From 14429cf297c84ff653cb933d700eab203d66987a Mon Sep 17 00:00:00 2001
From: Arne Welzel <arne.welzel@corelight.com>
Date: Wed, 8 Oct 2025 16:14:14 +0200
Subject: [PATCH] QUIC: Skip packets with fixed_bit 0

The RFC specifies that QUIC packets with unset fixed_bit need to be
discarded. Do so.

Fixes #4847
---
 NEWS                                          |   3 +
 src/analyzer/protocol/quic/QUIC.spicy         | 166 ++++++++++--------
 .../conn.log.cut                              |   3 +
 .../quic.log                                  |  11 ++
 .../ssl.log                                   |  11 ++
 .../btest/Traces/quic/quic-39264-rand.pcap    | Bin 0 -> 11755 bytes
 .../base/protocols/quic/39264-rand.zeek       |   9 +
 7 files changed, 130 insertions(+), 73 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.quic.39264-rand/conn.log.cut
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.quic.39264-rand/quic.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.quic.39264-rand/ssl.log
 create mode 100644 testing/btest/Traces/quic/quic-39264-rand.pcap
 create mode 100644 testing/btest/scripts/base/protocols/quic/39264-rand.zeek

diff --git a/NEWS b/NEWS
index 406073dcf5..af792aed78 100644
--- a/NEWS
+++ b/NEWS
@@ -73,6 +73,9 @@ Changed Functionality
 - The ``get_current_packet_header()`` now populates the returned record also for
   fragmented IP datagrams.
 
+- The QUIC parser discards packets with the fixed_bit field set to 0, rather than
+  continuing to parse potentially running into analyzer violations.
+
 Removed Functionality
 ---------------------
 
diff --git a/src/analyzer/protocol/quic/QUIC.spicy b/src/analyzer/protocol/quic/QUIC.spicy
index a071d1ea19..835cfb342c 100644
--- a/src/analyzer/protocol/quic/QUIC.spicy
+++ b/src/analyzer/protocol/quic/QUIC.spicy
@@ -516,6 +516,16 @@ type Packet = unit(from_client: bool, context: Context&) {
     # Peek into the first byte and determine the header type.
     first_byte: bitfield(8) {
         header_form: 7 &convert=HeaderForm($$);
+
+        # The next bit (0x40) of byte 0 is set to 1. Packets containing a zero
+        # value for this bit are not valid packets in this version and MUST be
+        # discarded. A value of 1 for this bit allows QUIC to coexist with other
+        # protocols; see [RFC7983].
+        #
+        # https://datatracker.ietf.org/doc/html/rfc9000#name-short-header-packets
+        #
+        # We use this to avoid parsing the short/long header below.
+        fixed_bit: 6;
     };
 
     # TODO: Consider bitfield based look-ahead-parsing in the switch below
@@ -525,84 +535,94 @@ type Packet = unit(from_client: bool, context: Context&) {
     }
 
     # Depending on the header, parse it and update the src/dest ConnectionID's
-    switch (self.first_byte.header_form) {
-        HeaderForm::SHORT -> short_header: ShortHeader(context.client_cid_len);
-        HeaderForm::LONG -> long_header: LongHeaderPacket {
-            # For now, only allow a change of src/dest ConnectionID's for INITIAL packets.
+    switch (cast<bool>(self.first_byte.fixed_bit)) {
+        True -> {
+            switch (self.first_byte.header_form) {
+                HeaderForm::SHORT -> short_header: ShortHeader(context.client_cid_len);
+                HeaderForm::LONG -> long_header: LongHeaderPacket {
+                    # For now, only allow a change of src/dest ConnectionID's for INITIAL packets.
 
-            # If we see a retry packet from the responder, reset the decryption
-            # context such that the next DCID from the client is used for decryption.
-            if (self.long_header.is_retry) {
-                reset_crypto(context);
+                    # If we see a retry packet from the responder, reset the decryption
+                    # context such that the next DCID from the client is used for decryption.
+                    if (self.long_header.is_retry) {
+                        reset_crypto(context);
 
-                self.crypto = Null;
-                self.crypto_sink = Null;
+                        self.crypto = Null;
+                        self.crypto_sink = Null;
+                    }
+                }
+            };
+
+            : void {
+                if (self?.long_header && can_decrypt(self.long_header, context, self.crypto))
+                # If we have parsed an initial packet that we can decrypt the payload,
+                # determine the size to store into a buffer.
+                self.packet_size = self.offset();
             }
+
+            # Buffer the whole packet if we determined we have a chance to decrypt.
+            packet_data: bytes &parse-at=self.start &size=self.packet_size if(self.packet_size > 0) {
+
+                if (from_client) {
+                    context.server_cid_len = self.long_header.dest_conn_id_len;
+                    context.client_cid_len = self.long_header.src_conn_id_len;
+
+                    # This is the first INITIAL packet we attempt to decrypt and it is
+                    # coming from the client. Use its destination connection ID for
+                    # decryption purposes.
+                    if (!context.initial_destination_conn_id) {
+                        context.initial_destination_conn_id = self.long_header.dest_conn_id;
+                    }
+
+                    # This means that here, we can try to decrypt the initial packet!
+                    # All data is accessible via the `long_header` unit
+                    self.decrypted_data = decrypt_crypto_payload(
+                        self.long_header.version,
+                        self.packet_data,
+                        *context.initial_destination_conn_id,
+                        self.long_header.encrypted_offset,
+                        self.long_header.payload_length,
+                        from_client
+                    );
+                } else {
+                    context.server_cid_len = self.long_header.src_conn_id_len;
+                    context.client_cid_len = self.long_header.dest_conn_id_len;
+
+                    self.decrypted_data = decrypt_crypto_payload(
+                        self.long_header.version,
+                        self.packet_data,
+                        *context.initial_destination_conn_id,
+                        self.long_header.encrypted_offset,
+                        self.long_header.payload_length,
+                        from_client
+                    );
+                }
+
+                # We attempted decryption, but it failed. Just reject the
+                # input and assume Zeek will disable the analyzer for this
+                # connection.
+                if (|self.decrypted_data| == 0)
+                    throw "decryption failed";
+
+                # We were able to decrypt the INITIAL packet. Confirm QUIC!
+                spicy::accept_input();
+            }
+
+            # If this packet has a SHORT header, consume until &eod, there's nothing
+            # we can do with it anyhow, but only if fixed_bit == 1.
+            : ShortPacketPayload if(self.first_byte.header_form == HeaderForm::SHORT);
+
+            # If this was packet with a long header and decrypted data exists, attempt
+            # to parse the plain QUIC frames from it.
+            frames: Frame(self.long_header, from_client, self.crypto, self.crypto_sink)[] &parse-from=self.decrypted_data if(self.first_byte.header_form == HeaderForm::LONG && |self.decrypted_data| > 0);
+        }
+        False -> {
+            # Consume the packet if fixed_bit is not 1. Basically discard it.
+            #
+            # # TODO: Raise QUIC::discarded_packet() when this happens.
+            : skip bytes &eod;
         }
     };
-
-    : void {
-        if (self?.long_header && can_decrypt(self.long_header, context, self.crypto))
-        # If we have parsed an initial packet that we can decrypt the payload,
-        # determine the size to store into a buffer.
-        self.packet_size = self.offset();
-    }
-
-    # Buffer the whole packet if we determined we have a chance to decrypt.
-    packet_data: bytes &parse-at=self.start &size=self.packet_size if(self.packet_size > 0) {
-
-        if (from_client) {
-            context.server_cid_len = self.long_header.dest_conn_id_len;
-            context.client_cid_len = self.long_header.src_conn_id_len;
-
-            # This is the first INITIAL packet we attempt to decrypt and it is
-            # coming from the client. Use its destination connection ID for
-            # decryption purposes.
-            if (!context.initial_destination_conn_id) {
-                context.initial_destination_conn_id = self.long_header.dest_conn_id;
-            }
-
-            # This means that here, we can try to decrypt the initial packet!
-            # All data is accessible via the `long_header` unit
-            self.decrypted_data = decrypt_crypto_payload(
-                self.long_header.version,
-                self.packet_data,
-                *context.initial_destination_conn_id,
-                self.long_header.encrypted_offset,
-                self.long_header.payload_length,
-                from_client
-            );
-        } else {
-            context.server_cid_len = self.long_header.src_conn_id_len;
-            context.client_cid_len = self.long_header.dest_conn_id_len;
-
-            self.decrypted_data = decrypt_crypto_payload(
-                self.long_header.version,
-                self.packet_data,
-                *context.initial_destination_conn_id,
-                self.long_header.encrypted_offset,
-                self.long_header.payload_length,
-                from_client
-            );
-        }
-
-        # We attempted decryption, but it failed. Just reject the
-        # input and assume Zeek will disable the analyzer for this
-        # connection.
-        if (|self.decrypted_data| == 0)
-            throw "decryption failed";
-
-        # We were able to decrypt the INITIAL packet. Confirm QUIC!
-        spicy::accept_input();
-    }
-
-    # If this packet has a SHORT header, consume until &eod, there's nothing
-    # we can do with it anyhow.
-    : ShortPacketPayload if(self.first_byte.header_form == HeaderForm::SHORT);
-
-    # If this was packet with a long header and decrypted data exists, attempt
-    # to parse the plain QUIC frames from it.
-    frames: Frame(self.long_header, from_client, self.crypto, self.crypto_sink)[] &parse-from=self.decrypted_data if(self.first_byte.header_form == HeaderForm::LONG && |self.decrypted_data| > 0);
 };
 
 ##############
diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.39264-rand/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.39264-rand/conn.log.cut
new file mode 100644
index 0000000000..46d72b1541
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.39264-rand/conn.log.cut
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	history	service
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	quic,ssl
diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.39264-rand/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.39264-rand/quic.log
new file mode 100644
index 0000000000..10648c9e82
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.39264-rand/quic.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	quic
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	client_initial_dcid	client_scid	server_scid	server_name	client_protocol	history
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	765b:b77b:dad1:7e73:56f9:5a0f:52a3:f4f	39264	725f:1f71:525f:a3b:525f:3673:525f:3673	443	1	ceef7990f5bb4071	1e6dc7	eeef7990f5bb4071	tr6.snapchat.com	h3	IIISZiiiiishIH
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.39264-rand/ssl.log b/testing/btest/Baseline/scripts.base.protocols.quic.39264-rand/ssl.log
new file mode 100644
index 0000000000..b3df132751
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.39264-rand/ssl.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	ssl_history	cert_chain_fps	client_cert_chain_fps	sni_matches_cert
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	string	vector[string]	vector[string]	bool
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	765b:b77b:dad1:7e73:56f9:5a0f:52a3:f4f	39264	725f:1f71:525f:a3b:525f:3673:525f:3673	443	TLSv13	TLS_AES_128_GCM_SHA256	x25519	tr6.snapchat.com	T	-	-	F	Cs	-	-	-
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/quic/quic-39264-rand.pcap b/testing/btest/Traces/quic/quic-39264-rand.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..0a639199a2a6c980360e3815825c15d17624fac1
GIT binary patch
literal 11755
zcmeHtRcsyW(&aX@w;5w*h%t7|%*@Qp%osDq%p5Z_Gcz+Y#Euzbp7{QAXEgu059i^`
z!${N8Qfo`CUcLIOT3z++n(wRq0SW*I{QG!+2LM3+{NP2IH;ak}1t3BI{slHc?_swn
zC)ASyJc8g2J#c|U@MUB^7tJQm)fpd0l}8PrLLN}oL6^W@K^K-&L6_C>1F3o-ZQ#pU
z!rg!F2m(EM;U06>#%B+PZ#~2(0yqqnIXR~6&tcoVH)fN;YJ?SLv8kYkwu?IQE#-=)
zPKb){;bfcj<(7&NCxFx)F4cgBJ@qSpBad7_V7L}I&6C}hlG7Bl;C`4!Z>}2;JEnR<
zGsA|{myn&#upWr&mh*oU6On`<M`jS3P7~w_Wk1*Ic4F}idOw<zq;0V$U|-KH5){Ek
zch25XfEb`q95~|!$t>&jOp*_g#HXXdoBOINsc3!I#)z%t1QNosUt<nHT3==pEn$AX
zgsh_%i4gei4aHgG7@NEqLS5bEXfp}dDtkq9afo-?_L2dX7{`22UJl3Bq~{0go$#=X
zxH>~?Q)FxTc7v?%p9N#`ZpVd>s((_R&G>UBsSAVa9)02@Dt+0gOe$oDoXnke)@6Lp
zyP#utq2`V7UIE$#){v~q=#UF^#RLaL(5efXB<Bnql0)+6=lV9@yvPKwfH_G9Xx|Xa
zV;PMZa%kfpUnrI5P6jO(CfrrTzv$n*2EB^c!uYKnI11c!G2UrvL-74#NwZTB;&8Ih
zi({rr4W2j~A3WU(!v4%O;Sp8qgHmtaX?zbFmoL-dQzPVmQhwq8j8(8-GO-!26iB-J
z8^AgCOJbm$HZxb_Xqv`y6mrik^8QABv(s8)UC_6m5o5qZKk{q0xaJW5&nx50&Wwuz
zP0@ay?S;0)+#f<Kng!R<E~;1F8jvCNRT|-Lt;UFB7$Hr^?Ui_%@_xhL*0M;QNJASq
zpHwWa%l9u1LVQT7Wk94Hh+~}B*NU-o(w9?{T;NvtFX~Ci;+jng+6Un~iyPV<!-qq&
z7j}T;Hl16iiI#}&=U2!Sw{5wG1JIiKBp$OtLSzMFR*vXKT3v>yBpH6q89rM_P?6J+
zAhXjt#W0YZLy@f!2i(R)h=p|e%0u97RBHHzXLm`T@-?jxnFrpSiqgqFltF$)vLkUR
zMwNWCpH_5To!Va9kZBhF1cfKomT(v8dnsqTBhBFbn1P+es1(S?V$SS2LxM+FUrwmB
z^SmP)awd`NsS&WirsOS5Gd@U_tz+KkIcSNrJrI_Emaa}Gb@fw}bB?-HlJb#&TZUbT
zBu%$U{zV3?_Q0J&cEAeYvVIjX^9B9*{z2lwReA3Qfk0eOC4r`kU)?)DGG%N=0Gkzy
zLg8Ru)|cX$*M<s31!R=tF0>qyhY8ca$7`dsFyYsVDf%%p1=e@*0&D3N>XU6glFJ$#
zCy^k0M@7cXc4I+Y#*FkTBD41iFwNg=&V<+;#I775694vy|9}2)N4c1P#vLWor~a?G
zqmU#0kxC!sYrl}bu`&8t?(TWuFlz}ntWz7z7TWiOad;)EN@lk`<5nOb9mLU6LjfM>
z2qi}5iAYhnzWLye^d=vc5j#D0t(`y<tK&h%M}3b;acW}HDs0wSRpX=N)K?m>U@(vD
zSZ^zRnj~oVa$DpF%2yiT`I!%ryAuP8X#!W?P^~QqP~B0TI_x)}G7n^U+`+k^uIfT>
zoX{o8HGnIf@aY+2U{3ErZXZ)mPS;+UWCrhUI#VYD)VjZCantwhZTm%mev(1Bv}D2P
z(;iyn84|bl81}Mpv39p$_*5G~WowvrE0>>_y+>{UYrH)ez|&A)YD6}nVOBt}HuQc`
zR``S1&#TVY3SzNlO-b&x;wL@GNY%OwV!P-&HE|yVFPDc`fr5qV?seKDjPF<vL0W~y
z!oYD=5K)AI1y+lr7bY6;h_DE#Dyo&QAdBOmMmKYBIh(=n4QYw;d0H8veCLY@{h@+Y
zkZ-A_x*h-l5x?K6xT*yrB}B~JRb=+?2N{bp5K<^SYBgr@Hl`Mb@b?Y6fd@u{{E9K}
zv%Axvln)V^l{uHZOI4glwov>ooVdCgK{t40*NJ~WttL%bWJoDniHk%yvWU3**33B|
zsel?(TnSf3ggYzdv|i?Zx9M_f9K`?5@xY<eFC@9vli5==ve0$R8Cg>w-iPDG>h#tf
z>!Nj+o4e-JwBZ%93({wPi&@?B@eC)W&Y5t=V2XUdj9A#StG_gXGkKTyWvXep88ZBi
z{P$z#Z)i*XKBwNObJ}%icSCd=dUbOGW9P*_qZ&Hk(UpsQwJ^z|P82CDLNTnbU9%>c
zGC9UAj{{CfmuwqTc0b_sGcv!h3Y08qf%VT3zKediSKuRM$Qt&y-6By_;EB{di&%J8
zRXwhhp)5IT(zY3@rfUeKftZ$I7f*|(hOkvCy12c*B|IZT_z>PRvjClSf-oC|SKR{H
zgRs?tkiUPW=)e)do3B=)4O)iFxBeAFlP~(HE8N?C!TTAYM|pHM_l653qi!-HAv;~%
z(LdODI2?DH2<lqdHs^b#LhJCG^0snCWW@>7ZW1GwPkL(*P#1p-?$C9HS6xhbZ93L{
zzKL5ufJLL}VWNo^*u-H=O~mpace#^V$*`4Je$#AEe6CG?)eE{8*tMQE%TL5Z8@z&6
zP^4e~QEmI~|B^M3OcrepWtBeD7qGOJFUsMFNacBa;l<Z6*|-*3N`KJ>!ag*#HCcy?
zf699s#fPYXD)%+%5sw-ex+_Fur#0i*2BR0Zh+`FK?<^q8nLvU1Mi`(<J~3BVl!?v4
zP7c{`zCEkS;!f29>n^tXyynQ5^m_1`K12&$p)S0r5~UI7A$^tLK8<WkXowbG4d`(+
zD}Kf%A(-zzeBq7p(x$ZCPtO59uK4?gmw~MinEpP0%fF!S<bpTAfg@0}>{8|S6rkTv
zf%$c~xzl8hH5h<UacTTh@oN;{!Dd0WLypjUR$hHi>QBrYZ^ZJVyMg!;KXCZvEGGDW
z)sFK2kUNsqO#EMSM*(f?L0OL<i`+=-;MSa`=Ivr4F%p{<Pn*4Bvh?>~)HJVdhV#mc
z=N6=!erq4L4qY}uRfAe3M@`E;C!m@>!3{r|19*^P$O!-yTPX9rpIg$%D*EIeQTvri
zWT_txA0Fzl*?`q{it*F1^I^`i;FaVMH^1EbVk-{RH0VuY+LCQ6U$yl&4(tVp>n*t*
zLrEVH#`Z>j(e9_wLU1ieUL)4HsMMQJ%nzZ;z!5kgk=~>(&y67`8$4l*IqJ!`nQkzx
z>mYBN_Hi8cP$OOUQmiv}?MJE&bMz+=J4lKEf#}U<z5o<L7}z>dahFT{iEk{L>EdT;
z=Pk#(^w%LYc(@9Eh7A-E&{D__{22u}U?@pX+42rJ`dUCYH!Qyfa=Qp_!-FEU*!1)m
zebC?et1ks|@)p-h4Q2i7VNhE**Qi@Br6#y?dZi;wT(nxyB?&I$)8ADEPR81tap&|0
zNUvQO=mrFba`grl8j=-@Qf&iAn26)}XT!HWz4G2CIP^{?%^Oj5nlEB7UNgyZK8?vw
zJ|9oUd6)o{-1q~ZUCrzkfkwJFn~y}QFqFYN1IzHsai?VYQrqZ_P`?g}K_23hR>@X$
zA&V1HD12s=bli)Cl7z6Pc5JX|Ga<lBe7~Evdb;Z!-hJXh72BQBv{>WA|3Ya&+VG$=
zaNsB>{g~{A*89cb%d58}@%|$wWPiSoSC`Q*kgl=)uyU3_w1&im6!y2f1aLHnU{i%`
zUVP;ZnM0S}g*8BuUa_Utro84zX1u#B^SA6EHKbu-bBBpRi{Uk#sNVh*77K_>ve~}|
zuJX8x`aXMlkfL`H!MWK@hwVNn#~`lM1tp4tkNCjugV0=lCg@S=kuAh}5e&Hwc{lA=
z3qKM?z>L8q^E0NRaic5=Kd8(|YZmNWcaG?Tv$CA%1L6MvugCshdIKM|qxv-{!2Hic
zf8f7*>i_Dm|8&+LQkaq1{(C3=-#cxPwp6`8*Y*9YcKm3lq0j$kcMagfFtb9G%e>Kl
zj||lC-0-iCeeg=3&EWVT&b$3*h}%g2Wy}Aan75ivI2%r(VOw=8W)9C~{Zly3Emrgg
zG4<pBu9p9*_|IO#-%<>|%q{mHh=tnbX{*a2)!4x#!EaeoDgv6gyPqnWbeJd~)$E+;
z0-RO)cToJK^DI!RJ?D)a^10aQ5P@<<eXe8rID@V2k2=L2LEyYrnBwPRvBGa_%;(In
z$8=>*oKgBw=?X(>!)1nQbJ2#XJ#`)W(<UIbUsOEqTbiLgDVFWOoB;i0Zlj{crH+fA
zE$yv7=?T4)=;`o`&F~tBg{a44vv;TGiZOUF`vZcH;HA(?=jZ1%moI{1N=1mGxLh|*
z(8J9d+zY^kjqfRJoPUg6Ix6PH<Oy61v(tVvRVeI!yl;C+P6*K18B|&ZyBm2QRvCkD
zs0BqHjT$AK^+YC0L$!I2=kx<)$?us)Hi}qq3l7PL@*{V!A_eX$=n}X}KAd4Qd!^D|
zDvg(R0g_yQm7{Z>WLg!4LZp%;ChS+F{)Q}^%%#?(+;A!PC1xnNm<Q+OL%NX+ra0B>
z;JN3Gr6Ckb21sP92Z}|Lb#sw!c)VNf<4)(8r?{}6!HYew1WpN6_>Lc<iHeANwC6#6
zkKVxctXs6ZsL>>I&<-*ZA<yW&t{#GAKrl>>vk`kjv8Jg(_(s`nfEzc2sXTce>1i}z
zVn0(aOqcNxPYlJotwVRkLeSBXY(5R{DinF6R!1VHL(XwMBul)L=&z@dkmUv=s&1L2
zNYgEDk6KJYTsx`56ipH#xZ3Ht-&eMonUP7*tB5sN?0KP_9JyIi8)ZekO!H-v0}?TP
zCg&tkuSY)4%FzUNq`mGSN^yjBdaVuaeMe%k!BQU<_=X&TPe>q_w$xFh3;(F*zZ~MX
z`2BA9XyW<&xxSWTDap~@gqj7edoh^iT;i3C%GAv;kO?M8-evsg0;@yr9#wiKhAoGt
zm-A`~RU?>Y+Vh;1k|V>GrzBgFM-QdZSPOdfd}0?P%oi3AOZJNHd|#2u^YU((CQLxE
zwO~GtD1?2-KDo60(nVvBPPnAnS#brDVSe7tLE87e>8HD3b=&5azngj6JV@S_fh$&#
zji8s8OjPzY7Bw*x&VT{d1K}m*Id$^bm$)wLlCyXAvl?0WU2WDhmaC0VzL6Ueo)gD6
z#I#K-8G<q7X0ZLIG*LYD3US+VVcoedik@3f(5lz(;1tP89E_)=l-YD<$bQ{cn+;eK
z;tFRKiB@aB@i!mgHM=sv2rFaxM8RsVQ=`vVMz9lO-myAVH&LK4kihXCTHM;gDs(+P
zGHu7BUB3FjQ9U-3kGsjDeG-@*m|Cm#F1CJ2N!T>#3#r<inN2UnpH^)inTf2M3Ece_
z%9ncI)MopDQetCy7)pk*<gl0jOl^qyH5w*9X4<rmH-!ghY~vL$-nTrN@z|I|1HJ3v
zh+r9_F89{I1~Lyr=xF{`9G0aeaO52^c|W{ux3fQ0TJpGJsHD(2ViU1>>SW~BI$r@g
zBIi-JC#D1r&0d*hg3L{LkMoLhIj$RwQcCR9XhGxCRuE%=!7M5b?lUgS3r5=aX;taO
zWah73Eslfy8MGiwwP_1S=V1n50}y_O5+#IddQ+JZ2+PlERs)~p-cQ+K&@9yjf&KZ7
z)#@Qxc*Vf(DT3-xi!=<!JQHguH;tv<WL~3}vso|J!dAV(_@;@SAMR-Q{Li>!R($WD
z&j-l=Y0E-wl7y%2UC6NKJN*<p#xSkxye6VLb&6t5q(0ew*B5x#Js}e`1iS}XKLS6$
zcc|Fi>ox5qkmY#%uFK=W*NlCIces69+Z}Sum6)2iIgEUh@}nXrpU(I4Mo8D@_YF6Z
zXLg?7o~QCbQ8&2}hmfO)X2-*(f)CY9_HWH`9BhfRE)x}Uj#H%-r06Z_@fBPBy)ule
zI7O{Rg%9n5KEiOrL#o!X!l=qWS$(M7!eKVqC%pb*$7t@<gTkbWy9uGq_aj1XW$}IM
z{xw2ZqVv*{=BPP4f0#>_W8p;KDcby|d;%@jT}q&AQdv05EMltYcLlNDMy!+Em`$37
z`*_is;N{l6J4*?lE@PSqVBPff)yIDJL0(JT6lFI&7XRW`ix`tV39{>kc(xSAwc^Ty
zr`g)2ql}op>`UH}i|!DFh#;Q&=idzLgk9;g%?Pbu!itfgB2Ltb7M(TCO0ux~iZ`7e
z%iz>~Gib4|3HFjy1yLn{FMjYkxut}BF&z>lPFDB`S(#7oY9~yloETh32e<_`(1rF1
z(o>kh0(ms{Vl1bJk8NydbFXFcw0>$lvExl8u-ei(Si}?Cnkk%C^TjI~?7qJZjZvmy
z&E)3ysLx>;K$e!(dSBmzQxuCG#*7i5ZqCttru<FN7OmK8ZQx3B$kM=cInG`KuvlD!
zMll^gCBARTFa9K9oJFr4ErON3h@%g^r{l8XV%s%V<^htCY&<JPGEt!!MZNDxV~92O
z_*}Q#S2CV~#<v-D#54VtN7($5ny|!RSthkDMj<faoM?IIm#WWE5*V~px2h9-y@Nm;
zW<{;sgH$jWc7_K5;!vr1I@)_^Uomd*O(too{%BqE<jmd~@<qg|IDV;1p<2PP#id@@
zv%*;?%3=`qfGu7h1QRFD9`zR|Yr3nElOwxigtTKn>3*&m@8RnzJ}oMs0L);JB<mru
zjH~ZZi_Jw~(tyZyaBzjMLtu`VQN9aG3AS=ahu{Hk|9K&+Ij088-v_~!s??34>5N@_
zX3wN}B?ccf@UB}t;|)CMFvaKOH*R+N_it;%wc$AGGF8u0Wck*C#@G|jK@>nPR6i$U
zoXH99yB&Vjfqkj4a@72visM3e2rDU>BGvL496&-QQRxCU-KruA8<MX<^fbLDU-|SF
z^2?!8?@2m;8J55g;6IhaIMm|jXz{@7f>RENPi*uUTR_vP3PtV%`9M>NhDa%>IfbE@
z2hCDVQx<GJqs(><cGIr3kY~Rxr`q=|c?|8_P}{h4ZpGNfM+foeZLp;YatmSwciFf}
zPMD<|f&XBzwLV9fScB;mE+U@(ieEV_K7tTfb3ej_NXoC`P||@wXKHqKwr4}EjxA46
z=zqjrIFj`)Yk{ro(@yM-(o02b{Df6Uc2`#C(6!t`|Esf$zO*g9Z|zOu87GJ}V)m+T
zE-o(w5sH+Mb*RjaEQhzD(QF|}8?_2I7qtT0D}0l-CJBC4tp57YtUMK;lGoamX=d*1
zn2!Ao+yLy{nA%<W>HP}|v!agj==*u=Ahuwl$YqYj(>J--c$Lw5Cc96;O_~@i4XG?1
zX``sOcntdyWD=NnY`A!6mbI3kFBjT)%Ece<$oTrtxMPIQ*k9dIFmgn{;|BHOu-gHP
zwwuP+@tfUV&#tHBgm6L51KCZ`)!+*AQzg<b=g#wru?F-4+oo7<99e6#V-%g4?~1S%
zdB}aa-@Ozc`W3IOebCsHB0BYxce)|M*_MHcLTM<xVA|(>WPq)wo7U(K^Y}{F;`(Q^
zQdDowl#oSDYCXX}|Af^}eu44WIKUb(*w~kw@!5pHqT%CDSDW3z<RACY7W%$HbOhoJ
zG-smEp{5=M3^>erVT;m!2~xf4EvgJyO>lMIAH^>kPReD&P#V>pA)v3-ElP@<V_I%U
z2?Dux?pa@qB}9VBW{ZI+bI}}y6sAfC6=#X@BdjAV5@8fBu}#rabBuroBDINoEES1m
z3JgT62AW>JAp^7sLet;N-4^nOS!N_o;yHoFQzde8fN%4(?}O$hdY5%wZe2uhJJWqB
zJkhVLIDCQ8<*E=OvWW?k%XCYT__EN>uC9pMuaT(zY>x~xI~jdlsQqeQzGJeY_pGe-
zi=~&(l9iWH7+xXR$yb?o_B@=bXU(fvAioS;eYtI`T{mTAWo^}ROf>xkdQ;%0f_pDw
z0CT;fN&5Yn(B_W~GCU~}X3g-Q>J{-R$(ZpKjIpl)OgbX=d+>#DFnj4>jg{Noi)9D7
zj*&c9hvY~4XgY*sXYRkZcT#1wa&$=Q3M}!^kH*Hl@BoR<hgr#9TKyuE@z|q2fi!Hx
z+v_PjFtpGy2U~=ltd<c#q6XI9-!ERoVSX`VN};DC>cPLH!#<^hnKYkO`+qM3(T}?;
z;g}zN65$aAx=j}U#9R^jsz`I<3Fj|0YtG+pL;D%sM!(>6kh^Ucz{HP0)Vdxl9Y}OU
zXjUBn8egSSaG6`epbv(vRgJjb29^s%eSvz$xZ`nBO5iw@Kg;I30PzLEObcv=!UI=C
zycd=>dfa&^RpHv=qJ{xd(Ql2GJcJ_RI=B%<i7GjL!PD5gHb@d*wcjxDF9xe8#80Ja
zn-6UG^<`9~FfkVyl1ruh3mKHVYp!JKHs)E>!(ml-xNT6VVcf#yV&oRvwakP6xbf|1
z|KX9OWsN1Opqc9U3dPj?xFbx#S-4#eacfu*=J&lGiK|l`9Z1aySAmVIj4A2<2cg=D
zR`Hs8O&h_DbfvLekgs5Nke<mG3T<+{E0-XrbT%pYqggY*36n$)SI|mV2h;9Epan^&
z!LLW$QMWNa!KNfv{|4i}_)CKFEt04NFHzYJTuz72jC~rpReS2{e+uT)U0s$KiNU0G
z_IpyLJ__Y^`Hdi2s2~p{ko3P8QA)PgM44<geri}5sCwO4PZ1v_<a-QWaWOWzBU!Ax
zyQ#FrA-z(S>ZxG;roYZX+iCq6ZfpCN{DM8;n4;gI6h1ptDB8uoayx}}4)fM60+;hu
z>XIurCcca}{<iRp)w*O2^(k1!NXoU!pGl-&dS94`G#phIC3QcU1WufD9{mbbh3b73
z3;S^>Xr@7<&5&8$ygr;}96LOKmW=f~pI3&t@SmO?7Kyf7Tn9z2<7kMUfGd5SM{*Dy
z%Cn`kJTUKeL=N$7r5d8QasY9<*<`s6NzB+4nqNMBvA>PIz9IR+p#FWm`okTS{<z}-
zDBxfCYiA8w_4hh!(5i}R@js6QAfC6%vZ|3sEwK=D^-e-&lPgL}%UFYt+Ss4qUtKAP
zl}$hqmz8TKL%7e*0dwIynP1D13xt5%!zu7JNa+uoHB6isvN!|5g};_qu7Q{|eII9M
zeu4tF$gcbJ&9aiDQXO4xw4Xp^ds3cXVQSgngE(rV2&$t6ieFXSGeWeB6N;bA(mml<
zELwYc7632{SmJi*v-b-!8MDyuHc+E@psauB$uu=~nv)NKm2}aUc$YG+miTQfaIX|Q
zgY25@*5zyy<PE60Qmv{bp_y_yq33yeT`>G;LmvDht)%rBjb(kvhm#tVa|{J`e;1)2
zt7H_=Q|t1Iy7h~mZ*+~H_~o<OmI@jPzAt+_y3J9dlT;tE`54p!TBSbd;szyx-UvG=
zsOl_k2&p2Euk3stt2tS77Spa>Hq1{I^l^Gl_nAvko~|{^#^2(03EzfWg=wEc*fNXW
z9KNc^e*R&E5B(`}NVcUWS8aNyRVir?6=?f{f^<Z!dA8KJ6U3_B;7l@HEcwHtF-wJY
z8Hv-C+1V6-?u^KQmiE-OzCH=LaoHxXa$JTbRx<(5bk4bmV%FN8Cc-9l7U&tYYE~T_
zieLlvpb0^7L8UpJjZP%v4U%Gk@X1AH;VO!5Z;=^A(k!RN)uldpF<MK#4h&=jMtmuz
z$<LQO)@v-Gl{IpX(0fPIPlyzI1F2RQ&mw6eMwC~Dr_Fr6eak`AVb4OOl|?8J)Rc)Z
z|HTURw;=VJ#g&xI`kuGU3*x4~;W}gTqMA`g!kH2cw@g|fLi`~oVe@AS()V<AdSguO
zyQ9m6K8mid(Z!S0dIQph@QRY&)w!bfwj~2YaF#K9S?rf{iS2-ZX*TvCwvl;4=fdVd
z;eOqNjw#X~{93ah<D}V>EYKyfA3<M>0QQfJrW|$je>l$n+C2LwM^pGPvspr{TokbA
znu+>AG|PwTSU|rZvC3th{*{tvZ5i_Z5*tjukn?kcmdH<>*W}hP(+arTZ(C_Y%z(&s
zxr$$m9VOE(Nh(Nb7`5Q-C<*Z}K)Kcu{cv3MFa?=^Z~hfzSkYBIu#~RuO=6-fpxwB8
zY_x!{tlH<*^?|wHk|}d?G=zn@ZuAv@$=S?(XW$vJJR2^Y^psep{bme}ja)7-n@o#(
ziAC~ViERZjin4(j$ZFdDssJ?YFPb_CYj?d!xAaKKPa(r2K~U#gPd>_Vy_1Vo2N8aQ
zvy9#bZOFIfEWOdsgc<UDx_t#BfAtr+@!1iu;2B`VnCj#u$>GN5DSJtOwLj0@9moY4
z7PFBT=1sIKd^~ty@6JpZm7E@9;+y^4Uq5cWwnQONB^7HFSE-=qB3Vz2x2h6(EFaKF
z!1JhXLfM{ubABbCTM8K;e~19{5Qwcr#vv6i^Q3g`iB1t9!UVAM+T8r^|BB7jt(pAk
zP@!l2#-i2RG*}i1SCvKu^ix9&Nk;M|B4k3r{TVRzmj`VQP;wey@qWo(e`9ex3<{}j
z4VYPevqzx3iv1m!rD4)|79o<jfJpjk38^mhqHX(<Hlmi^riwp{;xY`21TV<}x){_d
z$Vp69e{v<PWx_L~`c;sx)u4wB+)LLMJY0-s;4YQlTwVs<mILXlfG(ed{JZ0+7Wg>f
zd7E#jmR%7z_eB@Yr@cmIoIIx@V?0s~*PA4e80mRRoNjF42Nh_IXeIOKz*M58SG$=^
z%*^v<$)-YQACUN<yKX?&mSDDK$5v38k>l~fx+PH~uWt2-t@<~1axMRQa*MN<X6{S8
zd2W+5n2yH4DQ2&wC;Q@zPeBAI{qz)fk2;72&Kx{S#y4~~60eN<pNCO?jP%R!4gV_2
zJ0Ntz^Z2nXveF&abD%31zUaTRq=g`(wpK~qHQBR(?|is{X<PG9PHN$>c6Fen{p@;R
zxiRm>;Kg`WRi`)>#5mIL%%~(}ofiJN3bAdge0nJ(4PF<n%67CD^#twpJPoBMpGaU)
z1Dt>dP+8!gT0IRr#N%m!+8OFU6dPos*&z{urX?H`1G=&CwrV@RMmk`2tKRTtM%P|y
z9hWsImd2}?x8mbFgUK_qyL8!rluk1Ed3+JPODy>Lc%ljs?>pPFDQ8!GT3Pu_7Etut
zCPetR$EvgBnL0djm%s?r?C?nUxuf-0Yr9<>aiMj$aEqB!CJnc2(OZpDlui|}p*T^O
zULT*rEmS|+3cQDqX|RPlT#z4dt+4aBFJHNG5*|A`jL&;!+LUtfLv_<=wPYI?)uBGa
zppztXU?ERGgIOpKd!zO^eu~HUe!@=px&z4*RY6pwu<EdUSt5<RywxmN#K5Si?Smi5
zT|MQz&{V2Bck-E)2Gt<BEX;NtV*SxrHzRgnkg=-ib6C$dFzTvv9T(QwPy|<4qB8=H
zQJmG^=LgqV#$kgIIUcou{h`x}{Oqp}cdYy4j&Xmc_&)I0!95VIzc;uCqV*`P{cmGI
z-*6IM2|9$DpUwZ4CV`O#LqJFn@@38IId@a`Rdn;x8_KFcRJwglZ<%?Vi%c^S!3xun
z6on0{mopUtX{J@lgXPZ*LCdrjHo0^}7?i&qQ`)8}pD@YL=cd*&C0<E#xqLWhb@9Q+
zUce(zZ^{1r43bC<Yo&k*D%>+DuVsw0rCrvP)LK3GAqCSS@{wgex`yQ9Pj;VD(I1N_
zR65VTnHWnL4ejcP&@B$h!SDg)ZtmSrFSkIdYiNWNX&JDIqSb)~$wH!euO1fI8B)(=
zq6(ODKVdMFe`xTl=bPTMeVa&62EDt}UukB~);*qNtfkzJVEOqdqk|JJ9jFY3a8RE+
z6$lMBG;%83a(8_4je9HiHYeW+e43Oab7stUQ|>3yr%>%&S5}q*Mer_V38!Vzj!G`u
z<BA2&`~r?npEnY!VypR?yv&)86~dGQ18DsD41D0PMH_(h?-gwTQhiU&KSkSuW6*oY
zR|JlohDyF>HkyqNVG$aWp7hNRre7*xfR;ZjANUVU0e_Pzpw3m}4-;xs(?TA9OWsLQ
zgK7~$c!@YN2Ij1oIacBszDYbq58DqIU_nfDw==BKdlaa%jDFuSuW#$VfJnBCZ}osd
z(fezj8HLn%D&Z}IlG9e}S{-3Pp?KKlRufYJy~4$t$kVcRZ1JYg`N;jkjbW>tL$9jo
z=i_uY-VY%Ws$c-EKO#QxAB2$qO(EoE3F?1@^k`G-Q!rdr3J{o5SIBxJOOg9jZJ^V<
zl+}N5$?1XtwEysY;I9b;p!j<U1fU4U(EoP=y$TPQMS7R1jfOe|@CdEe?kPhHS)qQA
zS%iTBu>NG~2mXVw-M=Yp7pC$f7Vd^tyT|-XJ=i9*Ji#gv5;YtgbA66rNM15vX+XBM
z6O8ao^|;7a`5u&<vn9TN`tmx<!zF)4fFogD;&J9MuQ_}4vz^t~ZDpRNA)0b;n4QBK
z9z~Y$XRa{SdC>`Nsce04HB`l0I8Stj{S_#??^P8yGk*mYyAA>R%2u`z7m?L~FMdKN
z6VVW5C{|Q+UkA)h@e$4D^?rvF>fQLL$kJ00RVI3zUdzcml)T-n<v;_gKY>$GNA{2X
zck=6v-CVcan2vYqurQY50Yf<l6md`Kw=waAkM~p>^Uo{_L$Tt&7bRiH0wQP5IR&Gp
zQDQk4rn2tW0^$hP2ifE{7(nOG>VM!rL;&UAi~!1_7rB3v1%VP27(=619Hs)|R|4?d
zZG#h0)WA(X*jBl~0qTF4KJXtxfaGt60ExrVM+i82$zvH=3h}Lk_hB1f`qEcAjP6+T
GwEPdz3U`PA

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/quic/39264-rand.zeek b/testing/btest/scripts/base/protocols/quic/39264-rand.zeek
new file mode 100644
index 0000000000..7c0258ea0f
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/quic/39264-rand.zeek
@@ -0,0 +1,9 @@
+# @TEST-DOC: Regression test for #4847, QUIC packets with fixed_bit 0 are discarded.
+
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -r $TRACES/quic/quic-39264-rand.pcap base/protocols/quic
+# @TEST-EXEC: test ! -f analyzer.log || cat analyzer.log >&2
+# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff quic.log