Merge remote-tracking branch 'origin/topic/timw/2914-truncated-tunnel-plus-things'

* origin/topic/timw/2914-truncated-tunnel-plus-things:
  Address wire/capture length feedback
  packet_analysis/TCP: Do not use untrusted len for DeliverPacket()
  Add regression test using pcap from GH-2683
  Add btest to test Geneve->VXLAN->Truncated inner packet
  IP: Update packet->len with accumulated fragment size
  UDP: Forward any remaining data (also empty) to session-analysis
  IPTunnel: Compute inner wire length based on cap_len differences.
  IP: fix weird name to not be ipv6 specific
  UDP: don't validate checksum if caplen < len
  PIA: Modernize how struct initialization is done

CHANGES

@@ -1,3 +1,44 @@
+6.0.0-dev.654 | 2023-05-25 20:01:37 +0200
+
+  * Address wire/capture length feedback (Arne Welzel, Corelight)
+
+  * packet_analysis/TCP: Do not use untrusted len for DeliverPacket() (Arne Welzel, Corelight)
+
+    We should not be passing the untrusted TCP header length into
+    DeliverPacket(). Also, DeliverPacket() cap len parameter should
+    be the capture length of the packet, not remaining data.
+
+  * GH-2683: Add regression test using pcap from GH-2683 (Arne Welzel, Corelight)
+
+  * Add btest to test Geneve->VXLAN->Truncated inner packet (Tim Wojtulewicz, Corelight)
+
+  * IP: Update packet->len with accumulated fragment size (Arne Welzel, Corelight)
+
+    With packet->len representing the wire length and other places
+    relying on it, ensure it's updated for fragments as well. This
+    assumes non-truncated fragments right now. Otherwise we'd need
+    to teach the FragmentReassembler to somehow track this independently
+    but it would be a mess.
+
+  * UDP: Forward any remaining data (also empty) to session-analysis (Arne Welzel, Corelight)
+
+    The protocol analyzers are prepared to receive truncated data and
+    this way we give analyzers a chance to look at data. We previously
+    allowed empty data being passed: When len ended up 0 and remaining
+    was 0 too.
+
+  * IPTunnel: Compute inner wire length based on cap_len differences. (Arne Welzel, Corelight)
+
+  * IP: fix weird name to not be ipv6 specific (Tim Wojtulewicz, Corelight)
+
+  * UDP: don't validate checksum if caplen < len (Tim Wojtulewicz, Corelight)
+
+    This may happen with truncated packets and will cause asan builds to bail out
+    before the packet can be forwarded along. The TCP analyzer already has this
+    check, but it's missing for UDP.
+
+  * PIA: Modernize how struct initialization is done (Tim Wojtulewicz, Corelight)
+
 6.0.0-dev.643 | 2023-05-25 09:03:40 -0700
 
   * btest.cfg: Set HILTI_CXX_COMPILER_LAUNCHER based on build/CMakeCache.txt (Arne Welzel, Corelight)

VERSION

@@ -1 +1 @@
-6.0.0-dev.643
+6.0.0-dev.654

src/analyzer/protocol/pia/PIA.h

@@ -60,29 +60,22 @@ protected:
 	// sequence numbers for TCP) and chunks of a reassembled stream.
 	struct DataBlock
 		{
-		IP_Hdr* ip;
+		IP_Hdr* ip = nullptr;
-		const u_char* data;
+		const u_char* data = nullptr;
-		bool is_orig;
+		bool is_orig = false;
-		int len;
+		size_t len = 0;
-		uint64_t seq;
+		size_t cap_len = 0;
-		DataBlock* next;
+		uint64_t seq = 0;
+		DataBlock* next = nullptr;
 		};
 
 	struct Buffer
 		{
-		Buffer()
+		DataBlock* head = nullptr;
-			{
+		DataBlock* tail = nullptr;
-			head = tail = nullptr;
+		int64_t size = 0;
-			size = 0;
+		int64_t chunks = 0;
-			chunks = 0;
+		State state = INIT;
-			state = INIT;
-			}
-
-		DataBlock* head;
-		DataBlock* tail;
-		int64_t size;
-		int64_t chunks;
-		State state;
 		};
 
 	void AddToBuffer(Buffer* buffer, uint64_t seq, int len, const u_char* data, bool is_orig,

src/packet_analysis/protocol/ip/IP.cc

@@ -93,7 +93,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 
 	if ( packet->len < total_len + hdr_size )
 		{
-		Weird("truncated_IPv6", packet);
+		Weird("truncated_IP_len", packet);
 		return false;
 		}
 
@@ -205,6 +205,8 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 				}
 
 			packet->cap_len = total_len + hdr_size;
+			// Assumes reassembled packet has wire length == capture length.
+			packet->len = packet->cap_len;
 			}
 		}
 

src/packet_analysis/protocol/iptunnel/IPTunnel.cc

@@ -172,17 +172,29 @@ bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt, ui
 
 std::unique_ptr<Packet> build_inner_packet(Packet* outer_pkt, int* encap_index,
                                            std::shared_ptr<EncapsulationStack> encap_stack,
-                                           uint32_t len, const u_char* data, int link_type,
+                                           uint32_t inner_cap_len, const u_char* data,
-                                           BifEnum::Tunnel::Type tunnel_type,
+                                           int link_type, BifEnum::Tunnel::Type tunnel_type,
                                            const Tag& analyzer_tag)
 	{
 	auto inner_pkt = std::make_unique<Packet>();
 
+	assert(outer_pkt->cap_len >= inner_cap_len);
+	assert(outer_pkt->len >= outer_pkt->cap_len - inner_cap_len);
+
+	// Compute the wire length of the inner packet based on the wire length of
+	// the outer and the difference in capture lengths. This ensures that for
+	// truncated packets the wire length of the inner packet stays intact. Wire
+	// length may be greater than data available for truncated packets. However,
+	// analyzers do validate lengths found in headers with the wire length
+	// of the packet and keeping it consistent avoids violations.
+	uint32_t consumed_len = outer_pkt->cap_len - inner_cap_len;
+	uint32_t inner_wire_len = outer_pkt->len - consumed_len;
+
 	pkt_timeval ts;
 	ts.tv_sec = static_cast<time_t>(run_state::current_timestamp);
 	ts.tv_usec = static_cast<suseconds_t>(
 		(run_state::current_timestamp - static_cast<double>(ts.tv_sec)) * 1000000);
-	inner_pkt->Init(link_type, &ts, len, len, data);
+	inner_pkt->Init(link_type, &ts, inner_cap_len, inner_wire_len, data);
 
 	*encap_index = 0;
 	if ( outer_pkt->session )

src/packet_analysis/protocol/iptunnel/IPTunnel.h

@@ -83,13 +83,17 @@ protected:
  * builds a new packet object containing the encapsulated/tunneled packet, as well
  * as adding to the associated encapsulation stack for the tunnel.
  *
+ * The wire length (pkt->len) of the inner packet is computed based on the wire length
+ * of the outer packet and the differences in capture lengths.
+ *
  * @param outer_pkt The packet containing the encapsulation. This packet should contain
  * @param encap_index A return value for the current index into the encapsulation stack.
  * This is returned to allow analyzers to know what point in the stack they were operating
  * on as the packet analysis chain unwinds as it returns.
  * @param encap_stack Tracks the encapsulations as the new encapsulations are discovered
  * in the inner packets.
- * @param len The byte length of the packet data containing in the inner packet.
+ * @param inner_cap_len The byte length of the packet data contained in the inner packet.
+ * Also used as capture length for the inner packet.
  * @param data A pointer to the first byte of the inner packet.
  * @param link_type The link type (DLT_*) for the outer packet. If not known, DLT_RAW can
  * be passed for this value.
@@ -99,8 +103,8 @@ protected:
  */
 extern std::unique_ptr<Packet> build_inner_packet(Packet* outer_pkt, int* encap_index,
                                                   std::shared_ptr<EncapsulationStack> encap_stack,
-                                                  uint32_t len, const u_char* data, int link_type,
+                                                  uint32_t inner_cap_len, const u_char* data,
-                                                  BifEnum::Tunnel::Type tunnel_type,
+                                                  int link_type, BifEnum::Tunnel::Type tunnel_type,
                                                   const Tag& analyzer_tag);
 
 namespace detail

src/packet_analysis/protocol/tcp/TCP.cc

@@ -130,7 +130,8 @@ void TCPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 	// Call DeliverPacket on the adapter directly here. Normally we'd call ForwardPacket
 	// but this adapter does some other things in its DeliverPacket with the packet children
 	// analyzers.
-	adapter->DeliverPacket(len, data, is_orig, adapter->LastRelDataSeq(), ip.get(), remaining);
+	adapter->DeliverPacket(remaining, data, is_orig, adapter->LastRelDataSeq(), ip.get(),
+	                       pkt->cap_len);
 	}
 
 const struct tcphdr* TCPAnalyzer::ExtractTCP_Header(const u_char*& data, int& len, int& remaining,

src/packet_analysis/protocol/udp/UDP.cc

@@ -109,7 +109,7 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 	auto validate_checksum = ! run_state::current_pkt->l4_checksummed &&
 	                         ! zeek::detail::ignore_checksums &&
 	                         ! GetIgnoreChecksumsNets()->Contains(ip->IPHeaderSrcAddr()) &&
-	                         remaining >= len;
+	                         remaining >= len && pkt->len <= pkt->cap_len;
 
 	constexpr auto vxlan_len = 8;
 	constexpr auto eth_len = 14;
@@ -225,9 +225,8 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 	// detection has to be used.
 	ForwardPacket(std::min(len, remaining), data, pkt, ntohs(c->RespPort()));
 
-	// Also try sending it into session analysis.
+	// Forward any data through session-analysis, too.
-	if ( remaining >= len )
+	adapter->ForwardPacket(remaining, data, is_orig, -1, ip.get(), pkt->cap_len);
-		adapter->ForwardPacket(len, data, is_orig, -1, ip.get(), remaining);
 	}
 
 bool UDPAnalyzer::ValidateChecksum(const IP_Hdr* ip, const udphdr* up, int len)

testing/btest/Baseline/core.reassembly/output

@@ -19,14 +19,14 @@ flow weird, excessively_small_fragment, 128.32.46.142, 10.0.0.1
 flow weird, excessively_small_fragment, 128.32.46.142, 10.0.0.1
 flow weird, fragment_inconsistency, 128.32.46.142, 10.0.0.1
 ----------------------
-net_weird, truncated_IPv6
+net_weird, truncated_IP_len
-net_weird, truncated_IPv6
+net_weird, truncated_IP_len
-net_weird, truncated_IPv6
+net_weird, truncated_IP_len
-net_weird, truncated_IPv6
+net_weird, truncated_IP_len
 rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfOOOOOOOOOOOOOOOOOOOOOOOOOOOO, nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfqkrodjdmrqfpiodgphidfliidlhd, A
 rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], dgphrodofqhq, orgmmpelofil, A
 rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], lenhfdqhqfgs, dfpqssidkpdg, A
 rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfOOOOOOOOOOOOOOOOOOOOOOOOOOOO, nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfqkrodjdmrqfpiodgphidfliislrr, A
 rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], iokgedlsdkjkiefgmeqkfjoh, ggdeolssksemrhedoledddml, A
-net_weird, truncated_IPv6
+net_weird, truncated_IP_len
 rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO HTTP/1.1\x0d\x0aHost: 127.0.0.1\x0d\x0aContent-Type: text/xml\x0d\x0aContent-length: 1\x0d\x0a\x0d\x0aO<?xml version="1.0"?>\x0d\x0a<g:searchrequest xmlns:g=, OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO HTTP/1.1\x0d\x0aHost: 127.0.0.1\x0d\x0aContent-Type: text/xml\x0d\x0aContent-length: 1\x0d\x0a\x0d\x0aO<?xml version="1.0"?igplqgeqsonkllfshdjplhjspmde, AP

testing/btest/Baseline/core.truncation/output

@@ -27,7 +27,7 @@ XXXXXXXXXX.XXXXXX	-	-	-	-	-	truncated_IP	-	F	zeek	IP
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
 #types	time	string	addr	port	addr	port	string	string	bool	string	string
-XXXXXXXXXX.XXXXXX	-	-	-	-	-	truncated_IPv6	-	F	zeek	IP
+XXXXXXXXXX.XXXXXX	-	-	-	-	-	truncated_IP_len	-	F	zeek	IP
 #close XXXX-XX-XX-XX-XX-XX
 #separator \x09
 #set_separator	,

testing/btest/Baseline/core.tunnels.geneve-47101/conn.log

@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	47101	127.0.0.1	6081	udp	geneve	1.025005	25684	0	S0	T	T	0	D	24	26356	0	0	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	192.168.0.107	45474	145.40.68.75	443	tcp	ssl	1.024744	781	23111	SF	T	F	0	ShADadFf	15	1569	9	23587	CHhAvVGS1DHFjwGM9
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/core.tunnels.geneve-47101/tunnel.log

@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	47101	127.0.0.1	6081	Tunnel::GENEVE	Tunnel::DISCOVER
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	47101	127.0.0.1	6081	Tunnel::GENEVE	Tunnel::CLOSE
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/conn.log

@@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.16.11.201	36872	1.1.1.1	53	udp	dns	2.000009	54	74	SF	T	F	0	Dd	1	82	1	102	ClEkJM2Vm5giqnMf4h
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	11803	127.0.0.1	6081	udp	geneve	2.000009	300	0	S0	T	T	0	D	2	356	0	0	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	127.0.0.1	26383	127.0.0.1	4789	udp	vxlan	2.000009	228	0	S0	T	T	0	D	2	284	0	0	CHhAvVGS1DHFjwGM9
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/tunnel.log

@@ -0,0 +1,14 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	11803	127.0.0.1	6081	Tunnel::GENEVE	Tunnel::DISCOVER
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	127.0.0.1	26383	127.0.0.1	4789	Tunnel::VXLAN	Tunnel::DISCOVER
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	11803	127.0.0.1	6081	Tunnel::GENEVE	Tunnel::CLOSE
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	127.0.0.1	26383	127.0.0.1	4789	Tunnel::VXLAN	Tunnel::CLOSE
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/core/tunnels/geneve-47101.zeek

@@ -0,0 +1,8 @@
+# @TEST-DOC: Tests a pcap containing a packet of size 14196 bytes with GENEVE encapsulation. Regression test for #2683.
+# @TEST-EXEC: zeek -C -b -r $TRACES/tunnels/geneve-47101.pcap %INPUT
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+@load base/frameworks/tunnels
+@load base/protocols/conn
+@load base/protocols/ssl

testing/btest/core/tunnels/geneve-vxlan-truncated.zeek

@@ -0,0 +1,8 @@
+# @TEST-DOC: Tests truncated packets tunneled via VXLAN inside GENEVE
+# @TEST-EXEC: zeek -b -r $TRACES/tunnels/geneve-vxlan-dns-truncated.pcap %INPUT
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+@load base/frameworks/tunnels
+@load base/protocols/conn
+@load base/protocols/dns

testing/external/commit-hash.zeek-testing-private

@@ -1 +1 @@
-4d5c6de8c1d36b8fcbacab7da45fee79a433844e
+b121bfe4d869f1f5e334505b970cd456558ef6a1