 #open 2020-07-14-01-19-27
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string #types time string addr port addr port string string bool string
1500557630.000000 - 0.255.0.255 0 15.254.2.1 0 invalid_IP_header_size_in_tunnel - F zeek 1500557630.000000 - 0.255.0.255 0 15.254.2.1 0 invalid_IP_header_size_in_tunnel - F zeek
#close 2020-07-02-14-29-22 #close 2020-07-14-01-19-27