From 1db7a222a02e30bf8faefd6140cb68d2f65a0b72 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Wed, 15 Jan 2020 12:43:16 -0800
Subject: [PATCH] Handle invalid Base64 encodings in FTP ADAT analyzer

---
 src/analyzer/protocol/ftp/FTP.cc                |  12 ++++++++++--
 .../weird.log                                   |  11 +++++++++++
 .../Traces/globus-url-copy-bad-encoding.trace   | Bin 0 -> 21556 bytes
 .../base/protocols/ftp/bad-adat-encoding.zeek   |   2 ++
 4 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ftp.bad-adat-encoding/weird.log
 create mode 100644 testing/btest/Traces/globus-url-copy-bad-encoding.trace
 create mode 100644 testing/btest/scripts/base/protocols/ftp/bad-adat-encoding.zeek

diff --git a/src/analyzer/protocol/ftp/FTP.cc b/src/analyzer/protocol/ftp/FTP.cc
index 39d034c616..97ce54c481 100644
--- a/src/analyzer/protocol/ftp/FTP.cc
+++ b/src/analyzer/protocol/ftp/FTP.cc
@@ -224,8 +224,16 @@ void FTP_ADAT_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 				// framing is supposed to be required for the initial context
 				// token, but GSI doesn't do that and starts right in on a
 				// TLS/SSL handshake, so look for that to identify it.
-				const u_char* msg = decoded_adat->Bytes();
-				int msg_len = decoded_adat->Len();
+				const u_char* msg = nullptr;
+				int msg_len = 0;
+
+				if ( decoded_adat )
+					{
+					msg = decoded_adat->Bytes();
+					msg_len = decoded_adat->Len();
+					}
+				else
+					Weird("ftp_adat_bad_first_token_encoding");
 
 				// Just check that it looks like a viable TLS/SSL handshake
 				// record from the first byte (content type of 0x16) and
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.bad-adat-encoding/weird.log b/testing/btest/Baseline/scripts.base.protocols.ftp.bad-adat-encoding/weird.log
new file mode 100644
index 0000000000..a64ac860c3
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.bad-adat-encoding/weird.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open	2020-01-15-20-41-16
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
+#types	time	string	addr	port	addr	port	string	string	bool	string
+1348168976.514202	CHhAvVGS1DHFjwGM9	192.168.57.103	60108	192.168.57.101	2811	base64_illegal_encoding	character 32 ignored by Base64 decoding	F	zeek
+1348168976.514202	CHhAvVGS1DHFjwGM9	192.168.57.103	60108	192.168.57.101	2811	ftp_adat_bad_first_token_encoding	-	F	zeek
+#close	2020-01-15-20-41-16
diff --git a/testing/btest/Traces/globus-url-copy-bad-encoding.trace b/testing/btest/Traces/globus-url-copy-bad-encoding.trace
new file mode 100644
index 0000000000000000000000000000000000000000..1a6d84c9ee5f5a60d2b989ddf6410e282bfa2628
GIT binary patch
literal 21556
zcmeHvd6?VO*{^4kkOT-@Sj!el`G6W?t+rgCM4KhqmStJ8B|8-GDtVI^*_N%)0!dj4
zW#4HjNui`=3#F8;tfdgPvb6MT%l?(N>}y-f&OP#ELT2F0bD!tl-tYd=d7d*fKAw5?
zp5J-T?_JJ0e&U|%*G&56`li1={nY21057&{E>FG)&-F#Y?_OKr+yBDrJ_6sjx#-3P
zKGx?ubj=ORe9N}D{FS?Y95z5Jzw+>wAHJ~usogwDt0%(?UXA;FlXK_YFn4mnmcEdC
zjn_XhXU=?2@<GT9$zz#Q@;%8upC>tTsVCKwzU7CnJiN?27y{D2w0Z~P%tzO5D*4(&
zJ?Ybu?*)=6@FcH&PG@Y*&&N8yJxk{=0qO8@+xhI^nLx*hvA);(Lf0PZ>3a6+`M!&Q
zG_OsMf1|Fau3F?tyoZ{lE9~id+^)Xv1v^hmT(>9C^I8OfmgF04GrxrER!b2zxkM><
z2j%XP;8GY{a)41R2C-7XIA{rsVhE1II6@pupa(8l&NW(vzP&_kwHozmZwbB>S&DpP
zNw=IYjg~Ij(o^)rHS;$&^c%-Rf9nf|ezG@oY%s0piZgwob$faeg|+j25*W7EJ_jbb
z=BBa4KYgLZU48cX56zTFrd56krzm7nm{NE-5WmS>&9nk+)iz^fFPw$!$pG2?fx=zP
zoEE=sZ(nG|nV!PR4fB0Hpsd$EH&>Na+m0oAHnpi;O-TfEb^e_jC4SkHh@#k%v|Y7~
zCHa2OEL**5G2g4UtR=lsyL`wJk|EV4&A#1RQfW0BEoXWf?warWFYtV?eGatWuDN*(
znluZv{ecDE3hc!`eC4zbD=q-j@a6GCB8EtjoK2A=Wsy!q)(}WG8a2V93A8T{Mtx&g
zF4_^ao^C60B-jk50-RxJMAIQj$slo(F~}-O^CXidO_J0|N+fB6bV)`an+BaD*)*9V
z$pIP7lCn%jND_RLNrfcq-V5-SK~e@#B}o7sNS35U@M8$RJka-eaK7)AdA@O*4f?#N
zS8eAF`1UtufqpBP#{0lDx?BEqdcf-r0H9xhqWBou!^VSV(zN%a=|QL5COb-^mF6JZ
zmO3~|R9d}`*a<jk!CyxFP^8(<#SM~7$RtTuJY`w%3s9EIGNi18X@_L{GRgJ~l9p7O
zCTnTOFt~Dy6lqcxKw}+7&PHRcoL~-$3Gg~X$)uw(Y(gY$j)c=JZHjCPjka?PtBMpm
z)i)GlDP%avS{XOPW!w_O>LQh%eorbQjb4!(He`tHWwoJ`=hz{qk~(E1G88GQEL*Y*
zNE9xPC^fIaPJv4s;BOt?EG9%%a3s(~wKz)DSX>+Ti8K3Zlp@NILpxa}Bg-+?N%6&I
zqb{aIhn2^Dan@<`1uk4I>4|hsPe5X-2ux}EJ=~poZibN+*evi=E31AsJ`#*C&xPF*
z9p3OBO<69Ppp1IQtXH|P15qAUz}%=Bz{|+iX(P*$cE{G`n9xyRnk(n3P9>ZwnUSG^
zHP{>>b9Kdlds(U)mdc7*qS8VvqRM_AGs2w?R96|u?WlDgi55e3m1+un66T9}IXXbQ
zVy+POH~JjTD&+`WNV`x7>So%_d@ZSp@j}e4ItG?dA*mK|`$~)E?Wo(u`UEpnqlpF-
zvMZy$qAH2H9j6CqmW%>BbAYYn#f(UeF^gt}oIqv^m~5~V7#u?ysw0vRM=Kpp5eg_H
zgMK+pk{CykeAPv$aIzQcCz^59tw)T0cu>mtQ~s1W&=9)F)N-k^qEeb4R|2MBx1l~l
zM~5`q#|AJgC?direyvz-TLc~$@JWa8GnJ&8>j$txTFs>8Mo`trQW0rdIX8*hnT!QP
zon$+egD|HSaKyS6>chD1!08&(9zeOSW>-q-x|Gu-qRsVlT_~1HSe6JDLlhMSfiAkh
z{!1f+bOeetgeWO>7)a-YUJD1d{`ql=5o5@xWPHkITPnqtMtMyhvM!mL>a$h4zQK;+
zRHKN>!-z{}rr%?%M7y9<b}pTu;#$Nma;7P!>P}?JW*K%!ZLm+#NN-p#0-K;j3ey>t
z9f?dGG!_+AV<a|OULOkjhLZPls_%bnof<h}Hg5pi0JNKhNKxRTWDD3xyq0SRhLqWc
zGs$SVpz^Y2G>9gz(*cEqXe3Wp1ANZ(>qEVpbnN<wbVPe-gz>B$$s*lkoU8;!y&$J_
z5_t+Q_GqIo_C#Q=)hg$TVpM7cpt4Y`XNPRJXu2h`BXyH}D{SWwjllFqG#(M17{m05
zVN7yM)z+xw78tt#g$X|-Suz(Jv=odQ<O&7Sb2ubdOQ{qil7z=&CDvi7fFnml61-O-
zJm$XuFn<|Di(Z?}{1e)$?LFrIWp^g?qlGc^@9J|`Z!wek9o}Q36eLkpmW^;C7ZRal
zB&=6E{UXb2aZIilwUS;1y0ILs(VRkZoSy~OE6XgfVv_nCBc;cTWXL385*9DuLDeY~
zo9(2P;A$>ZQbZy%AXTGfTTH^=t2cyl)24<*qimCCk|jtjS8N7j?x33vA%ceSZBb4T
z9Wt(_YMD~s>Y-7ggf*lRmaOAi9BNX{u4tyaMyClzkWm{+WSBLfQN>LLX*{p!DLo^Z
zM1xHQDFf9+6T$SM7D|Sa^==>*NjecaH}+Iyf&m_klD(Bldfpp+9d_7M)WkhBBWju%
zm1Ape8OIl|&x$YZTV`S>0C&6kpi`$oUvV*rFAngg@uWY@aNsi}&U<>zt)9e7ng32=
z+TJMf5>MjBh=m#uagr>AK*LB9I50puaR!i1PManjHqoVqEHm4YfN5hW^Izc5B$0Hc
zopJ;?!&+8zhHQ<LryVh!ZVw7o;Dq&3Bkz*shyxA98i|88Ot|t$tVQyl^|4Mul~J!x
z<kSE6$x+4}hMacL84w^O%mTwIUM%PZBETs}m1ejvL=x>1lIe;m0l2X7-!rUJ$3egV
zi>`nJTXOWzVeC2UL>%BOkad>q4F<V(%uHK3I8veYB2T!5W=2U@Tg5@M-o{lyX-BaZ
zk&tPot<>@KU>L>WqKfNmj<i5z(Y7kXlE3J>W?<BmkzB~l+OhzGE|O}EKp^9iCCV_m
zl;H(bMT!AV6_ANH9}b8VgqV}{oGBmq;s6W~DNDx5vXr($1;T`Cq}~Vw{q2swK%(&k
zPTGdr50$#zLA(~=39}r+%FWh56@$IVuvuwF`IcTrs@;C3>dJYVwF1GOKNW^k{-L6~
z4Y$d(VJDdj2a?H}LzqlCJir>MNEYZklEP*g!@?Gt%|?(|Ua6$ye7FVKR%V2S7@|V=
zQbo-#jqs7qR$M8l+exr?>jnrcqb#s_s+$K(!eD8y{eSIPUDgrdv14^NI@_r}2Lyxv
z*8^at20Y0)0JcF~1cGNIV$ZbUMy!BfUNC^>G~4;#bFw2gRKtQJyB%m&Q4KZwiqZ`P
zEGH`PaXI0~`cWpEYdKoTP4Z6L9||YYB*`T+Bbmr#+BDo?03{H*D<=a+J?)|c$u;$G
zn(nd<GRop9xx$3RctFcom2Q$VlMN_evtnv6M9RfZs7eOo92vsNq}m?k8N4tknr##Z
z;Z8TH<O5VN5!F!1VVeU4o_4Ykl^iD$U*OVM;&bbE+NIHQmjD46H>erGd>AfOkt|JM
zfwDg#R;l)&Cg#a%AaB%DJd|z~i#8w3vW+a1q61|tE#i%`$NU!q=C6X(&1<uB)p^U;
z{9?@fznaPX|7DGR$*#WD2mWCu^T*T#0Sz;_+G*t!wO8bAo)x=#v>`;~1O(#KGVF#q
z7NH3$nhF_lzUEK1tJ$a<>a|Plp<;pPJx$oUMNqL(7l+f)j9-Y+{)A&?w5nK5M%iRN
zPzz!WkiM0?@YNE*D&vdO=^HIG9U~kWR^xd|Rlm@yWd8+TB_~qFX-1Z((?E}v$KkF*
zF|s<_ldzari;g`>!Uf(%tpo2e)%QOZW(!<pHan41=}m%UXsRm5C_|<(Bwr!qY`&CH
zM|u+)LXlRq5;b9G02v9g*ECv#A(E{$h)mEW;!)8MnYfrumbEygB|7fN;R8gsY}Pw9
z%_!?}xfQR)RZvI~TBhwXwAx9A`6?gf#8eCwKnfA7b=+YvS>Q^IffT_NWvGg@;e-aF
zQnS%)N3@EF6XL?jO0vhaA*$L9vVF3EXo$1H`#@<&cFCm2G<<3ty0VlC7+K~6A_a{@
zTgH$zib~a}zMEi%l?>MDS`-CW{Vb0OXa;LBUW(H&%(_9D1Jf%Lupn&*rHSI~u-_{e
zjJ;J-s6>Y&saz*GG}=*dH`OA-e7cs56dV?d#iNc}>E@ye-|mvdN>uNX33r$zBTYTp
zuiBv?EQPC)J{441rV=w~2+G2Gp&crX6uul)tulj4nQAy{<T|d9iD9vJlcF+dTn*cr
zP!cV|^&5Sy-heW&+NwlTY}v>r;F?hCM~F<{^}Bd1FfvtwlAE&TrM@O843UCB8qpNm
zZ4@!U9KBHvVcVTdu?00py-e93OBThDR2G7CS4`F!!Nhe^3bGxtpkc9GS7n+^E?5br
zl0%Y;x&gB^kU}8I?y^y<BqP;AmF?z7N-&wFrA8^+9rC*F=B2P^hcvgR=f!NWpH0{4
zHeNO3CKgoDe%kgc8I$QEX*gc1<7QEbNAqg1>NW;t79W?0*lZGn$~36-43edWiwjt!
zRz(?wlM+ZJo3xX0w~`00pAU9pbj8n`cCi*r>vme|VyIe<1xHRKl4h%=>_9NgY6RD7
zB{n3J36@4V64bxEREVXf%28x9LqJ?dcUxH1)hr{G1L_G)bL57zL^WR5<Jplh2zBs^
zT*5kLK|}_K+eS<^0Hq1kZ4euR_{#zDZl?6PgGapgoI5jf!cKT${a?=mLHyc%)=d-d
zIzOnHUE)#sn=j7ybwC~8YqN8)xy4nBJ&AXgzEI+>zO~mJvr%HelQ^>q*K2{&NL=%>
z5b#sRJK?zANXmR9popk4w2C8~Za5KLQmjzgw(=&@W8#P=`mIJ)>{C!uH}l1Ku~vcG
zCJ4g<aZXYyiBemk8%8C>by$}jL|~~>GNg{JNkTkUab%c)+8`*6A{@d88AJ=X2<LZP
zkw|FppdZ#7d1oNP87yBbHN;jh#?i%MeyD5dj^8au`#m5C#Auq9PAROZx8(Ye9MN(m
zoUR1oP=;dII$H9F+(;TC1*yk(LJ;rNMY0k?lw7QgwxW7ZN)#$opd@vmZoxw0^@3hu
z@x&;s=L?o$_R{tUB?=Upb{uCg=;X1sA20P<RzY+N1DmhZSh_2WIDeb5MAp@qs6CL7
zN=@N;1NbH+sI{x2X_p5zG;R+n5twQ=grP%fAjD*ZPCsm*`iL!ektCJuG_v`qGt9Sj
z2bX{s3~9lf?q|EHY&1m;WdsSP@dA<_x@njUhs2D6r&6tCziT0o1yJOI5|P&uW!h5d
zD#e0SvsTmsMqG{-GQ1LG8ihUtsEEzPI~rv$3=BDVq#sGq;Z%d}_=En6D-`PC#sDV-
zP0rEP2n=%o@En*|L&zscsX2(^-5k}4c3W|?tsq#u-O_4W#fdfQ=BU{jIq{%VNGPL$
zCKqfXWaOFQNc7VkIp`uf)uW*BK#5eVbSQyaN|9%=k>1Z!N=w7gSgp~Ch6hwD<Oc9|
zl(ve@AX4sN$uifB4vd)77fns&{T7=NBMBpG>HUZ_K+;sb!KQ08Cg%(JbfOL!RuYS&
zNiGA&MyyZ=`CLN4yOp}yD<#BoDwnHtq>`5E$A>D#rx0>f48~o?4JuNBN7+s{gH>E3
zUBcyF)v&pmf|MH2C<ON^WJxC|p{-%E<b+%OzK{)~1TV$>#bG)NitJox)Xld?eom6(
zz%Pld80&Jil0nKMOrygDPY?SUx{t_p21!tw6W6d*BN0xvI>s;!_e516q(zYnnu8G0
zFhp5U(n-uBCC5s^<)%~YXKN%`*1OG8I_2ttrk)72q;_mb7X6~;#*?uEt-DTC&AQ?s
zM~-Gu8r*D3y>haO>V$}9L<bqg;eM%O4V*rkXViY#pQ$$O0cLhFL>^WZv6xM1Ig!Uw
zVH9;@^$nEPdSkxtn_$nwYqMiXUu(^69symxZe}d`*YlQ{#0_BI<HiEmE}7bSTX7kv
zA_S(Y2oB(0n#}7>&CkIFiNok*-GZZGs93SEw8;quj2A}9o?FFh1(6&W(?yb7c3a?k
z8C0dbHk%D6o?5k|r_9~2&SXR42Eeb60cF;{|ID;9>%ivXipxG@Lr)=<QipUi$pDY$
z=TR~NXV`eF1>0F8mBHmiMz7_nEum({8g8eZYj@LXC)0Dwu|}lSsjC%z7>4q_P9xqZ
zRcl?93>1Yb3o@JpMe7*JRw^YHv!JMrR?$)sO6C+jU^XM+9ASuDHA^cMBSKQ`w#7Jc
zDO3zcT)ZvgF{}k*{Xl@B#W*g9`ZbuX$1z7z8Z=rk!eX!;9%Y@Fu1kS%F_kRkpnSW}
zv1u#lYWY?ws0~WhQd(;<s#b53A!JyKIy_Uub6_7tt%|f_whTO?4)tuY3D$aoAu9z6
zZbDt6L6k>BW*EsAjLOJnHMJ6=6CE|f+X8H~!>QpAsmBs<SRbHBULmvshgO1llUJ~E
z4a!ygX4{WqLa~IJ(Gs3W4U%xd4mo5t%f`?E9WyF8r3MQv4&!nKHa}{`X+INGBUPj`
zWRqQ@&^BDNk<ME7RCR38J_~$@&GC)fY%81-SaZ8K@oT)zs7>~)|N7W6^J~k&#Q*wd
z>!&Av#dW|65B<yvYm|{r#`$_1)BOB!1PMX5U^UwPI03`{L6|}`5-Y@zQMlZQ(Ks)T
z5<yFdkdoe!al_PkX`p1uNDr;pIjBG-#6+<%9H1e8kxVwESj=pNLS`%8ajkr~$YA9`
zI@QVrEys+M!a;?B%&??_Erx_1EDAVM?S~S@o{CZ3HrYW+NM7of+jw7ZS{SRcsirO<
z5vGggWi1^;YfTJn`)M|WBhgGzt7N1|#7v=n76k9+sB9pumQjTR;kJTTSvFZ{cH>c+
z6X<Y-$hG)}k<Ot`-C%H75Nf$FiPa)TcK{*LT8od=dSWtDAF_o&2T4(lxEzd2d5sX2
zV3Y4lHPUV+LY*3~Vp4_78dkZH&mu*h4uB$Ty<Sgu_-r07G+QM%>Bj9^SMVbO8Xe^F
ztuzmpf&~UqdXzE(5Xe|t?HYC^imG%#&`csy73^}KDxxM>2HlRN@v$VM40}QyRr{<k
zXok!I(LwW7L+N&zieV>Fg3Z82l~6@4+mF<3lPtnuOO1_~=}fB(%2Tc}Xv38NQ!N)u
zCA>y*0**WRc+iYzb4V-EOZNICt<t(03uh6o-AcrCR-((fL7Wa}3$2{isTEo!wmJ0c
zO)+F!Tt1Bom2@FgNTu~oHQubYGb4Qn$I($u(N)OFgd0|$ipyfH8BVEY-Q??eG-c^Q
z)f~v7_9&vp1vz9w@c`N%_JXxcj+d1t8*8=WJyYjKs1O}+%&6;jW01dr(A7a3a;$iy
zQO^zI4TcwpQO4labiNY@8B(FHcaog~nFvLPI+v#^0>M@@22^jg6%u%F%-`~h&8*BR
z@-&Mw2QKhc0iAnoHjDa}uiD95O!w4gvgp^Azp(!0hrnXGBm4aHVp_Khu;_IN*x8-h
z{$E1Q+)uar#bVjEEB(fXJ@hC23w+=x#<<O1#lDqm?il-$i)XIlmmdPFc%`?BC2;a&
zgD?3RSjEfO1id8UF*n1MT(@f{TAJFi<p7CSJ2I>f<3%PRk6bMk;v_Z9lr=QwZ`Ywn
zIhMjgxw3BCu-t`;y}>ZM!PmWe@B-g$KtHd24w!3K?K}o%=UKq4d|~}7yLrG!pPdOI
z0Wd!cqR5nf5vCLFmcTw<eweIDTCnRdcCRR7i5eQtD0D~4aZ;~t(IqJ>Nf{@bjpe0A
zSqxK^c)ybfr+ToKK^tizZ+CKo^iZJaCS_Q}u%{q>LqzeB!9*NYuVbKYyK$0#5?J5^
z(f_!84r^=8onx%8nTho)y8)~}^00oWwGrzZ0M_J2tZ7Qfw>YKU8yJWwHJu^IlA27n
z6fdC7Y<W}%?4GxBNhsNj%NunGd~Jd6a-fUXK8Nf1t9BXVdhje<KLWTa9<CofI<3n(
z2H<+bMqF7EmyuBrQQS<q<a%{rq?X9AMzV=1*~l=2v}v@@v}<a3*se4yfqXZr22*K5
zX1c9Zh$?YnXk-o5kRHTxoK~v19WsnYsVR?h*&&<7@2)X^SI@#vS!Nz`q=(<={Arz6
z+yw9g=L|O3DoqnamQNrNvz?SvMm-#4cs3UI<F><cQEE8Eu&gD@t|}URXL`XF4_n~7
z8YF;Tn~mSxAFSHd)8)>u%*5}IBLRM=dHA7Uo7QC=3-G%M;CJwN-9%_nW-5^m6%O&W
zPC&5?O01BU6-*5kRSNs@0#*;2Sykz^ixgK%=7V%=n9^{w-K3kPWU4Ip#gH{XK%pp5
zrlWmWO_T~9v`{phq!dX>!BQ;-c8fr5t}qynW#f}M26aZQG92&38Ut73$)SS;#BSfI
z>t;poU_+&E@F6f$$(E6^=nC)xe5KM3DuP%hvc|BOa?wJM?bVC^S~oPrwS=6)kV4f=
zrvhDt_Jgn)6U{_WP|H@GEITrfhq5}yNLVh=3TkP&1y=lL+E94CQq1Y3igFwr&qcc~
zlBtwwgJ6VuG@%4?b*P0Sm6iq@M%aqk@n~QqXA!lXheftl36mK)ph!r(%hXF$p2sV^
zP;rZiBo`2e!HzDCD59GtoDz@4Mp@hF77@a7F~kkY0SLykMK9L=OdGn%3w5_t3D;P)
zLpTtO=HoJ#bX-sl;e<dZ;|PU_Yk}iH^$uC-Cvxcm*o}{&33q@MNhL;gxMaBDk49Cq
z>L%5!Wmavc(Jw1u$`AJ%*;KtBu4J?!6gPDwrx*AU<+P2woYfnqM5FvnY)FI)K@3iH
zdx<WWU?5zr#T*+GlSRBrR5EY~Q;1%jgN+!BWe_P*<5OHx2<qiN9fWH65Id^YJ9a(M
zF+yD_R~7ToNVrbed8!?Sw0bEc*U3yc9l#JOpR6%NQAnXSn0d6K+e%W_qF!lb6Ks0H
z!6-_na(t)fz?oK4Dd;kkMazz#HA8;j&U>~KRHGrt7`6NTgdm6wzBlBmZde*sOcWke
zT|L(5MZl?pEXGnyiR7#Tf!lDqT9?u>g&g5<S24@OdNM<_SP^#GZK>Eoi*O=7%14En
z+LSDzL^fg5r8;(@K!s8)QW}af5w@vvUFoVOsHsv$p&9EoA%8z>fyBlis9A*(*mWN1
ztu7hYqXBRzWK{3bHc60qauihi{Zv+nR*6ETLdls-rzE00A#qeg163%jnbyh$2!TWl
z2a9SGY`|_`trD#b)1nzq@ZA<erwu(RhRL*~A?@5qgK9LW7X~^h90idUVK`ZkNtCNm
z)?hV>g+bk<>UXt}VHj3jj}W<L5{vdT<0nk{F`61wi9C{sHb^v!nqh;gb;JP3T>IUU
z6)*#-XbwTMb+k1?>5bg=qr*4Lqj!&a^r~4rdfGDc@cRLG{rP)mOmo+Yn*ooqpYbRe
z98m4z5LBjkn(kUdqKIk5kQBCiRauh?JtGz?jkI!yfjb-h&|AwE_<jlYM7%beN9WzJ
zYBx`pI~L94(ZlZtJi6ZF(cdxCx~z);9=&;^RWf9NjODWJ{18;Z&|XVzr}8A<&RI3w
z9u}FRSgMENb|;i?6dEGca=^L~;CQ)Z%kd6ONk|adbRKCC@Ietf+ZwWgHaHy!V?#fU
zs;QCzldKb?x}(^L;>uNNG<3(O2R7<Kli{9(C9zyGZlwo=&9tJ>AU6ng`9hj1XM3Y^
zP_{|FYoT3bCLc3Qj%qh69Rl`KWUx0FIW{Y}g#d0+sfZqT1{yhvTLh8p5v*;;L(!2G
z;d@lSPsdb0RE$<<SRy!ohoQA0i<-U6&}GxQQ%@#F=}5(|6lj<b**-0z{z0z^CmZ9r
z`D_GK!mnrAYCg-<EhiNW=-o73>UVpDUQmOEWX1|zu?&YwZU-9|1wQ*vCI?fQV4@dq
zR0OiyFQ=J$y3dqrT0lTDAT7v5da|y_p;}v?g&Hjn#BO|80xUM@Qsq_w9pPNHWs{vy
zDM~9;HP_@vRXR|sR%ShuE)E+#DJWPWt<c8HfO9!6(>C#nBqzeddf2a(vjK`jB$Jsn
zP7-Q#0%SkiOOZ~2O&84&Mu}kOLaO%Dtzes1MY37qZMCP@XFZby8LAo}vz44sOv$)q
z$!biBg41Dktj?q1U_muQM3adbVr%9&V@w{>ki4Kba~V)j)m1&m<Q1zY3S~vqh=P<!
zmGz)iY2_WYswP17-3cNkeF)gSmx*hmZltaVMj1s)?S2JUT$5{d6G}&`CBqhH7o-Lg
zCFoSA1x5UTRisR%CK17y0+aP*dNgb!oqj5+=s|zn%~n8>G@7kctI1p$>llNi$#HC?
zpg<&nG|f^F98s<GgTYuT%7*YL-w4-6W!|mi{Ka6&5uz%@O9e5SE44(sz6k@;WWuEM
zD1=1<H9J@_0LP`{pg>VGL9HcdRFbJ;w3~~_8JzXcLY2v&c1BIw6{_Cu+07o7vcXoS
z!3XI00JTUys&=)smBy-MZRX0Mfu^h~3<MJiG<1f`mCM4Y%+|veU2JKsax(``Nb+VY
zY^8fM=YuAj#X{FC)f)}T1P3j9wKyTmc(l=R6{wKuh~Y5eHx*myYWz&=VJJLMQi%dc
zVWLh13B<@~+;3=|AvoVz5DR9vFTnYZA2K^;08LcGxs+)%np)S=sw7m2wa59+XDf#+
z6l-F&jZ;ur#rQnWrYojhD1)4mPKXFv7%E`n2-GBtc626c3<XToZl!v{s9UgGNiC?B
zivo$I%Do&64vmC}c#lkm3}x7q2XMPK%<x)52>Szk1}C$r1};wV-n4fK6<|3&8iEN&
zkRB+=$Xv&+nH<!v)Oxj2v0bk9BZic(3579|-uB29^a9^@pcv@2*;&rS<eFcOy^EKz
zZBiF{W&JXf<pHCA@Y2RZ$}4UG-X*fpyF}?)#%;qy7LL_wv0^Hq*0C}f7V2_lSjg2=
zRjg;^Vjz7Bqrr;ZwKJoh88<@da3KoTB9rOi=~y8WNq}?7Wus%~2Bm=+;38$IZ?Hk3
zV1`^pLNk2{ccMrEqw5JqXZt0XQ_&zR;_85~^1aGPw-T*ra+G3_YOWlYA_1qQa#_qU
z9k&+1F~n9}e<Oqja1^D&rP3hgcLQKIO=NJ><6{q>1K1hfcjj4qYt@%LeC|oj^mr`)
z!unUw1Nb~a$QwN#2Rz;_z-Bhg6&>w~jSOwu>0*@2x@k)8)N&jo!r%zbAjWp<ez_6K
z6T&DN8{3Sh%L$Pgy39C_=Cjt^GoGuT%$%!NK_!{>vi}c~=S=Ie;#M$M+{U@0DTC`q
zg;p!X7jy(FGvufek&^^1Sl|Rw)*2LL2FB`DYS@cx)TPJGs6@=fW#y{f$G99e3m1^-
zzxt?$%e&v6)@2<JaJh9OE)0d?!BSo92K>c*K}zIGLK4ObX0Z^6qEb~;qj^$=Ds?Mk
zFtj$%Y>L;70cI(*kxE;9zF6EaZ!3fu`pv{@<(glOvGO(&H?iwi9|c%>h3*fYK5kmS
z6~6#j@f)#Xm`c>obc-z|9FIGeY}W^s67cV3q%0?$N*#9cJk-opN+UfxN?GMJs#f5%
zT1|!BEJA^8vguucQ=>EVn~mQdWBd-Ch2LW@tbc7!55L;$)B3Fw0Diyt3_oxXp^lH(
zLX)#0J01woW`)Y@?R;D8(TOq=^1Jz{>re1uD;ddH-KaS#*6UT5kO{jjL=nf>fZvm`
z&Dz?%WBk_6#P78|mzj~hJp8_tn$~ZOA2_Z&oxM{8i_{~dR=uUSRE(*Yoj%_gRU7^S
zlaFTvJrrP);9x^N6CyX-+8<Jztt#y~#%kM{SVi^%SZN+suOZXAtc%USDne?beh|-;
zaz=>KLsTP#1)yP)>t?fbfk}{|&QQrTGbGZF=t`NQ*f^<$b%<`Ga3zy7P)w;qwRpVh
z)=V^JJ2nS)<J6&<=rsET7UmMjprp%D(Jz(qqm6t^XBKSc?%2dqZ!BzQ8rM?}e{yx@
zdDkoXjqi@>=Wcq#YsDR2|MU&7V`fU8X;Fvze4gab?v6dV`jo@Zm*y=4($DhljxBm=
zQ_1V%0I55sC0_s}Z>H*apC|e9v!`{Qy6^Uy25jL%&lc_hmyR}69q#~ZDYnrT7}5l{
z3;c=pD2@#gK9DR4Zon<683~UKENIZHF?o$Eado0cc0@_4FtsY59>o*c3Wv*(lCn40
z>fYLdO%DysT<h3GV2tT-TE7jLo&`ovf<ps#@9`P>#XY7y@8|`-8v(Xno9z{SKc0Zb
z66buOL~vILdSIi(yTFL!JI|T$wSa%E&zVRrZ*F(M<JVkzz<H<NddJ)cjh(jYUH*f)
zM;dWse$iR{cksNg`zFCf!?2I=o$Ncwhx@+m+u66+x1|sDA-;>jWjof#_yWH3eWY(5
zxSqI^ZwKE(-;TcRftp+R=J-AZkD2S+cj}(vBVZK&{b7nL7kQ)j{zYIE<6B=FEP|{&
zzhWN1rQ6F*k78W{Si@Z&E}v8vZ01VSmE)Uf=X+P_zEI*#*^LrqPojqlKI!wpQ@C7o
z>|~Gn;YGx~2W98K7g@UP4R7vlT=w2M?E3F5F@SOUd<((o!1%!Ez<(~>b1UD%-Fypo
z_D${%t(@EiS~+p|>N%4Wlaq5pXTNX)v}lWkUp<jO@t=z(Cg#oaL49};wAB`K(sQ?5
zJlDHn2rq`V_g-$bc+069glgID!Mi{^O?7T#SDWodnI;b&UrL0xfwrD{V_u_G%s1d2
zpzXZZa~3a*f_raD)hX9E=?lXl97Vzy2JN-WA{c?f2n2h5!Q6(IFoa_v1kORnf9HQh
zuT6DD5j2FN1PmRqDP|M%d~;$xh@T{V58Zs$36odfbjl~oUioCvna|fAiyadA!@MW1
z`SM^_o(&)0UZ1-D&Fv5WjSyeD)Od3t_vsZRpE~1L=RETJ$G-mLRv&(A{v?>@iOaqM
zeHmJ^#RC5pU^?bcY%?+O>D=w1ZNVeA0$p<_zL%Vsm{_=}24L3akiOJ$*YEtpQ$JZk
zE&OPYEq8qAyb~`v?SUH#li!Uz_vtbya=o~AaLrp8B((VPpB(pWKX@m%<>JiQ^soPN
z#!b-uZ`{(^=1t!u1gzsAU>)aeu#Vt$o$Y2l2g?7;XJHdd2w@1A`q`H7KV+c)-K5|6
z;U6#mv3kiR>@oX2z4yaUU8J6S%1MEXqoeq@f3p86hvL3fKRPg+`bc<DTl|;KZj;9x
zxYtF`-TU14A0>``uoN_I`@>JCCVd}hZ)ne%lMYrAwB>ZyP7||cV$Si$`wp6adg@zG
zy|d@O6Qg5aeWmvPb)kcvU3UH4H(r18)!T0Vbnp9*eDkC$e)#u?UwOQ9(fi-o>x5^Y
z{OTK-gB~;Y+5gk4zQsKwf4JiXj~wyWZ7yjacImN)zW3HU+dcd4C;Ks(J-68U^mli;
z`Gr6JGk^Txz{@XXx48YX*#6qmL$+Q2%b)ME^Lww|@<3<rhu^s1y1)A-d0;XOFqvzn
zOlD$omX?tIe`YVcLAy+`$95ZTFDqlVSwfSWnh6R+sAneVm_I_}m;Wy;_4rFS9WEdO
zkNH>D7Wfu;yC+`TaNB+Qw)dP5t{mSWzVPvx%)jN!V_yPp5Mx)(Wd1qFpXLMHHwk9@
zwr{`j^{+kn;IS7U{GZS6es=WEPcNP1_qbuvho^pL(TV2W*53|2=D-i{l%9TTi^GmM
z^X+tXt1P{I>tl|>w*6$`j*qT*<dK~|PJZ=Q=T0(z*>Ue}f40@fW#d~vyYJiY_iEt>
zrEBjZAN<A1+nl=VHt+lX{_+E>-?#p`&)RQgc7E_tVcp#?{U-DDYjZFD_~%oGx)bF2
zgM~+*$WNU39yKvBckZ0Yxo>TXgGWa|-80v%@0#@&R$X!X@BVP((E;M)H%~*BRPR8)
zG#PkuCBr=)-J^T=2S*F~<J;Z2;)JdLs+|&l4!ieA<;oLNiQmt^uCw(u-SQH3(c{(|
zD~|YhS8?TAJIHTLu0P|2m%p>pe&fk+tle>K4SnLBdtZEOhwIl}qV9Lp$p-{Z`(;0K
z^8IIgh5qv=U%&Z$-=qVK(+0-*^ptTf^u4m`@y^LNo-WSP_WzBM!UTeNMjC>`o{Jm5
z{1-m?bGEsOCEfhTwI7iuUXniag73w9JFh(IKlW_j$uFAx<LV!NG|0byjCS=$2c5G7
zLLNT)pXVR6(`i>7dfnci`rX~WdYZY{5jPyL6#4DebMOD*?&#KEdFAlO|Fp+h-({}3
z-|lUB`qgj0^zMCw<&W%g?%DUEldHCQ6F%UzXHNO<CBMGzwU%_uhxFQIg>`F|PTYR}
zQ&X12LNv53SlxRr_FUXNXb$)RI1qGfGk52?I~KQi?bqAx^1DA>`QqF?3-6Kd?b{!&
z{+#9c=Fgf-&+-mE>4Ek8{@|RuZ~BkR-~aWO4*h$7-$OHREna!*{#!qH&Dp8FF21Yt
zj&}7N`&VzxyQpiO^2i5Iyjj@!c{jf7xv%<ec>FZY`oS{~?DOn?;b*r!=e$#Yb9CkE
z`_*f=yy9pwolxGr_vGFKA3gfg(wxxK)R&GqmvOgP^q<I{Hy^drFAo3NpVz%}!r>EC
z$&1z&E%N#1ff&o@+Xh6&9xvPscwv(mb9U?vk0a&5%t(2~yz`|kUj{MecdYZKd11vp
zAX1h+i8s|ZD-jt>?0;V3HtT@I)wP>HFY%WCjHq>nj`N<LKs||vKm6ZG<iEdB;(eZu
z0EaC;-O9JchrTV|`*(D)`SADO(Z#=`i<wyxv^fU<cP#MlSYTG-y_ryXbCv{R0neBG
z8Zdtmcq^~XuH#ImCoqrsX|H-et^!Y0hK{@Dd<pmxaF6fJr)Dz$zoUzPZFCXY&ij0-
zWf#!yK0lrR#{1u%+~cfgp4{Wy!p~p5`kb}@S!B=sPB-}bqaNGpkHqA<M~*#Vp78TS
zPCV(U#?rsLSDkDe{QfoXe(#XngVzVVKqa#6SXA(}W8d3x^(`OoP-+In++nBuCHug=
z*B@Um{n@|p#>dWE!ymcs=eK-x?vg75_cPp^Cr}UW&a^+e{d+qs)_)#-{-)En{o{^a
z>0-hY_>~=fzOCOn?BV&>-FC&9KYs3#yYdI#Z2sfUU;OqL?qz$gtgQd2`|<Jnc_#OJ
zU~-!TL^I2<*p=f?{rUd+z~nY5k!`cC^8Ct2K=^WL;gxBVTc?5&*?peG*l`PdNpN)A
zYoANKs4K^xCUMb8Unp@`-=$yQxb3qp<4FXAnS64tZ}LAu0Oy;0?D@a_a>u`HUtD{D
zR`OkyJ>rO0ZhIzu+k@L}`{r4X`FEi9yK>D<)qN+^yFYmADWl|7PoHzg>8<$}K6&v$
z{rStTe{9`r-<Wr-vqnt3@V9>qw?Ff|)<=h(Y8-s=>#Om5@FTzf7QfGJcSro)iA(?M
z>;wOF-tFIfD|XECpWb=ni{JdmKmS+=W$wM~h!5spp}u_X((ms1;W4e(b2rOBIbgv<
zZ&?qmzbkf?a>_rROD%r(^u?_c4s(C|-ar1idd0+UM?Uelt9IS@b!^|cXI}~}_q_%m
zv+^(hIPa+7ef6z>@W7dGSB))SNFBQN5#!9k4<`@#*!ZbG*xu<Y6AxRzTf5)E&9A1v
zPCRhQxzNL3{sTHU`>WqC*>~%;J6OMb_QQRie`xWA>q3tCcJ%t~-n;+%3tvC|#w)(L
zf8&t&eSi5||LO<+cI4ah4&41a(&DSzqfdgh^%veG-&3mTS01qCeJ8eGoOgHnSo5r>
zFWLL-?+Pp6(<8|@e*dm?M(EIQyt<ot*%g0Zxa!`(FH>JR)OzO|`!Dz?FuD67$3FGU
z2mI3y{O0_duKg2}EBE#$AN%{-o!(o%!zarRKW6EoJ>LEG56_#k-}4Lc`}lXR#c`37
zUaimnjT|f=b<lmk{hqkP33hb{a_Rk#p2hEn46a0;`tx<l_D6s1syiNjYPXE?A3tKg
zzw}IW#nPRLwckEv$I0(~_oXw>KjPNIKX_~3{3{DTx@+=E^!@uEdGemvHjmx*_6K%o
zfA_&tF1qTT%yorVKRoik-g_5cy8Myd_PpXk>hQlEaS2^N`NkKmPrInR+Y4t$zDXbV
z+G&~A4fGjT9f59t=D9yEV8e%=*x}0hKli%x0DAti>Rm70`!f0dUH9G&oj3W;DdZ<#
z?j3#inX9vpz&|k`Klzk<RtEy3?eE`f`L0(zbn^w<W`6eUb}#Kw`%dclZ9a%EeCO?x
z?$jLanWMk-?(VnWJ@=B|-0=3BcZDwd75>7TrMJGj$E|m-e>W}ez1KGnd-%7%yZ1LY
z4Y(gP&P^?TA%5}vvv0S4b7|^=ch1<F5-*EBwcD%}`@0+dc=2CPcw%|{v=7fc?}slk
zM;_{&_3?S+Estm6`Oi4-jz4toFW+9^I|3{Qug!K6zQhDRPB`?LPGaRF=S$n)4xGe|
z2b?&)Vplu}(u2${fGl=`UO(ogQ?J6_+r6CM<@DC;Tg~YOzOuqw%l?yQY^BU(hn1`L
z@}70i*QVF<)Cc@UE(BXyKk~M+&H-81)K<zm9jxU$KHK(VA|o=HX+TXS4R))lk!psP
zifMinYKB`OE!$0I(wS_m8mq<Pay_BO!&N(0bB7$%G*Y7?-trDmdHVen=%)Z2yf&L_
zeC(Awc=~;R)wF(7TL#<T4%q7@px>p^6*KgEun0beuU9TD0VVQr8GZbSWv6VGAQz7x
zan7tqJTiX7_P$GxTD$QPSpdO<p3--nwpmd39)lX5mbd}bzfObtYjmT;+)PlZc7}#h
zaumW*)9UdQMbLwW+RYEN_Q1kwema<=i|zKP%n=EuO$P?x3PDZd8zMO68XqZn?{tQz
z-~7{OjCe-=>BA<1o_@3U{8qjM4D8Y4w)fq5)MqF79s&lYdlHw-lsMCjuq$^QW9aS3
zZQ^9Me-vQoW!;w^b@_}DKjcZ={*2A(xMsa4@$%<@#7*|gU;EKAlf!_-4;GNq5?4Gt
zt>f2MZ&u>{V~Njxp~UTh#IJ9Z_{c_yKb;|Q)~Hu4@g&}J;`FGe=9$C5JYNBDd}6`!
tX^HEO2J`%gH|p~BGbGNMnKciLb$n))j#q$D<Ks~;otC)bcR<IZ{}*ryjrjlo

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/ftp/bad-adat-encoding.zeek b/testing/btest/scripts/base/protocols/ftp/bad-adat-encoding.zeek
new file mode 100644
index 0000000000..282c12bf6e
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ftp/bad-adat-encoding.zeek
@@ -0,0 +1,2 @@
+# @TEST-EXEC: zeek -C -r $TRACES/globus-url-copy-bad-encoding.trace %INPUT
+# @TEST-EXEC: btest-diff weird.log