ftp: Do not base seq on number of pending commands

Previously, seq was computed as the result of |pending_commands|+1. This opened the possibility to override queued commands, as well as logging the same pending ftp reply multiple times. For example, when commands 1, 2, 3 are pending, command 1 may be dequeued, but the incoming command then receives seq 3 and overrides the already pending command 3. The second scenario happens when ftp_reply() selected command 3 as pending for logging, but is then followed by many ftp_request() events. This resulted in command 3's response being logged for every following ftp_request() over and over again. Avoid both scenarios by tracking the command sequence as an absolute counter.
2025-10-02 14:48:21 +00:00 · 2023-08-29 17:52:12 +02:00 · 2023-08-29 17:52:12 +02:00 · ce4cbac1ef
commit ce4cbac1ef
parent a5b94f04fd
4 changed files with 8 additions and 4 deletions
--- a/scripts/base/protocols/ftp/info.zeek
+++ b/scripts/base/protocols/ftp/info.zeek
@ -64,6 +64,9 @@ export {
 		## to are tracked here.
 		pending_commands:   PendingCmds;

+		## Sequence number of previous command.
+		command_seq:        count &default=0;
+
 		## Indicates if the session is in active or passive mode.
 		passive:            bool &default=F;

--- a/scripts/base/protocols/ftp/main.zeek
+++ b/scripts/base/protocols/ftp/main.zeek
@ -165,7 +165,7 @@ function set_ftp_session(c: connection)
 		Conn::register_removal_hook(c, finalize_ftp);

 		# Add a shim command so the server can respond with some init response.
-		add_pending_cmd(c$ftp$pending_commands, "<init>", "");
+		add_pending_cmd(c$ftp$pending_commands, ++c$ftp$command_seq, "<init>", "");
 		}
 	}

@ -270,7 +270,7 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5

 	# Queue up the new command and argument
 	if ( |c$ftp$pending_commands| < max_pending_commands )
-		add_pending_cmd(c$ftp$pending_commands, command, arg);
+		add_pending_cmd(c$ftp$pending_commands, ++c$ftp$command_seq, command, arg);
 	else
 		Reporter::conn_weird("FTP_too_many_pending_commands", c,
 				     cat(|c$ftp$pending_commands|), "FTP");
--- a/scripts/base/protocols/ftp/utils-commands.zeek
+++ b/scripts/base/protocols/ftp/utils-commands.zeek
@ -78,9 +78,9 @@ export {
 	};
 }

-function add_pending_cmd(pc: PendingCmds, cmd: string, arg: string): CmdArg
+function add_pending_cmd(pc: PendingCmds, seq: count, cmd: string, arg: string): CmdArg
 	{
-	local ca = [$cmd = cmd, $arg = arg, $seq=|pc|+1, $ts=network_time()];
+	local ca = [$cmd = cmd, $arg = arg, $seq=seq, $ts=network_time()];
 	pc[ca$seq] = ca;

 	return ca;
--- a/testing/btest/Baseline/coverage.record-fields/out.default
+++ b/testing/btest/Baseline/coverage.record-fields/out.default
@ -162,6 +162,7 @@ connection {
              * ts: time, log=F, optional=F
             }
        * command: string, log=T, optional=T
+        * command_seq: count, log=F, optional=T
        * cwd: string, log=F, optional=T
        * data_channel: record FTP::ExpectedDataChannel, log=T, optional=T
            FTP::ExpectedDataChannel {