Merge remote-tracking branch 'origin/topic/johanna/tcp-padding'

* origin/topic/johanna/tcp-padding: Do not forward padding to downstream TCP packet analyzer (cherry picked from commit 81ce83590d)
2025-10-02 06:38:20 +00:00 · 2023-08-03 07:17:43 +01:00 · 2023-08-03 07:17:43 +01:00 · 483f7a0322
commit 483f7a0322
parent a99231d956
8 changed files with 104 additions and 3 deletions
--- a/68
+++ b/68
@ -1,3 +1,71 @@
+6.0.0-7 | 2023-08-08 13:22:35 -0700
+
+  * Do not forward padding to downstream TCP packet analyzer (Johanna Amann, Corelight)
+
+    (cherry picked from commit 81ce83590dc15bb51b5c3819898b5e77c16a255c)
+
+  * Do not forward more than the remaining data to downstream UDP analyzer (Johanna Amann, Corelight)
+
+    This fixes a bug introduced in 2b9de839b0948c7de3eb5ed4a397194f96aae6b5
+    / GH-3080, which causes UDP padding to be sent to UDP based analyzers.
+
+    (cherry picked from commit 3c7a52d0a76cf03dddd1177b86c21806f1c3dcbd)
+
+  * Prefer Spicy include directories of this build over accidental ones. (Benjamin Bannier, Corelight)
+
+    (cherry picked from commit c718f7f632d601922dde1e70ae4766d278bf3e86)
+
+  * dce-rpc: Test cases for unbounded state growth (Arne Welzel, Corelight)
+
+    Pcaps produced as shown in #3145 using a samba container and rpcclient.
+
+    (cherry picked from commit f9904511abe9b16e7657ec317477ec200944a01b)
+
+  * dce-rpc: Handle smb2_close_request() in scripts (Arne Welzel, Corelight)
+
+    If there's a request to close a fid and it's in the dce_rpc_backing
+    table, remove it from there.
+
+    (cherry picked from commit f9904511abe9b16e7657ec317477ec200944a01b)
+
+  * smb/dce-rpc: Cleanup DCE-RPC analyzers when fid is closed and limit them (Arne Welzel, Corelight)
+
+    This patch does two things:
+
+    1) For SMB close requests, tear down any associated DCE-RPC
+       analyzer if one exists.
+
+    2) Protect from fid_to_analyzer_map growing unbounded by introducing a
+       new SMB::max_dce_rpc_analyzers limit and forcefully wipe the
+       analyzers if exceeded. Propagate this to script land as event
+       smb_discarded_dce_rpc_analyzers() for additional cleanup.
+
+    This is mostly to fix how the binpac SMB analyzer tracks individual
+    DCE-RPC analyzers per open fid. Connections that re-open the same or
+    different pipe may currently allocate unbounded number of analyzers.
+
+    Closes #3145.
+
+    (cherry picked from commit f9904511abe9b16e7657ec317477ec200944a01b)
+
+  * dce-rpc: Do not repeatedly register removal hooks (Arne Welzel, Corelight)
+
+    ...once should be enough.
+
+    (cherry picked from commit f9904511abe9b16e7657ec317477ec200944a01b)
+
+  * Define early_shutdown lambda earlier in zeek-setup, avoids build failure with gperftools (Tim Wojtulewicz)
+
+    (cherry picked from commit 2da6f94ab657188213fc02b94a6fd303f021b60f)
+
+  * GH-3157: [Spicy] Support `switch` fields when exporting Spicy types to Zeek. (Robin Sommer, Corelight)
+
+    (cherry picked from commit cd2c193cb22e5e7166e47702dece8f49533de285)
+
+  * fix http AUTHORIZATION base64 decode failed (progmboy)
+
+    (cherry picked from commit b18122da08d37ab48a70c9dbb09d8b9403ebd19e)
+
 6.0.0 | 2023-07-05 10:17:38 -0700

  * Update btest, package-manager, and zeek-client submodules [nomail] [skip ci] (Christian Kreibich, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-6.0.0
+6.0.0-7
--- a/src/packet_analysis/protocol/tcp/TCP.cc
+++ b/src/packet_analysis/protocol/tcp/TCP.cc
@ -130,8 +130,8 @@ void TCPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 	// Call DeliverPacket on the adapter directly here. Normally we'd call ForwardPacket
 	// but this adapter does some other things in its DeliverPacket with the packet children
 	// analyzers.
-	adapter->DeliverPacket(remaining, data, is_orig, adapter->LastRelDataSeq(), ip.get(),
-	                       pkt->cap_len);
+	adapter->DeliverPacket(std::min(len, remaining), data, is_orig, adapter->LastRelDataSeq(),
+	                       ip.get(), pkt->cap_len);
 	}

 const struct tcphdr* TCPAnalyzer::ExtractTCP_Header(const u_char*& data, int& len, int& remaining,
--- a/testing/btest/Baseline/core.tcp-padding/conn.log
+++ b/testing/btest/Baseline/core.tcp-padding/conn.log
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	167.221.30.181	59406	217.207.159.63	27272	tcp	http	10.914549	16	191	SF	F	F	0	ShADadfF	13	704	12	823	-
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.tcp-padding/http.log
+++ b/testing/btest/Baseline/core.tcp-padding/http.log
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	origin	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	167.221.30.181	59406	217.207.159.63	27272	1	GET	-	/	-	1.0	-	-	0	6	200	OK	-	-	(empty)	-	-	-	-	-	-	Fftt1g15aiP3OV7YTf	-	-
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Traces/tcp-http-with-padding.pcap
+++ b/testing/btest/Traces/tcp-http-with-padding.pcap
--- a/testing/btest/core/tcp-padding.zeek
+++ b/testing/btest/core/tcp-padding.zeek
@ -0,0 +1,6 @@
+# Check that data contained in the ethernet padding does not make it into protocol analysis
+
+# @TEST-EXEC: zeek -C -r $TRACES/tcp-http-with-padding.pcap %INPUT >out
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff http.log
+
--- a/testing/btest/core/udp-padding.zeek
+++ b/testing/btest/core/udp-padding.zeek
@ -0,0 +1,5 @@
+# Check that data contained in the UDP padding does not make it into protocol analysis
+
+# @TEST-EXEC: zeek -r $TRACES/fake-syslog-with-padding.pcap %INPUT >out
+# @TEST-EXEC: btest-diff syslog.log
+
 @ -1 +1 @@
 .0.0
 .0.0-7