From a4d25c882870ee1517898896e02cc09a2821b623 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Mon, 18 Sep 2017 11:38:14 -0700
Subject: [PATCH] Make "in" keyword work with binary data.

This switches in from using strstr to use strnstr (implementation from FreeBSD on systems which do not bring their own implementation). It is especially likely that users come accross this when using the DATA_EVENT analyzer with files that contain binary data - the test uses exactly this case.
---
 src/Expr.cc | 5 ++---
 .../.stderr | 0
 .../.stdout | 3 +++
 .../scripts/base/files/data_event/basic.bro | 20 +++++++++++++++++++
 4 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.files.data_event.basic/.stderr
 create mode 100644 testing/btest/Baseline/scripts.base.files.data_event.basic/.stdout
 create mode 100644 testing/btest/scripts/base/files/data_event/basic.bro

diff --git a/src/Expr.cc b/src/Expr.cc
index 9927ca52ec..bea43ff7c4 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -4351,9 +4351,8 @@ Val* InExpr::Fold(Val* v1, Val* v2) const const BroString* s1 = v1->AsString(); const BroString* s2 = v2->AsString(); - // Could do better here - either roll our own, to deal with - // NULs, and/or Boyer-Moore if done repeatedly. - return new Val(strstr(s2->CheckString(), s1->CheckString()) != 0, TYPE_BOOL); + // Could do better here e.g. Boyer-Moore if done repeatedly. + return new Val(strstr_n(s2->Len(), s2->Bytes(), s1->Len(), reinterpret_cast(s1->CheckString())) != -1, TYPE_BOOL); } if ( v1->Type()->Tag() == TYPE_ADDR &&
diff --git a/testing/btest/Baseline/scripts.base.files.data_event.basic/.stderr b/testing/btest/Baseline/scripts.base.files.data_event.basic/.stderr
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/scripts.base.files.data_event.basic/.stdout b/testing/btest/Baseline/scripts.base.files.data_event.basic/.stdout
new file mode 100644
index 0000000000..ddfdf71f06
--- /dev/null
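Review bot: The two operands of the new `strstr_n` call are passed asymmetrically: the haystack uses `s2->Len()` with `s2->Bytes()`, but the needle pairs `s1->Len()` with a pointer obtained from `s1->CheckString()`, which is the NUL-terminated accessor the commit is moving away from. If CheckString() returns a substitute buffer for a string that contains an embedded NUL (its name suggests it validates rather than just returns the bytes — confirm against BroString), the length and the pointer no longer describe the same memory and the search can read past the end of the shorter buffer on script-controlled input. Using the raw bytes on both sides, `return new Val(strstr_n(s2->Len(), s2->Bytes(), s1->Len(), s1->Bytes()) != -1, TYPE_BOOL);`, keeps length and data consistent and also removes the cast, since the second argument already shows that Bytes() has the type strstr_n accepts. As rendered here the cast reads `reinterpret_cast(...)` with no template argument, which is presumably an extraction artifact, but it is worth checking the committed line compiles as intended. InExpr::Fold begins before this hunk and continues after it.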
+++ b/testing/btest/Baseline/scripts.base.files.data_event.basic/.stdout
@@ -0,0 +1,3 @@
+Found
+Found
+Found
diff --git a/testing/btest/scripts/base/files/data_event/basic.bro b/testing/btest/scripts/base/files/data_event/basic.bro
new file mode 100644
index 0000000000..2877155ebb
--- /dev/null
+++ b/testing/btest/scripts/base/files/data_event/basic.bro
@@ -0,0 +1,20 @@
+# Just a very basic test to check if ANALYZER_DATA_EVENT works.
+# Also check if "in" works with binary data.
+# @TEST-EXEC: bro -r $TRACES/pe/pe.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: btest-diff .stderr
+
+event stream_data(f: fa_file, data: string)
+ {
+ if ( "Windows" in data )
+ {
+ print "Found";
+ }
+ }
+
+event file_new (f: fa_file)
+ {
+ Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT,
+ [$stream_event=stream_data]);
+ }
+
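Review bot: The test only shows that `"Windows" in data` matches somewhere in the delivered chunks; nothing in the script or the baseline establishes that the match lies beyond an embedded NUL, so a regression back to a NUL-terminated search would still produce the same three `Found` lines whenever the marker precedes the first NUL in each chunk. The assumption should at least be recorded beside the header comment, e.g. `# Relies on the pe.trace chunks containing NULs before "Windows"; a NUL-terminated search would not find it.`, and a stronger variant would also exercise a needle that itself contains a NUL so both operands of the search are covered.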