Fix reassembly of data w/ sizes beyond 32-bit capacities (BIT-348).

The main change is that reassembly code (e.g. for TCP) now uses int64/uint64 (signedness is situational) data types in place of int types in order to support delivering data to analyzers that pass 2GB thresholds. There's also changes in logic that accompany the change in data types, e.g. to fix TCP sequence space arithmetic inconsistencies. Another significant change is in the Analyzer API: the *Packet and *Undelivered methods now use a uint64 in place of an int for the relative sequence space offset parameter.
2025-10-12 03:28:19 +00:00 · 2014-04-09 13:03:24 -05:00 · 2014-04-09 13:03:24 -05:00 · 2b3c2bd394
commit 2b3c2bd394
parent 2f57c26d5b
75 changed files with 1627 additions and 1540 deletions
--- a/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log
+++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log
@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2014-04-09-16-44-53
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
+1395939406.175845	CjhGID4nQcgTWjvg4c	192.168.56.1	59763	192.168.56.101	63988	tcp	ftp-data	0.001676	0	270	SF	-	0	ShAdfFa	5	272	4	486	(empty)
+1395939411.361078	CCvvfg3TEfuqmmG4bh	192.168.56.1	59764	192.168.56.101	37150	tcp	ftp-data	150.496065	0	5416666670	SF	-	4675708816	ShAdfFa	13	688	12	24454	(empty)
+1395939399.984671	CXWv6p3arKYeMETxOg	192.168.56.1	59762	192.168.56.101	21	tcp	ftp	169.634297	104	1041	SF	-	0	ShAdDaFf	31	1728	18	1985	(empty)
+#close	2014-04-09-16-44-54
--- a/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log
+++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log
@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	files
+#open	2014-04-09-16-44-53
+#fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted
+#types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string
+1395939406.177079	FAb5m22Dhe2Zi95anf	192.168.56.101	192.168.56.1	CjhGID4nQcgTWjvg4c	FTP_DATA	0	DATA_EVENT	text/plain	-	0.000000	-	F	270	-	0	0	F	-	-	-	-	-
+1395939411.364462	FhI0ao2FNTjabdfSBd	192.168.56.101	192.168.56.1	CCvvfg3TEfuqmmG4bh	FTP_DATA	0	DATA_EVENT	text/plain	-	150.490904	-	F	23822	-	5416642848	0	F	-	-	-	-	-
+#close	2014-04-09-16-44-54
--- a/testing/btest/Baseline/core.tcp.large-file-reassembly/out
+++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/out
--- a/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/weird.log
@ -3,9 +3,11 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2013-08-26-19-36-36
+#open	2014-04-07-19-37-09
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1153491909.414066	-	-	-	-	-	truncated_IP	-	F	bro
 1153491912.529443	CXWv6p3arKYeMETxOg	192.168.66.235	2582	166.161.16.230	502	binpac exception: out_of_bound: WriteSingleRegisterRequest: 4 > 0	-	F	bro
-#close	2013-08-26-19-36-36
+1153491920.661039	CXWv6p3arKYeMETxOg	192.168.66.235	2582	166.161.16.230	502	TCP_ack_underflow_or_misorder	-	F	bro
+1153491929.715910	CXWv6p3arKYeMETxOg	192.168.66.235	2582	166.161.16.230	502	TCP_seq_underflow_or_misorder	-	F	bro
+#close	2014-04-07-19-37-09
--- a/testing/btest/Traces/ftp/bigtransfer.pcap
+++ b/testing/btest/Traces/ftp/bigtransfer.pcap
--- a/testing/btest/core/tcp/large-file-reassembly.bro
+++ b/testing/btest/core/tcp/large-file-reassembly.bro
@ -0,0 +1,22 @@
+# @TEST-EXEC: bro -r $TRACES/ftp/bigtransfer.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff files.log
+# @TEST-EXEC: btest-diff conn.log
+
+# The pcap has been truncated on purpose, so there's going to be large
+# gaps that are there by design and shouldn't trigger the "skip
+# deliveries" code paths because this test still needs to know about the
+# payloads being delivered around critical boundaries (e.g. 32-bit TCP
+# sequence wraparound and 32-bit data offsets).
+redef tcp_excessive_data_without_further_acks=0;
+
+event file_chunk(f: fa_file, data: string, off: count)
+	{
+	print "file_chunk", |data|, off, data;
+	}
+
+event file_new(f: fa_file)
+	{
+	Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT,
+	                    [$chunk_event=file_chunk]);
+	}