From a391367c3664ea36345bc17831a10b21b8f5b177 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Thu, 27 Jul 2023 13:35:41 +0100
Subject: [PATCH] Do not forward more than the remaining data to downstream UDP analyzer
This fixes a bug introduced in 2b9de839b0948c7de3eb5ed4a397194f96aae6b5 / GH-3080, which causes UDP padding to be sent to UDP based analyzers. Fixes GH-3205.
---
 src/packet_analysis/protocol/udp/UDP.cc | 2 +-
 .../btest/Baseline/core.udp-padding/syslog.log | 15 +++++++++++++++
 .../btest/Traces/fake-syslog-with-padding.pcap | Bin 0 -> 404 bytes
 3 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 testing/btest/Baseline/core.udp-padding/syslog.log
 create mode 100644 testing/btest/Traces/fake-syslog-with-padding.pcap
diff --git a/src/packet_analysis/protocol/udp/UDP.cc b/src/packet_analysis/protocol/udp/UDP.cc
index 1200cd2f49..f1cb7b5d82 100644
--- a/src/packet_analysis/protocol/udp/UDP.cc
+++ b/src/packet_analysis/protocol/udp/UDP.cc
@@ -226,7 +226,7 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 ForwardPacket(std::min(len, remaining), data, pkt, ntohs(c->RespPort()));
 // Forward any data through session-analysis, too.
- adapter->ForwardPacket(remaining, data, is_orig, -1, ip.get(), pkt->cap_len);
+ adapter->ForwardPacket(std::min(len, remaining), data, is_orig, -1, ip.get(), pkt->cap_len);
 }
 bool UDPAnalyzer::ValidateChecksum(const IP_Hdr* ip, const udphdr* up, int len)
diff --git a/testing/btest/Baseline/core.udp-padding/syslog.log b/testing/btest/Baseline/core.udp-padding/syslog.log
new file mode 100644
index 0000000000..820e9d2ba0
--- /dev/null
+++ b/testing/btest/Baseline/core.udp-padding/syslog.log
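Review bot: The clamp `std::min(len, remaining)` is now spelled out separately in the two forwarding calls at the end of `DeliverPacket` in UDP.cc, and the bug fixed here was exactly those two length arguments drifting apart. Computing it once, e.g. `const int fwd_len = std::min(len, remaining);` with a comment such as `// never hand trailing padding beyond the UDP payload to analyzers`, and passing `fwd_len` to both `ForwardPacket` and `adapter->ForwardPacket` keeps the packet-analysis and session-analysis paths on the same byte range. The body of `DeliverPacket` starts outside this hunk, so it is not visible whether `len` and `remaining` are guaranteed non-negative by this point. If nothing earlier enforces that, a lower-bound check before forwarding would be worth adding, because the result is passed downstream together with a pointer into the packet data.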
@@ -0,0 +1,15 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path syslog +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto facility severity message +#types time string addr port addr port enum string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.229.152.216 39887 192.150.187.42 514 udp UNSPECIFIED UNSPECIFIED X +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.229.152.216 39887 192.150.187.42 514 udp UNSPECIFIED UNSPECIFIED X +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.229.152.216 39887 192.150.187.42 514 udp UNSPECIFIED UNSPECIFIED X +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.229.152.216 39887 192.150.187.42 514 udp UNSPECIFIED UNSPECIFIED X +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 169.229.152.216 39887 192.150.187.42 514 udp UNSPECIFIED UNSPECIFIED X +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Traces/fake-syslog-with-padding.pcap b/testing/btest/Traces/fake-syslog-with-padding.pcap new file mode 100644 index 0000000000000000000000000000000000000000..8afe04eb9cff6f28ebb5cc36dd070311a603fb80 GIT binary patch literal 404 zcmca|c+)~A1{MYcU}0bca!$n@O3_`<#b5(ugRsxd{%(g-39ZZeq8~UITp1W-r|LN{ zSO~sXTKROwjRVtmYt25-#Kgeq-5r52>f5_M5Qhk}birmR<2EZKrgS&RtkXbu&0mMt zUHV|N6mgqn;N8IuGV2V`EGGPZGyt2WfZMFY3f}`jW}O9^Rk8!Gy9~i*$>TBW?)fPo FvjB68Z`%L> literal 0 HcmV?d00001