Merge remote-tracking branch 'origin/topic/awelzel/3278-spicy-fix-port-range-off-by-one'

* origin/topic/awelzel/3278-spicy-fix-port-range-off-by-one: spicy: Do not register port N+1 for port N in .evt file
2025-10-05 08:08:19 +00:00 · 2023-09-07 13:28:42 +02:00 · 2023-09-07 13:28:42 +02:00 · 6e6a2bee8a
commit 6e6a2bee8a
parent 21562cfbb2 8cd2eceed1
6 changed files with 39 additions and 3 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+6.1.0-dev.368 | 2023-09-07 13:28:42 +0200
+
+  * GH-3278: spicy: Do not register port N+1 for port N in .evt file (Arne Welzel, Corelight)
+
+  * Updating auxil/zeek-client submodule [nomail] (Christian Kreibich, Corelight)
+
 6.1.0-dev.364 | 2023-09-05 19:56:59 +0200

  * DNS_Mgr: Use Process() for timeout expiration (Arne Welzel, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-6.1.0-dev.364
+6.1.0-dev.368
--- a/src/spicy/manager.cc
+++ b/src/spicy/manager.cc
@ -693,6 +693,10 @@ void Manager::InitPostScript() {
                SPICY_DEBUG(hilti::rt::fmt("  Scheduling analyzer for port %s", port_));
                analyzer_mgr->RegisterAnalyzerForPort(tag, transport_protocol(port_), port);

+                // Don't double register in case of single-port ranges.
+                if ( ports.begin.port() == ports.end.port() )
+                    break;
+
                // Explicitly prevent overflow.
                if ( port == std::numeric_limits<decltype(port)>::max() )
                    break;
--- a/src/spicy/spicyz/glue-compiler.cc
+++ b/src/spicy/spicyz/glue-compiler.cc
@ -298,8 +298,8 @@ static ::zeek::spicy::rt::PortRange extract_port_range(const std::string& chunk,
    }

    if ( ! end )
-        // EVT port ranges are a closed interval, but rt are half-closed.
-        end = hilti::rt::Port(start.port() + 1, start.protocol());
+        // EVT port ranges are a closed.
+        end = hilti::rt::Port(start.port(), start.protocol());

    return {start, *end};
 }
--- a/testing/btest/Baseline/spicy.port-range-one-port/out.filtered
+++ b/testing/btest/Baseline/spicy.port-range-one-port/out.filtered
@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[zeek]   Scheduling analyzer for port 31336/udp
--- a/testing/btest/spicy/port-range-one-port.zeek
+++ b/testing/btest/spicy/port-range-one-port.zeek
@ -0,0 +1,24 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -o test.hlto udp-test.spicy ./udp-test.evt
+# @TEST-EXEC: HILTI_DEBUG=zeek zeek -Cr ${TRACES}/udp-packet.pcap test.hlto %INPUT >out 2>&1
+# @TEST-EXEC: grep -e 'Scheduling analyzer' -e 'error during parsing' < out > out.filtered
+# @TEST-EXEC: btest-diff out.filtered
+
+# @TEST-DOC: Expect a single 'Scheduling analyzer ...' message in the debug output and no parsing errors. There was a bug that 'port 31336/udp' would be wrongly interpreted as a 31336/udp-31337/udp port range. Regression test for #3278.
+
+# @TEST-START-FILE udp-test.spicy
+module UDPTest;
+
+public type Message = unit {
+    data: bytes &eod {
+      assert False: "not reached";
+    }
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE udp-test.evt
+protocol analyzer spicy::UDP_TEST over UDP:
+    parse with UDPTest::Message,
+    port 31336/udp;
+# @TEST-END-FILE