websocket: Fix crash for fragmented messages

The &transient attribute does not work well with $element, as $element
apparently is no longer available within &until.

Found after a few seconds building out the fuzzer.
Arne Welzel 2024-01-19 19:26:42 +01:00
parent e17655be61
commit 5eb380d74a
5 changed files with 42 additions and 1 deletions


@ -80,7 +80,7 @@ type WebSocket_Message = record {
first_frame: WebSocket_Frame(true, this); first_frame: WebSocket_Frame(true, this);
optional_more_frames: case first_frame.hdr.b.fin of { optional_more_frames: case first_frame.hdr.b.fin of {
true -> no_more_frames: empty; true -> no_more_frames: empty;
false -> more_frames: WebSocket_Frame(false, this)[] &until($element.hdr.b.fin) &transient; false -> more_frames: WebSocket_Frame(false, this)[] &until($element.hdr.b.fin);
}; };
} &let { } &let {
opcode = first_frame.hdr.b.opcode; opcode = first_frame.hdr.b.opcode;
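Review bot: With `&transient` dropped from `more_frames`, the array presumably keeps every parsed continuation frame alive until the frame with `fin` set arrives, and the number of frames before that is chosen by the remote peer. For an analyzer fed untrusted traffic, that is a memory-growth path which the old attribute was meant to avoid. The line deserves a why-comment such as `# No &transient: $element is not usable in &until with it, so frames are retained until fin.`, and a follow-up should either cap the number of fragments per message or parse frames as independent units. The definitions of WebSocket_Frame and the rest of this record are outside the hunk, so what each retained element holds cannot be confirmed from here.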


@ -89,3 +89,40 @@ websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, close, payload_le
websocket_close, CHhAvVGS1DHFjwGM9, T, status, 1000, reason, websocket_close, CHhAvVGS1DHFjwGM9, T, status, 1000, reason,
websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 2, data, \x03\xe8 websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 2, data, \x03\xe8
websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, close websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, close
message-too-big-status.pcap
websocket_established, CHhAvVGS1DHFjwGM9, 7, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=127.0.0.1, orig_p=60956/tcp, resp_h=127.0.0.1, resp_p=8080/tcp], host=localhost:8080, uri=/, user_agent=Python/3.10 websockets/12.0, subprotocol=v1, client_protocols=[v1], server_extensions=<uninitialized>, client_extensions=[permessage-deflate; client_max_window_bits], client_key=iTel1Ova5Nhz/G7VlI2qKg==, server_accept=YsQYYLj7ZCpzTLsVLb+w/ydy79E=]
websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, ping, payload_len, 4
websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 4, data, Zeek
websocket_message, CHhAvVGS1DHFjwGM9, F, opcode, ping
websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, close, payload_len, 31
websocket_close, CHhAvVGS1DHFjwGM9, T, status, 1009, reason, over size limit (4 > 2 bytes)
websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 31, data, \x03\xf1over size limit (4 > 2 bytes)
websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, close
websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, close, payload_len, 2
websocket_close, CHhAvVGS1DHFjwGM9, F, status, 1000, reason,
websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 2, data, \x03\xe8
websocket_message, CHhAvVGS1DHFjwGM9, F, opcode, close
two-binary-fragments.pcap
websocket_established, CHhAvVGS1DHFjwGM9, 7, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=127.0.0.1, orig_p=50198/tcp, resp_h=127.0.0.1, resp_p=8080/tcp], host=localhost:8080, uri=/, user_agent=Python/3.10 websockets/12.0, subprotocol=v1, client_protocols=[v1], server_extensions=<uninitialized>, client_extensions=[permessage-deflate; client_max_window_bits], client_key=cQGA5Z1nvyUJ9XOVIaLaQA==, server_accept=zWaHVUKxEGPDs+xJeKtzkE1bm54=]
websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, ping, payload_len, 4
websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 4, data, Zeek
websocket_message, CHhAvVGS1DHFjwGM9, F, opcode, ping
websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, pong, payload_len, 4
websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 4, data, Zeek
websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, pong
websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, binary, payload_len, 11
websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 11, data, Hello Zeek!
websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, binary
websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, F, rsv, 0, opcode, binary, payload_len, 5
websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 5, data, Hello
websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, continuation, payload_len, 7
websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 7, data, there!
websocket_message, CHhAvVGS1DHFjwGM9, F, opcode, binary
websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, close, payload_len, 2
websocket_close, CHhAvVGS1DHFjwGM9, T, status, 1000, reason,
websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 2, data, \x03\xe8
websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, close
websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, close, payload_len, 2
websocket_close, CHhAvVGS1DHFjwGM9, F, status, 1000, reason,
websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 2, data, \x03\xe8
websocket_message, CHhAvVGS1DHFjwGM9, F, opcode, close


@ -6,6 +6,10 @@
# @TEST-EXEC: zeek -b -r $TRACES/websocket/wstunnel-http.pcap %INPUT >>out # @TEST-EXEC: zeek -b -r $TRACES/websocket/wstunnel-http.pcap %INPUT >>out
# @TEST-EXEC: echo "broker-websocket.pcap" >>out # @TEST-EXEC: echo "broker-websocket.pcap" >>out
# @TEST-EXEC: zeek -b -r $TRACES//websocket/broker-websocket.pcap %INPUT >>out # @TEST-EXEC: zeek -b -r $TRACES//websocket/broker-websocket.pcap %INPUT >>out
# @TEST-EXEC: echo "message-too-big-status.pcap" >>out
# @TEST-EXEC: zeek -b -r $TRACES//websocket/message-too-big-status.pcap %INPUT >>out
# @TEST-EXEC: echo "two-binary-fragments.pcap" >>out
# @TEST-EXEC: zeek -b -r $TRACES//websocket/two-binary-fragments.pcap %INPUT >>out
# @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff out
# @TEST-EXEC: test ! -f analyzer.log # @TEST-EXEC: test ! -f analyzer.log
# @TEST-EXEC: test ! -f weird.log # @TEST-EXEC: test ! -f weird.log
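Review bot: The two added traces exercise only one fragmentation shape: per the baseline on this page, two-binary-fragments.pcap holds a single message split into a binary frame with fin F and one continuation frame with fin T. Since the crash was in the `more_frames` array path, a trace with three or more fragments would also pin the `&until($element.hdr.b.fin)` loop. A trace with a control frame (e.g. ping) sent between fragments, which RFC 6455 permits, would pin how the loop terminates in that case. As a style point, the new lines copy the `$TRACES//websocket` double slash from the broker-websocket line; `$TRACES/websocket/...`, as on the wstunnel line, would be consistent. The rest of the test script is outside the hunk.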