Merge remote-tracking branch 'origin/topic/vladg/mysql_nul_string_fix'

* origin/topic/vladg/mysql_nul_string_fix: Add a test with an encrypted MySQL connection Fix parsing of MySQL NUL Strings, where we now require it to have a NUL value at the end.
2025-10-02 06:38:20 +00:00 · 2018-10-30 09:59:44 -05:00 · 2018-10-30 09:59:44 -05:00 · 8c02aa5211
commit 8c02aa5211
parent 80c7f3f4e2 b0638dbdcf
7 changed files with 32 additions and 18 deletions
--- a/6
+++ b/6
@ -1,4 +1,10 @@

+2.6-beta2-55 | 2018-10-30 09:59:44 -0500
+
+  * Add a test with an encrypted MySQL connection (Vlad Grigorescu)
+
+  * Fix parsing of MySQL NUL Strings (Vlad Grigorescu)
+
 2.6-beta2-51 | 2018-10-26 10:41:42 -0500

  * Add missing record field comment (Jon Siwek, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-2.6-beta2-51
+2.6-beta2-55
--- a/src/analyzer/protocol/mysql/mysql-analyzer.pac
+++ b/src/analyzer/protocol/mysql/mysql-analyzer.pac
@ -8,11 +8,11 @@ refine flow MySQL_Flow += {
 			if ( ${msg.version} == 10 )
 				BifEvent::generate_mysql_server_version(connection()->bro_analyzer(),
 				                                        connection()->bro_analyzer()->Conn(),
-														bytestring_to_val(${msg.handshake10.server_version}));
+				                                        new StringVal(c_str(${msg.handshake10.server_version})));
 			if ( ${msg.version} == 9 )
 				BifEvent::generate_mysql_server_version(connection()->bro_analyzer(),
 				                                        connection()->bro_analyzer()->Conn(),
-														bytestring_to_val(${msg.handshake9.server_version}));
+				                                        new StringVal(c_str(${msg.handshake9.server_version})));
 			}
 		return true;
 		%}
@ -27,11 +27,11 @@ refine flow MySQL_Flow += {
 			if ( ${msg.version} == 10 )
 				BifEvent::generate_mysql_handshake(connection()->bro_analyzer(),
 				                                   connection()->bro_analyzer()->Conn(),
-													bytestring_to_val(${msg.v10_response.username}));
+				                                   new StringVal(c_str(${msg.v10_response.username})));
 			if ( ${msg.version} == 9 )
 				BifEvent::generate_mysql_handshake(connection()->bro_analyzer(),
 				                                   connection()->bro_analyzer()->Conn(),
-								    	    	   bytestring_to_val(${msg.v9_response.username}));
+				                                   new StringVal(c_str(${msg.v9_response.username})));
 			}
 		return true;
 		%}
--- a/src/analyzer/protocol/mysql/mysql-protocol.pac
+++ b/src/analyzer/protocol/mysql/mysql-protocol.pac
@ -151,7 +151,7 @@ enum Expected {
 	EXPECT_AUTH_SWITCH,
 };

-type NUL_String = RE/[^\0]*/;
+type NUL_String = RE/[^\0]*\0/;

 # MySQL PDU

--- a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted/mysql.log
+++ b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted/mysql.log
--- a/testing/btest/Traces/mysql/encrypted.trace
+++ b/testing/btest/Traces/mysql/encrypted.trace
--- a/testing/btest/scripts/base/protocols/mysql/encrypted.test
+++ b/testing/btest/scripts/base/protocols/mysql/encrypted.test
@ -0,0 +1,8 @@
+# This tests how Bro deals with encrypted connections. Right now, it doesn't log them as it
+# can't parse much of value. We're testing for an empty mysql.log file.
+
+# @TEST-EXEC: touch mysql.log
+# @TEST-EXEC: bro -b -r $TRACES/mysql/encrypted.trace %INPUT
+# @TEST-EXEC: btest-diff mysql.log
+
+@load base/protocols/mysql