From e762efc9af449c4bce878ef4acff0fb549e95453 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Wed, 1 Feb 2023 12:27:40 +0100 Subject: [PATCH 1/5] cirrus: Run tests in a Debian 11 container, too --- .cirrus.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.cirrus.yml b/.cirrus.yml index 69f2c1077e..d72dd59869 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -187,6 +187,13 @@ debian11_task: << : *RESOURCES_TEMPLATE << : *CI_TEMPLATE +arm_debian11_task: + arm_container: + # Debian 11 EOL: June 2026 + dockerfile: ci/debian-11/Dockerfile + << : *RESOURCES_TEMPLATE + << : *CI_TEMPLATE + debian11_static_task: container: # Just use a recent/common distro to run a static compile test. @@ -527,6 +534,10 @@ container_image_manifest_docker_builder: - docker tag zeek/zeek-multiarch:amd64 zeekurity/zeek-multiarch:amd64 - ZEEK_IMAGE_REPO=zeekurity ./ci/container-images-tag-and-push.sh depends_on: + # Only push out the image if all the btests succeeded and the + # images have been built. + - arm_debian11 + - debian11 - arm64_container_image - amd64_container_image From 71bcd15d2eea0345667d7f3793ba9b3de278f527 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Wed, 1 Feb 2023 18:22:13 +0100 Subject: [PATCH 2/5] analyzer/http: Do not assume char is signed On aarch64, char is unsigned, so is_HTTP_token_char() allowed non-ASCII stuff with the high-bit set. Fixes part of #2742 --- src/analyzer/protocol/http/HTTP.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index 09bff23847..caaa6fca1c 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc 
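Review bot: The comment added above the new `depends_on` entries in the `container_image_manifest_docker_builder` hunk says "all the btests", but the two entries it adds gate the image push only on the `debian11` and `arm_debian11` tasks. Since this list decides when images are published, the comment should state exactly what is enforced, for example `# Only push out the image if the debian11 and arm_debian11 tasks succeeded and the images have been built.` The `depends_on` list may start or continue outside the hunk, so other gating tasks are not visible here.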
@@ -1186,9 +1186,9 @@ const char* HTTP_Analyzer::PrefixWordMatch(const char* line, const char* end_of_ return line; } -static bool is_HTTP_token_char(char c) +static bool is_HTTP_token_char(unsigned char c) { - return c > 31 && c != 127 && // CTL per RFC 2616. + return c > 31 && c < 127 && // Exclude non-ascii and DEL/CTL per RFC 2616 c != ' ' && c != '\t' && // Separators. c != '(' && c != ')' && c != '<' && c != '>' && c != '@' && c != ',' && c != ';' && c != ':' && c != '\\' && c != '"' && c != '/' && c != '[' && c != ']' && c != '?' && From c998cf697a02bb5f5e667411206eda477bd83dc0 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Thu, 2 Feb 2023 14:49:14 +0100 Subject: [PATCH 3/5] netbios_decode: use unsigned char for result The buf[i] < 3 condition in use previously allowed all chars (signed on x86) through that had the 0x80 high-bit set after reconstructing from the two bytes of the netbios name, resulting in escaped non-ascii content in the logs. Fixes more of #2742 --- src/analyzer/protocol/netbios/functions.bif | 4 ++-- testing/btest/Baseline/bifs.netbios-functions/out | 1 + testing/btest/bifs/netbios-functions.zeek | 4 +++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/src/analyzer/protocol/netbios/functions.bif b/src/analyzer/protocol/netbios/functions.bif index f841694914..b45fc2adf0 100644 --- a/src/analyzer/protocol/netbios/functions.bif +++ b/src/analyzer/protocol/netbios/functions.bif @@ -25,7 +25,7 @@ function decode_netbios_name%(name: string%): string if ( name->Len() != 32 ) return val_mgr->EmptyString(); - char buf[16]; + unsigned char buf[16]; const u_char* s = name->Bytes(); int i, j; int length = 0; @@ -68,7 +68,7 @@ function decode_netbios_name%(name: string%): string --length; } - return zeek::make_intrusive(length, buf); + return zeek::make_intrusive(length, (const char *)buf); %} ## Converts a NetBIOS name type to its corresponding numeric value. 
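Review bot: No regression test accompanies the `is_HTTP_token_char()` change in the visible patches, unlike the NetBIOS and Base64 patches in this series, which both add btest cases. The private testsuite bump in patch 5 may cover it, but that is not visible here. Because the old result depended on whether plain `char` is signed, a btest that feeds a token containing a byte >= 0x80 and shares one baseline across x86 and arm64 would keep the two platforms from diverging again. A short comment above the signature would also record the intent, for example `// unsigned char: bytes >= 0x80 must compare as 128..255 whether or not plain char is signed.` The function's return expression continues past the end of the hunk.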
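Review bot: The new return line in `decode_netbios_name` uses a C-style cast, `(const char *)buf`, where a named cast would make the pointer reinterpretation explicit and easy to grep for: `reinterpret_cast<const char*>(buf)`. The same applies to `(unsigned char)data[dlen]` and `(int)c` in the Base64.cc hunk of patch 4, which can be written as `static_cast<unsigned char>(data[dlen])` and `static_cast<int>(c)`. The function body starts before the first hunk and the decoding loop between the two hunks is not shown, so this note covers only the visible declaration and return lines.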
diff --git a/testing/btest/Baseline/bifs.netbios-functions/out b/testing/btest/Baseline/bifs.netbios-functions/out index f67f434df7..74496ebc89 100644 --- a/testing/btest/Baseline/bifs.netbios-functions/out +++ b/testing/btest/Baseline/bifs.netbios-functions/out @@ -11,3 +11,4 @@ 256, 0, 256, 0, 256, 0, +0, 0, diff --git a/testing/btest/bifs/netbios-functions.zeek b/testing/btest/bifs/netbios-functions.zeek index 402c06c07f..85f9f5c296 100644 --- a/testing/btest/bifs/netbios-functions.zeek +++ b/testing/btest/bifs/netbios-functions.zeek @@ -21,7 +21,9 @@ local encoded_names = vector( "cacacacacacacacacacacacacacacaca", # empty "abcd", # invalid length "~jfdebfeebfacacacacacacacacacaaa", # invalid alphabet - "0jfdebfeebfacacacacacacacacacaaa");# invalid alphabet + "0jfdebfeebfacacacacacacacacacaaa", # invalid alphabet + "lpejldmeebfacacacacacacacacacaaa", # non-ascii stuff +); for ( i in encoded_names ) decode_name(encoded_names[i]); From 5dc54fb40ec6efa7b3955c8e6aa49c14ad3c6cc4 Mon Sep 17 00:00:00 2001 
From: Arne Welzel Date: Thu, 2 Feb 2023 14:53:28 +0100 Subject: [PATCH 4/5] Base64: report byte as positive integer A baseline difference between arm64 and x86 showed up. We would print a wrong character as negative value on x86 due to chars being signed by default. Force an unsigned interpretation which is also more reasonable because we'd have never indexed the base64 table with -112 -XXXXXXXXXX.XXXXXX XXXXXXXXXXX 131.243.99.154 3288 193.159.183.138 80 base64_illegal_encoding character -112 ignored by Base64 decoding F zeek - +XXXXXXXXXX.XXXXXX XXXXXXXXXXX 131.243.99.154 3288 193.159.183.138 80 base64_illegal_encoding character 144 ignored by Base64 decoding F zeek - Fixes more of #2742 --- src/Base64.cc | 8 ++++---- testing/btest/Baseline/bifs.decode_base64_errors/out | 7 +++++++ testing/btest/bifs/decode_base64_errors.zeek | 11 +++++++++++ 3 files changed, 22 insertions(+), 4 deletions(-) create mode 100644 testing/btest/Baseline/bifs.decode_base64_errors/out create mode 100644 testing/btest/bifs/decode_base64_errors.zeek diff --git a/src/Base64.cc b/src/Base64.cc index 1cf3f1b924..b88c7dff60 100644 --- a/src/Base64.cc +++ b/src/Base64.cc @@ -184,17 +184,17 @@ int Base64Converter::Decode(int len, const char* data, int* pblen, char** pbuf) if ( dlen >= len ) break; - if ( data[dlen] == '=' ) + unsigned char c = (unsigned char)data[dlen]; + if ( c == '=' ) ++base64_padding; - int k = base64_table[(unsigned char)data[dlen]]; + int k = base64_table[c]; if ( k >= 0 ) base64_group[base64_group_next++] = k; else { if ( ++errored == 1 ) - IllegalEncoding( - util::fmt("character %d ignored by Base64 decoding", (int)(data[dlen]))); + IllegalEncoding(util::fmt("character %d ignored by Base64 decoding", (int)c)); } ++dlen; diff --git a/testing/btest/Baseline/bifs.decode_base64_errors/out b/testing/btest/Baseline/bifs.decode_base64_errors/out new file mode 100644 index 0000000000..6fd2476e2f --- /dev/null +++ b/testing/btest/Baseline/bifs.decode_base64_errors/out 
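Review bot: The new local `c` in `Base64Converter::Decode` is never modified after it is initialised, and nothing next to it says why the byte is read as unsigned. Declaring it `const unsigned char c` and adding `// Read the byte as unsigned so it indexes base64_table and is reported as 0..255 on every platform.` would keep the reason beside the code rather than only in the commit message. The loop that encloses these lines starts and ends outside the hunk.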
@@ -0,0 +1,7 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +error: character 94 ignored by Base64 decoding +error: error in decoding string ^#@!@##$!=== +error: character 237 ignored by Base64 decoding +error: error in decoding string ноп=== +PASS +PASS diff --git a/testing/btest/bifs/decode_base64_errors.zeek b/testing/btest/bifs/decode_base64_errors.zeek new file mode 100644 index 0000000000..0becccb09b --- /dev/null +++ b/testing/btest/bifs/decode_base64_errors.zeek @@ -0,0 +1,11 @@ +# @TEST-EXEC: zeek -b %INPUT >out 2>&1 +# @TEST-EXEC: btest-diff out + +event zeek_init() + { + local r1 = decode_base64("^#@!@##$!==="); + print |r1| > 0 ? "FAIL" : "PASS"; + + local r2 = decode_base64("\xed\xee\xef==="); + print |r2| > 0 ? "FAIL" : "PASS"; + } From bbe0a86d4a39d06e79508c33614ae692c5a9f084 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Thu, 2 Feb 2023 15:54:40 +0100 Subject: [PATCH 5/5] Bump private testsuite for char handling fixes --- testing/external/commit-hash.zeek-testing-private | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private index aaaa01bdc4..317ea4eca1 100644 --- a/testing/external/commit-hash.zeek-testing-private +++ b/testing/external/commit-hash.zeek-testing-private @@ -1 +1 @@ -7bbcd06c50dc5bcae3533842c302c617ac5f1852 +1398bb268de5ac6dbb4b12df2707f148bc046202