Merge remote-tracking branch 'origin/topic/johanna/gh-1454'

* origin/topic/johanna/gh-1454:
  Heartbleed: fix substraction order.

CHANGES

@@ -1,4 +1,16 @@
 
+4.1.0-dev.423 | 2021-03-26 16:44:26 -0700
+
+  * GH-1454: Heartbleed: fix substraction order. (Johanna Amann)
+
+    Fixes incorrect/overflowed `n` value for `SSL_Heartbeat_Many_Requests`
+    notices where number of server heartbeats is greater than number of client
+    heartbeats.
+
+    The larger number was substracted from the smaller one leading to an
+    integer overflow. However, no information was lost due to everything
+    also being present in the notice message.
+
 4.1.0-dev.421 | 2021-03-26 16:39:22 -0700
 
   * Fix crash in Analyzer::ForwardPacket due to recursive analyzer calls. (Tim Wojtulewicz, Corelight)

VERSION

@@ -1 +1 @@
-4.1.0-dev.421
+4.1.0-dev.423

scripts/policy/protocols/ssl/heartbleed.zeek

@@ -154,7 +154,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 			NOTICE([$note=SSL_Heartbeat_Many_Requests,
 				$msg=fmt("Server sending more heartbeat responses than requests seen. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
 				$conn=c,
-				$n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats),
+				$n=(c$ssl$responder_heartbeats-c$ssl$originator_heartbeats),
 				$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
 				]);