Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 15:48:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

spicy: Do not register port N+1 for port N in .evt file

Browse source 
Closes #3278
This commit is contained in:
Arne Welzel 2023-09-07 10:02:44 +02:00
parent 1441b83411
commit 8cd2eceed1
4 changed files with 32 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/spicy/manager.cc
View file

@ -693,6 +693,10 @@ void Manager::InitPostScript() {
SPICY_DEBUG(hilti::rt::fmt(" Scheduling analyzer for port %s", port_)); SPICY_DEBUG(hilti::rt::fmt(" Scheduling analyzer for port %s", port_));
analyzer_mgr->RegisterAnalyzerForPort(tag, transport_protocol(port_), port); analyzer_mgr->RegisterAnalyzerForPort(tag, transport_protocol(port_), port);
// Don't double register in case of single-port ranges.
if ( ports.begin.port() == ports.end.port() )
break;
// Explicitly prevent overflow. // Explicitly prevent overflow.
if ( port == std::numeric_limits<decltype(port)>::max() ) if ( port == std::numeric_limits<decltype(port)>::max() )
break; break;

4
src/spicy/spicyz/glue-compiler.cc
View file

@ -298,8 +298,8 @@ static ::zeek::spicy::rt::PortRange extract_port_range(const std::string& chunk,
} }
if ( ! end ) if ( ! end )
// EVT port ranges are a closed interval, but rt are half-closed. // EVT port ranges are a closed.
end = hilti::rt::Port(start.port() + 1, start.protocol()); end = hilti::rt::Port(start.port(), start.protocol());
return {start, *end}; return {start, *end};
} }

2
testing/btest/Baseline/spicy.port-range-one-port/out.filtered Normal file
View file

@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
[zeek] Scheduling analyzer for port 31336/udp

24
testing/btest/spicy/port-range-one-port.zeek Normal file
View file

@ -0,0 +1,24 @@
# @TEST-REQUIRES: have-spicy
#
# @TEST-EXEC: spicyz -o test.hlto udp-test.spicy ./udp-test.evt
# @TEST-EXEC: HILTI_DEBUG=zeek zeek -Cr ${TRACES}/udp-packet.pcap test.hlto %INPUT >out 2>&1
# @TEST-EXEC: grep -e 'Scheduling analyzer' -e 'error during parsing' < out > out.filtered
# @TEST-EXEC: btest-diff out.filtered
# @TEST-DOC: Expect a single 'Scheduling analyzer ...' message in the debug output and no parsing errors. There was a bug that 'port 31336/udp' would be wrongly interpreted as a 31336/udp-31337/udp port range. Regression test for #3278.
# @TEST-START-FILE udp-test.spicy
module UDPTest;
public type Message = unit {
data: bytes &eod {
assert False: "not reached";
}
};
# @TEST-END-FILE
# @TEST-START-FILE udp-test.evt
protocol analyzer spicy::UDP_TEST over UDP:
parse with UDPTest::Message,
port 31336/udp;
# @TEST-END-FILE