spicy: Do not register port N+1 for port N in .evt file

Closes #3278
2025-10-02 06:38:20 +00:00 · 2023-09-07 10:02:44 +02:00 · 2023-09-07 10:02:44 +02:00 · 8cd2eceed1
commit 8cd2eceed1
parent 1441b83411
4 changed files with 32 additions and 2 deletions
--- a/src/spicy/manager.cc
+++ b/src/spicy/manager.cc
@ -693,6 +693,10 @@ void Manager::InitPostScript() {
                SPICY_DEBUG(hilti::rt::fmt("  Scheduling analyzer for port %s", port_));
                analyzer_mgr->RegisterAnalyzerForPort(tag, transport_protocol(port_), port);

+                // Don't double register in case of single-port ranges.
+                if ( ports.begin.port() == ports.end.port() )
+                    break;
+
                // Explicitly prevent overflow.
                if ( port == std::numeric_limits<decltype(port)>::max() )
                    break;
--- a/src/spicy/spicyz/glue-compiler.cc
+++ b/src/spicy/spicyz/glue-compiler.cc
@ -298,8 +298,8 @@ static ::zeek::spicy::rt::PortRange extract_port_range(const std::string& chunk,
    }

    if ( ! end )
-        // EVT port ranges are a closed interval, but rt are half-closed.
-        end = hilti::rt::Port(start.port() + 1, start.protocol());
+        // EVT port ranges are a closed.
+        end = hilti::rt::Port(start.port(), start.protocol());

    return {start, *end};
 }
--- a/testing/btest/Baseline/spicy.port-range-one-port/out.filtered
+++ b/testing/btest/Baseline/spicy.port-range-one-port/out.filtered
@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[zeek]   Scheduling analyzer for port 31336/udp
--- a/testing/btest/spicy/port-range-one-port.zeek
+++ b/testing/btest/spicy/port-range-one-port.zeek
@ -0,0 +1,24 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -o test.hlto udp-test.spicy ./udp-test.evt
+# @TEST-EXEC: HILTI_DEBUG=zeek zeek -Cr ${TRACES}/udp-packet.pcap test.hlto %INPUT >out 2>&1
+# @TEST-EXEC: grep -e 'Scheduling analyzer' -e 'error during parsing' < out > out.filtered
+# @TEST-EXEC: btest-diff out.filtered
+
+# @TEST-DOC: Expect a single 'Scheduling analyzer ...' message in the debug output and no parsing errors. There was a bug that 'port 31336/udp' would be wrongly interpreted as a 31336/udp-31337/udp port range. Regression test for #3278.
+
+# @TEST-START-FILE udp-test.spicy
+module UDPTest;
+
+public type Message = unit {
+    data: bytes &eod {
+      assert False: "not reached";
+    }
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE udp-test.evt
+protocol analyzer spicy::UDP_TEST over UDP:
+    parse with UDPTest::Message,
+    port 31336/udp;
+# @TEST-END-FILE