quic: analyzer: Recognize and report unknown versions better

This makes the analyzer.log entry more informative by including the
actual version and also allows to handle this scenario in script land
if needed.

src/analyzer/protocol/quic/QUIC.evt

@@ -20,3 +20,5 @@ on QUIC::ZeroRTTPacket -> event QUIC::zero_rtt_packet($conn, $is_orig, self.head
 
 on QUIC::ConnectionClosePayload -> event QUIC::connection_close_frame($conn, $is_orig, self.header.version, self.header.dest_conn_id, self.header.src_conn_id,
                                                                       self.error_code.result, self.reason_phrase);
+
+on QUIC::UnhandledVersion -> event QUIC::unhandled_version($conn, $is_orig, self.header.version, self.header.dest_conn_id, self.header.src_conn_id);

src/analyzer/protocol/quic/QUIC.spicy

@@ -204,6 +204,16 @@ public type LongHeaderPacketV2 = unit(inout outer: LongHeaderPacket) {
   };
 };
 
+# Just eat the data for event raising.
+public type UnhandledVersion = unit(header: LongHeaderPacket) {
+  var header: LongHeaderPacket = header;
+@if SPICY_VERSION >= 10800
+  payload: skip bytes &eod;
+@else
+  payload: bytes &eod;
+@endif
+};
+
 public type LongHeaderPacket = unit {
   var encrypted_offset: uint64;
   var payload_length: uint64;
@@ -228,6 +238,9 @@ public type LongHeaderPacket = unit {
   switch ( self.version ) {
     Version1 -> v1: LongHeaderPacketV1(self);
     Version2 -> v2: LongHeaderPacketV2(self);
+    * -> unknown: UnhandledVersion(self) {
+      throw "unhandled QUIC version 0x%x" % self.version;
+    }
   };
 };
 

testing/btest/Baseline/scripts.base.protocols.quic.vector-max-size-crash/analyzer.log.cut

@@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ts	uid	cause	analyzer_kind	analyzer_name	failure_reason
-1693925959.000001	CHhAvVGS1DHFjwGM9	violation	protocol	QUIC	&requires failed: self.length.result >= 20 (<...>/QUIC.spicy:<line>:<column>)
+1693925959.000001	CHhAvVGS1DHFjwGM9	violation	protocol	QUIC	unhandled QUIC version 0x10010000 (<...>/QUIC.spicy:<line>:<column>)

testing/btest/Baseline/scripts.base.protocols.quic.vector-max-size-crash/out

@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+QUIC::unhandled_version, CHhAvVGS1DHFjwGM9, T, 268500992, \x00, 

testing/btest/scripts/base/protocols/quic/vector-max-size-crash.zeek

@@ -1,11 +1,15 @@
 # @TEST-DOC: Test that runs the pcap
 
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/vector-max-size-crash.pcap base/protocols/quic
+# @TEST-EXEC: zeek -Cr $TRACES/quic/vector-max-size-crash.pcap base/protocols/quic %INPUT > out
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: zeek-cut -m ts uid cause analyzer_kind analyzer_name failure_reason < analyzer.log > analyzer.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff out
 
-# Only run btest-ddiff on analyzer.log with 6.1-dev or later. The violation
+# @TEST-EXEC: TEST_DIFF_CANONIFIER='sed -r "s/\((.+)\.spicy:[0-9]+:[0-9]+\)/(\1.spicy:<line>:<column>)/g" | $SCRIPTS/diff-remove-abspath' btest-diff analyzer.log.cut
-# reporting has more detail in later versions.
+
-# @TEST-EXEC: zeek -b -e 'exit(Version::info$version_number < 60100 ? 0 : 1)' || TEST_DIFF_CANONIFIER='sed -r "s/\((.+)\.spicy:[0-9]+:[0-9]+\)/(\1.spicy:<line>:<column>)/g" | $SCRIPTS/diff-remove-abspath' btest-diff analyzer.log.cut
+event QUIC::unhandled_version(c: connection, is_orig: bool, version: count, dcid: string, scid: string)
+	{
+	print "QUIC::unhandled_version", c$uid, is_orig, version, dcid, scid;
+	}