From b9afc01d91a9948c222cca71551a75faa4f4d325 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Thu, 3 Mar 2016 15:52:34 -0500
Subject: [PATCH] Fixed a problem with file names and path names containing nulls. This would come up when a string is UTF-16 containing characters outside of straight ASCII. The file analysis framework uses CheckString to create file IDs which can't cope with the NULL bytes.
---
 scripts/base/protocols/smb/files.bro | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/scripts/base/protocols/smb/files.bro b/scripts/base/protocols/smb/files.bro
index e58e124307..ba11629daa 100644
--- a/scripts/base/protocols/smb/files.bro
+++ b/scripts/base/protocols/smb/files.bro
@@ -25,8 +25,11 @@ function get_file_handle(c: connection, is_orig: bool): string
 local file_name = current_file?$name ? current_file$name : "";
 # Include last_mod time if available because if a file has been modified it
 # should be considered a new file.
- local last_mod = current_file?$times ? current_file$times$modified : double_to_time(0.0);
- return cat(Analyzer::ANALYZER_SMB, c$id$orig_h, c$id$resp_h, path_name, file_name, last_mod);
+ local last_mod = cat(current_file?$times ? current_file$times$modified : double_to_time(0.0));
+ # TODO: This is doing hexdump to avoid problems due to file analysis handling
+ # using CheckString which is not immune to encapsulated null bytes.
+ # This needs to be fixed lower in the file analysis code later.
+ return hexdump(cat(Analyzer::ANALYZER_SMB, c$id$orig_h, c$id$resp_h, path_name, file_name, last_mod));
 }
 function describe_file(f: fa_file): string
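Review bot: The new `return hexdump(cat(...))` line still joins `path_name` and `file_name` with no separator before encoding, so two different pairs (path `a` with name `bc`, path `ab` with name `c`) give the same handle and file analysis would treat them as one file. Both strings come from the SMB peer, so the handle should be unambiguous on its own; a length prefix per field would do it, e.g. `cat(Analyzer::ANALYZER_SMB, c$id$orig_h, c$id$resp_h, |path_name|, ":", path_name, |file_name|, ":", file_name, last_mod)` inside the `hexdump()` call. The TODO comment should also say that the encoding is applied only in this SMB handle function, so any other caller that passes strings with embedded NUL bytes to the same file-ID code is presumably still affected until the lower-level fix lands. The start of `get_file_handle` is outside the hunk, so how `path_name` is built cannot be checked here.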