Merge remote-tracking branch 'origin/topic/vlad/rdp_bluekeep'

* origin/topic/vlad/rdp_bluekeep:
  RDP: Add weird if specification violated for max channels allowed.

CHANGES

@@ -1,4 +1,8 @@
 
+2.6-354 | 2019-05-29 09:46:19 -0700
+
+  * Add weird: "RDP_channels_requested_exceeds_max" (Vlad Grigorescu)
+
 2.6-352 | 2019-05-28 17:57:36 -0700
 
   * Reduce data copying in Broker message processing (Jon Siwek, Corelight)

NEWS

@@ -80,7 +80,8 @@ New Functionality
   also allowed when specifying patterns used in signature files.
 
 - Add a new "client_channels" field to rdp.log based on data parsed from
-  the Client Network Data (TS_UD_CS_NET) packet.
+  the Client Network Data (TS_UD_CS_NET) packet.  The channel list is also
+  available in a new event, "rdp_client_network_data".
 
 Changed Functionality
 ---------------------

VERSION

@@ -1 +1 @@
-2.6-352
+2.6-354

doc

@@ -1 +1 @@
-Subproject commit 6473776663085c9a72c875d3df6d3c3db05cf0e3
+Subproject commit 4415d43650f0dd2039f639c814a95d10deac8422

scripts/base/protocols/rdp/main.zeek

@@ -201,6 +201,9 @@ event rdp_client_network_data(c: connection, channels: ClientChannelList)
 	for ( i in channels )
 		# Remove the NULs at the end
 		c$rdp$client_channels[i] = gsub(channels[i]$name, /\x00+$/, "");
+
+	if ( |channels| > 31 )
+		Reporter::conn_weird("RDP_channels_requested_exceeds_max", c, fmt("%s", |channels|));
 	}
 
 event rdp_gcc_server_create_response(c: connection, result: count) &priority=5