From 8cd2eceed1ce09cab0abbbdcd0ed54051301e0df Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Thu, 7 Sep 2023 10:02:44 +0200 Subject: [PATCH] spicy: Do not register port N+1 for port N in .evt file Closes #3278 --- src/spicy/manager.cc | 4 ++++ src/spicy/spicyz/glue-compiler.cc | 4 ++-- .../spicy.port-range-one-port/out.filtered | 2 ++ testing/btest/spicy/port-range-one-port.zeek | 24 +++++++++++++++++++ 4 files changed, 32 insertions(+), 2 deletions(-) create mode 100644 testing/btest/Baseline/spicy.port-range-one-port/out.filtered create mode 100644 testing/btest/spicy/port-range-one-port.zeek diff --git a/src/spicy/manager.cc b/src/spicy/manager.cc index 37300e75bf..b7c99e6e06 100644 --- a/src/spicy/manager.cc +++ b/src/spicy/manager.cc @@ -693,6 +693,10 @@ void Manager::InitPostScript() { SPICY_DEBUG(hilti::rt::fmt(" Scheduling analyzer for port %s", port_)); analyzer_mgr->RegisterAnalyzerForPort(tag, transport_protocol(port_), port); + // Don't double register in case of single-port ranges. + if ( ports.begin.port() == ports.end.port() ) + break; + // Explicitly prevent overflow. if ( port == std::numeric_limits::max() ) break; diff --git a/src/spicy/spicyz/glue-compiler.cc b/src/spicy/spicyz/glue-compiler.cc index d49e878b9d..26b35b8303 100644 --- a/src/spicy/spicyz/glue-compiler.cc +++ b/src/spicy/spicyz/glue-compiler.cc @@ -298,8 +298,8 @@ static ::zeek::spicy::rt::PortRange extract_port_range(const std::string& chunk, } if ( ! end ) - // EVT port ranges are a closed interval, but rt are half-closed. - end = hilti::rt::Port(start.port() + 1, start.protocol()); + // EVT port ranges are a closed. + end = hilti::rt::Port(start.port(), start.protocol()); return {start, *end}; } diff --git a/testing/btest/Baseline/spicy.port-range-one-port/out.filtered b/testing/btest/Baseline/spicy.port-range-one-port/out.filtered new file mode 100644 index 0000000000..293b1047f3 --- /dev/null +++ b/testing/btest/Baseline/spicy.port-range-one-port/out.filtered 
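Review bot: The added `ports.begin.port() == ports.end.port()` check in `Manager::InitPostScript()` is loop-invariant but is evaluated inside the per-port loop, and its comment does not say why the loop bound alone would not stop after one registration. The loop header is outside this hunk, so this is inferred: if the loop walks the closed interval [begin, end], a single-port range already ends after one pass, and the existing overflow guard covers the maximum port. I would state the convention here, since this code decides which ports an analyzer is attached to: `// PortRange is a closed interval [begin, end]; begin == end means exactly one port.` If the check is only defensive, say so in the comment.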
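Review bot: The replacement comment in `extract_port_range`, `// EVT port ranges are a closed.`, is truncated and no longer records that the runtime side used to treat `PortRange` as half-closed, even though the fallback now stores `end == start`. I would write `// No explicit end given: a single port is the closed range [start, start].` The branch that parses an explicit end is above this hunk and not visible; confirm it also yields an inclusive upper bound, otherwise single ports and `N-M` ranges follow different conventions. The range appears to be computed by spicyz at compile time, so .hlto files built before this change presumably still carry N+1 until recompiled. That is worth a release note, because the extra port keeps exposing the analyzer to traffic it was not meant to parse.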
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[zeek] Scheduling analyzer for port 31336/udp
diff --git a/testing/btest/spicy/port-range-one-port.zeek b/testing/btest/spicy/port-range-one-port.zeek
new file mode 100644
index 0000000000..bdc5219791
--- /dev/null
+++ b/testing/btest/spicy/port-range-one-port.zeek
@@ -0,0 +1,24 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -o test.hlto udp-test.spicy ./udp-test.evt
+# @TEST-EXEC: HILTI_DEBUG=zeek zeek -Cr ${TRACES}/udp-packet.pcap test.hlto %INPUT >out 2>&1
+# @TEST-EXEC: grep -e 'Scheduling analyzer' -e 'error during parsing' < out > out.filtered
+# @TEST-EXEC: btest-diff out.filtered
+
+# @TEST-DOC: Expect a single 'Scheduling analyzer ...' message in the debug output and no parsing errors. There was a bug that 'port 31336/udp' would be wrongly interpreted as a 31336/udp-31337/udp port range. Regression test for #3278.
+
+# @TEST-START-FILE udp-test.spicy
+module UDPTest;
+
+public type Message = unit {
+ data: bytes &eod {
+ assert False: "not reached";
+ }
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE udp-test.evt
+protocol analyzer spicy::UDP_TEST over UDP:
+ parse with UDPTest::Message,
+ port 31336/udp;
+# @TEST-END-FILE
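Review bot: The regression test pins only the single-port form `port 31336/udp`, so nothing checks that an explicit range still registers exactly its closed interval after the upper-bound convention changed in glue-compiler.cc. I would add a second .evt case using the range form named in the TEST-DOC (`31336/udp-31337/udp`), with a baseline of exactly two 'Scheduling analyzer' lines, so an off-by-one in either direction fails the diff. A case ending at the highest port number would also exercise the overflow guard next to the new check in manager.cc.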