From 96f7226b52189683f7055ea83e27617a438d8e24 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Thu, 4 Jun 2020 10:26:23 -0700
Subject: [PATCH] GH-999: Stop formatting DHCP Client ID Hardware Type 0 as MAC

For `DHCP::ClientID$hwtype` fields equal to 0, the `hwaddr` field is no longer misformatted as a MAC and instead just contains the raw bytes seen in the DHCP Client ID Option.
---
 src/analyzer/protocol/dhcp/dhcp-options.pac | 11 ++++++++++-
 .../scripts.base.protocols.dhcp.hw-type0/out | 1 +
 testing/btest/Traces/dhcp/hw-type0.pcap | Bin 0 -> 658 bytes
 .../scripts/base/protocols/dhcp/hw-type0.zeek | 16 ++++++++++++++++
 4 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.dhcp.hw-type0/out
 create mode 100644 testing/btest/Traces/dhcp/hw-type0.pcap
 create mode 100644 testing/btest/scripts/base/protocols/dhcp/hw-type0.zeek

diff --git a/src/analyzer/protocol/dhcp/dhcp-options.pac b/src/analyzer/protocol/dhcp/dhcp-options.pac
index 0560f3cdc9..b572f297b3 100644
--- a/src/analyzer/protocol/dhcp/dhcp-options.pac
+++ b/src/analyzer/protocol/dhcp/dhcp-options.pac
@@ -627,7 +627,16 @@ refine flow DHCP_Flow += {
 %{
 auto client_id = make_intrusive(zeek::BifType::Record::DHCP::ClientID);
 client_id->Assign(0, val_mgr->Count(${v.client_id.hwtype}));
- client_id->Assign(1, make_intrusive(fmt_mac(${v.client_id.hwaddr}.begin(), ${v.client_id.hwaddr}.length())));
+ IntrusivePtr sv;
+
+ if ( ${v.client_id.hwtype} == 0 )
+ sv = make_intrusive(${v.client_id.hwaddr}.length(),
+ (const char*)${v.client_id.hwaddr}.begin());
+ else
+ sv = make_intrusive(fmt_mac(${v.client_id.hwaddr}.begin(),
+ ${v.client_id.hwaddr}.length()));
+
+ client_id->Assign(1, std::move(sv));
 ${context.flow}->options->Assign(19, std::move(client_id));
diff --git a/testing/btest/Baseline/scripts.base.protocols.dhcp.hw-type0/out b/testing/btest/Baseline/scripts.base.protocols.dhcp.hw-type0/out
new file mode 100644
index 0000000000..041d527cdf
--- /dev/null
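Review bot: The raw-bytes branch in the new `if ( ${v.client_id.hwtype} == 0 )` covers only type 0, so a Client ID carrying any other non-Ethernet type — e.g. 255, which RFC 4361 defines for DUID-based identifiers — still goes through `fmt_mac()` and is rendered as a MAC, leaving the misformatting this commit fixes for type 0 in place for those values unless `fmt_mac()` is known to cope with arbitrary lengths. A tighter condition is to format as a MAC only for the Ethernet hardware type and fall back to the raw bytes otherwise: `if ( ${v.client_id.hwtype} == 1 )`, with the two assignments swapped. Either way `hwaddr` now holds one of two encodings, a formatted MAC string or the verbatim, attacker-controlled option bytes, so consumers of the field (the dhcp log, scripts that compare it against MACs) should treat it as opaque unless `hwtype` says otherwise, and a comment at the branch would make that explicit: `// hwtype 0 is not a hardware address (RFC 2132 §9.14): keep the raw option bytes instead of a MAC string.` The enclosing binpac `%{ ... %}` block and the function it belongs to begin and end outside the hunk.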
+++ b/testing/btest/Baseline/scripts.base.protocols.dhcp.hw-type0/out
@@ -0,0 +1 @@
+dhcp client_id option, [hwtype=0, hwaddr=cisco-cc00.0ac4.0000-Fa0/0]
diff --git a/testing/btest/Traces/dhcp/hw-type0.pcap b/testing/btest/Traces/dhcp/hw-type0.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..c8f314f784e3c78abb7a97c89d4699ab12ced92e
GIT binary patch literal 658 zcmca|c+)~A1{MZ5P+(wS1ai*W9P%oxXJE);g5WcZTt^rf&M<&T4hB~SrWgip28REF z7KR5_Ffao#BZCWrGm{4|6C)!VP`_vl$V8AFh=u`(ei(1))5%T2$)=3VmP{-Sw$cpA nZ?QZy2;4~26_gG$tHRRK%ncEXrOOk3<_Wy9;P4za}Gu}ejR4TY1;pXzV~V30|1VD BAmac4 literal 0 HcmV?d00001
diff --git a/testing/btest/scripts/base/protocols/dhcp/hw-type0.zeek b/testing/btest/scripts/base/protocols/dhcp/hw-type0.zeek
new file mode 100644
index 0000000000..2ac4cb8f6a
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dhcp/hw-type0.zeek
@@ -0,0 +1,16 @@
+# @TEST-EXEC: zeek -b -r $TRACES/dhcp/hw-type0.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+const ports = { 67/udp, 68/udp };
+redef likely_server_ports += { 67/udp };
+
+event zeek_init() &priority=5
+ {
+ Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
+ }
+
+event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
+ {
+ if ( options?$client_id )
+ print "dhcp client_id option", options$client_id;
+ }