diff --git a/CHANGES b/CHANGES
index 1794815e76..1b6998094b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+6.1.0-dev.368 | 2023-09-07 13:28:42 +0200
+
+ * GH-3278: spicy: Do not register port N+1 for port N in .evt file (Arne Welzel, Corelight)
+
+ * Updating auxil/zeek-client submodule [nomail] (Christian Kreibich, Corelight)
+
 6.1.0-dev.364 | 2023-09-05 19:56:59 +0200
 
 * DNS_Mgr: Use Process() for timeout expiration (Arne Welzel, Corelight)
diff --git a/VERSION b/VERSION
index c3fb06942f..a16c4504c1 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-6.1.0-dev.364
+6.1.0-dev.368
diff --git a/src/spicy/manager.cc b/src/spicy/manager.cc
index 37300e75bf..b7c99e6e06 100644
--- a/src/spicy/manager.cc
+++ b/src/spicy/manager.cc
@@ -693,6 +693,10 @@ void Manager::InitPostScript() {
 SPICY_DEBUG(hilti::rt::fmt(" Scheduling analyzer for port %s", port_));
 analyzer_mgr->RegisterAnalyzerForPort(tag, transport_protocol(port_), port);
 
+ // Don't double register in case of single-port ranges.
+ if ( ports.begin.port() == ports.end.port() )
+ break;
+
 // Explicitly prevent overflow.
 if ( port == std::numeric_limits::max() )
 break;
diff --git a/src/spicy/spicyz/glue-compiler.cc b/src/spicy/spicyz/glue-compiler.cc
index d49e878b9d..26b35b8303 100644
--- a/src/spicy/spicyz/glue-compiler.cc
+++ b/src/spicy/spicyz/glue-compiler.cc
@@ -298,8 +298,8 @@ static ::zeek::spicy::rt::PortRange extract_port_range(const std::string& chunk,
 }
 
 if ( ! end )
- // EVT port ranges are a closed interval, but rt are half-closed.
- end = hilti::rt::Port(start.port() + 1, start.protocol());
+ // EVT port ranges are a closed.
+ end = hilti::rt::Port(start.port(), start.protocol());
 
 return {start, *end};
 }
diff --git a/testing/btest/Baseline/spicy.port-range-one-port/out.filtered b/testing/btest/Baseline/spicy.port-range-one-port/out.filtered
new file mode 100644
index 0000000000..293b1047f3
--- /dev/null
+++ b/testing/btest/Baseline/spicy.port-range-one-port/out.filtered
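Review bot: The comment on the new `ports.begin.port() == ports.end.port()` guard in Manager::InitPostScript does not say which second registration it prevents, and the loop header that decides this lies outside the hunk. If that loop runs while `port <= ports.end.port()`, a range with equal endpoints already stops after one pass, so the guard would be redundant and loop-invariant. The guard also cannot recognise a range whose end is N+1, which is what the old spicyz emitted for a single port, so artifacts compiled before this change would presumably still bind the analyzer to port N+1 until rebuilt; that is worth confirming. I would state the contract in the comment, e.g. `// Ranges are closed [begin, end]; a single port has begin == end and is registered exactly once.`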
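Review bot: The replacement comment `// EVT port ranges are a closed.` in extract_port_range is truncated and no longer records the runtime's convention, which is the mismatch that produced the N+1 registration in the first place. Since a single port is now encoded as `end == start`, the comment should name the contract both sides rely on: `// EVT port ranges are closed intervals; a single port is encoded as start == end, and the runtime iterates [start, end] inclusively.` The last clause is inferred from the manager.cc change and should be checked against the loop there. The function body starts above the hunk.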
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[zeek] Scheduling analyzer for port 31336/udp
diff --git a/testing/btest/spicy/port-range-one-port.zeek b/testing/btest/spicy/port-range-one-port.zeek
new file mode 100644
index 0000000000..bdc5219791
--- /dev/null
+++ b/testing/btest/spicy/port-range-one-port.zeek
@@ -0,0 +1,24 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -o test.hlto udp-test.spicy ./udp-test.evt
+# @TEST-EXEC: HILTI_DEBUG=zeek zeek -Cr ${TRACES}/udp-packet.pcap test.hlto %INPUT >out 2>&1
+# @TEST-EXEC: grep -e 'Scheduling analyzer' -e 'error during parsing' < out > out.filtered
+# @TEST-EXEC: btest-diff out.filtered
+
+# @TEST-DOC: Expect a single 'Scheduling analyzer ...' message in the debug output and no parsing errors. There was a bug that 'port 31336/udp' would be wrongly interpreted as a 31336/udp-31337/udp port range. Regression test for #3278.
+
+# @TEST-START-FILE udp-test.spicy
+module UDPTest;
+
+public type Message = unit {
+ data: bytes &eod {
+ assert False: "not reached";
+ }
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE udp-test.evt
+protocol analyzer spicy::UDP_TEST over UDP:
+ parse with UDPTest::Message,
+ port 31336/udp;
+# @TEST-END-FILE
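Review bot: The regression test in port-range-one-port.zeek pins only the single-port form, so the closed-interval contract is checked at one end only. A companion case with an explicit two-port range in the .evt file, whose baseline lists both 'Scheduling analyzer' lines, would catch a later change that makes the runtime half-open and silently drops the last port of a range. The TEST-DOC could also state that the absence of 'error during parsing' is what shows the analyzer was not attached to the neighbouring port. That presumably depends on udp-packet.pcap carrying traffic on 31337/udp, which the page does not show.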