mirror of
https://github.com/zeek/zeek.git
synced 2025-10-06 16:48:19 +00:00
websocket: Fix crash for fragmented messages
The &transient attribute does not work well with $element as that won't be available within &until anymore apparently. Found after a few seconds building out the fuzzer.
This commit is contained in:
Arne Welzel
parent
e17655be61
commit
5eb380d74a
5 changed files with 42 additions and 1 deletions
|
|
@ -80,7 +80,7 @@ type WebSocket_Message = record {
|
|||
first_frame: WebSocket_Frame(true, this);
|
||||
optional_more_frames: case first_frame.hdr.b.fin of {
|
||||
true -> no_more_frames: empty;
|
||||
false -> more_frames: WebSocket_Frame(false, this)[] &until($element.hdr.b.fin) &transient;
|
||||
false -> more_frames: WebSocket_Frame(false, this)[] &until($element.hdr.b.fin);
|
||||
};
|
||||
} &let {
|
||||
opcode = first_frame.hdr.b.opcode;
|
||||
|
|
|
|||
|
|
@ -89,3 +89,40 @@ websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, close, payload_le
|
|||
websocket_close, CHhAvVGS1DHFjwGM9, T, status, 1000, reason,
|
||||
websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 2, data, \x03\xe8
|
||||
websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, close
|
||||
message-too-big-status.pcap
|
||||
websocket_established, CHhAvVGS1DHFjwGM9, 7, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=127.0.0.1, orig_p=60956/tcp, resp_h=127.0.0.1, resp_p=8080/tcp], host=localhost:8080, uri=/, user_agent=Python/3.10 websockets/12.0, subprotocol=v1, client_protocols=[v1], server_extensions=<uninitialized>, client_extensions=[permessage-deflate; client_max_window_bits], client_key=iTel1Ova5Nhz/G7VlI2qKg==, server_accept=YsQYYLj7ZCpzTLsVLb+w/ydy79E=]
|
||||
websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, ping, payload_len, 4
|
||||
websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 4, data, Zeek
|
||||
websocket_message, CHhAvVGS1DHFjwGM9, F, opcode, ping
|
||||
websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, close, payload_len, 31
|
||||
websocket_close, CHhAvVGS1DHFjwGM9, T, status, 1009, reason, over size limit (4 > 2 bytes)
|
||||
websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 31, data, \x03\xf1over size limit (4 > 2 bytes)
|
||||
websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, close
|
||||
websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, close, payload_len, 2
|
||||
websocket_close, CHhAvVGS1DHFjwGM9, F, status, 1000, reason,
|
||||
websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 2, data, \x03\xe8
|
||||
websocket_message, CHhAvVGS1DHFjwGM9, F, opcode, close
|
||||
two-binary-fragments.pcap
|
||||
websocket_established, CHhAvVGS1DHFjwGM9, 7, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=127.0.0.1, orig_p=50198/tcp, resp_h=127.0.0.1, resp_p=8080/tcp], host=localhost:8080, uri=/, user_agent=Python/3.10 websockets/12.0, subprotocol=v1, client_protocols=[v1], server_extensions=<uninitialized>, client_extensions=[permessage-deflate; client_max_window_bits], client_key=cQGA5Z1nvyUJ9XOVIaLaQA==, server_accept=zWaHVUKxEGPDs+xJeKtzkE1bm54=]
|
||||
websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, ping, payload_len, 4
|
||||
websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 4, data, Zeek
|
||||
websocket_message, CHhAvVGS1DHFjwGM9, F, opcode, ping
|
||||
websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, pong, payload_len, 4
|
||||
websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 4, data, Zeek
|
||||
websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, pong
|
||||
websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, binary, payload_len, 11
|
||||
websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 11, data, Hello Zeek!
|
||||
websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, binary
|
||||
websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, F, rsv, 0, opcode, binary, payload_len, 5
|
||||
websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 5, data, Hello
|
||||
websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, continuation, payload_len, 7
|
||||
websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 7, data, there!
|
||||
websocket_message, CHhAvVGS1DHFjwGM9, F, opcode, binary
|
||||
websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, close, payload_len, 2
|
||||
websocket_close, CHhAvVGS1DHFjwGM9, T, status, 1000, reason,
|
||||
websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 2, data, \x03\xe8
|
||||
websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, close
|
||||
websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, close, payload_len, 2
|
||||
websocket_close, CHhAvVGS1DHFjwGM9, F, status, 1000, reason,
|
||||
websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 2, data, \x03\xe8
|
||||
websocket_message, CHhAvVGS1DHFjwGM9, F, opcode, close
|
||||
|
|
|
|||
BIN
testing/btest/Traces/websocket/message-too-big-status.pcap
Normal file
BIN
testing/btest/Traces/websocket/message-too-big-status.pcap
Normal file
Binary file not shown.
BIN
testing/btest/Traces/websocket/two-binary-fragments.pcap
Normal file
BIN
testing/btest/Traces/websocket/two-binary-fragments.pcap
Normal file
Binary file not shown.
|
|
@ -6,6 +6,10 @@
|
|||
# @TEST-EXEC: zeek -b -r $TRACES/websocket/wstunnel-http.pcap %INPUT >>out
|
||||
# @TEST-EXEC: echo "broker-websocket.pcap" >>out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES//websocket/broker-websocket.pcap %INPUT >>out
|
||||
# @TEST-EXEC: echo "message-too-big-status.pcap" >>out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES//websocket/message-too-big-status.pcap %INPUT >>out
|
||||
# @TEST-EXEC: echo "two-binary-fragments.pcap" >>out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES//websocket/two-binary-fragments.pcap %INPUT >>out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
# @TEST-EXEC: test ! -f analyzer.log
|
||||
# @TEST-EXEC: test ! -f weird.log
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue