From 83a2eb366500ea78d7c7a1392df4cdb501d33943 Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Thu, 1 Aug 2024 21:11:38 +0200
Subject: [PATCH] ldap: Avoid unset m$opcode
Initial fuzzing caused a bind response to arrive before a bind request, resulting in an unset field expression error:
 expression error in base/protocols/ldap/main.zeek, line 270: field value missing (LDAP::m$opcode)
Prevent this by ensuring m$opcode is set and raising instead.
---
 scripts/base/protocols/ldap/main.zeek | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/scripts/base/protocols/ldap/main.zeek b/scripts/base/protocols/ldap/main.zeek
index da4a21871c..1e23c7bf84 100644
--- a/scripts/base/protocols/ldap/main.zeek
+++ b/scripts/base/protocols/ldap/main.zeek
@@ -229,6 +229,10 @@ event LDAP::message(c: connection,
 fmt("%s: %s -> %s", message_id, m$opcode, opcode_str), "LDAP");
 }
+ m$opcode = opcode_str;
+ } else if ( ! m?$opcode ) {
+ # This can happen if we see a bind response before the bind request.
+ Reporter::conn_weird("LDAP_bind_without_opcode", c, fmt("%s: %s", message_id, opcode_str), "LDAP");
 m$opcode = opcode_str;
 }
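Review bot: The weird name `LDAP_bind_without_opcode` and the comment in the new `else if ( ! m?$opcode )` branch both say "bind", but the condition visible in the hunk only tests that `m$opcode` is unset; the opening `if` of this chain lies above the hunk, so whether only bind responses can reach the branch cannot be confirmed from here. If other opcodes can, weird.log entries under this name would mislead anyone triaging or alerting on it, so either the name should be neutral or the comment should state the actual precondition, e.g. `# Reached when no earlier message set m$opcode, e.g. a bind response seen before its bind request.` The diffstat lists only main.zeek, so the fuzzer input that triggered the expression error is not captured as a regression test; a small trace with a response arriving before its request would keep this path covered.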