ftp/main: Skip get_pending_command() for intermediate reply lines

Intermediate lines of multiline replies usually do not contain valid status codes (even if servers may opt to include them). Their content may be anything and likely unrelated to the original command. There's little reason for us trying to match them with a corresponding command. OSS-Fuzz generated a large command reply with very many intermediate lines which caused long processing times due to matching every line with all currently pending commands. This is a DoS vector against Zeek. The new ipv6-multiline-reply.trace and ipv6-retr-samba.trace files have been extracted from the external ipv6.trace.
2025-10-08 01:28:20 +00:00 · 2023-02-20 15:32:27 +01:00 · 2023-02-20 15:32:27 +01:00 · 1b3e8a611e
commit 1b3e8a611e
parent 71f487bd20
12 changed files with 128 additions and 2 deletions
--- a/testing/btest/scripts/base/protocols/ftp/ftp-multiline-reply.zeek
+++ b/testing/btest/scripts/base/protocols/ftp/ftp-multiline-reply.zeek
@ -0,0 +1,13 @@
+# @TEST-DOC: Tests that c$ftp$reply_msg stays the same over a multiline reply.
+# @TEST-EXEC: zeek -b -r $TRACES/ftp/ipv6-multiline-reply.trace %INPUT > out
+# @TEST-EXEC: btest-diff ftp.log
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/conn
+@load base/protocols/ftp
+
+redef FTP::logged_commands += { "<init>", "USER", "PASS" };
+
+event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) {
+	print "ftp_reply", cont_resp, code, cat(c$ftp$reply_msg);
+}