bifs/parse_eftp: Prevent reporter warnings/errors on invalid input

When passing invalid IPs or an out-of range port to parse_eftp() a warning or error was generated on stderr (in addition to setting the $valid field to F). Prevent the output by adding safe-guarding and using IPAddr::ConvertString() instead.
2025-10-02 06:38:20 +00:00 · 2023-01-16 15:16:29 +01:00 · 2023-01-16 15:16:29 +01:00 · eb09662d48
commit eb09662d48
parent d4a84e7442
3 changed files with 21 additions and 8 deletions
--- a/src/analyzer/protocol/ftp/functions.bif
+++ b/src/analyzer/protocol/ftp/functions.bif
@ -87,12 +87,10 @@ static zeek::ValPtr parse_eftp(const char* line)
 					}

 				std::string s(line, nptr-line); // extract IP address
-				zeek::IPAddr tmp(s);
-				// on error, "tmp" will have all 128 bits zero
-				if ( tmp == addr )
-					good = 0;
-
-				addr = tmp;
+				struct in6_addr result;
+				good = zeek::IPAddr::ConvertString(s.c_str(), &result) ? 1 : 0;
+				if ( good )
+					addr = zeek::IPAddr(result);
 				}

 			line = strchr(line, delimiter);
@ -103,8 +101,13 @@ static zeek::ValPtr parse_eftp(const char* line)
 				port = strtol(line, &next_delim, 10);
 				if ( *next_delim != delimiter )
 					good = 0;
-				}

+				if ( port < 0 || port > 65535 )
+					{
+					port = 0;
+					good = 0;
+					}
+				}
 			}

 		}
--- a/testing/btest/Baseline/bifs.parse_ftp/out
+++ b/testing/btest/Baseline/bifs.parse_ftp/out
@ -2,5 +2,9 @@
 [h=192.168.0.2, p=257/tcp, valid=T]
 [h=192.168.0.2, p=257/tcp, valid=T]
 [h=fe80::12, p=1234/tcp, valid=T]
+[h=::, p=257/tcp, valid=F]
+[h=::, p=1234/tcp, valid=F]
+[h=192.168.0.2, p=0/tcp, valid=F]
+[h=192.168.0.2, p=0/tcp, valid=F]
 [h=192.168.0.2, p=257/tcp, valid=T]
 [h=::, p=1234/tcp, valid=T]
--- a/testing/btest/bifs/parse_ftp.zeek
+++ b/testing/btest/bifs/parse_ftp.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: zeek -b %INPUT >out
+# @TEST-EXEC: zeek -b %INPUT >out 2>&1
 # @TEST-EXEC: btest-diff out

 event zeek_init()
@ -9,6 +9,12 @@ event zeek_init()
 	print parse_eftp_port("|1|192.168.0.2|257|");
 	print parse_eftp_port("|2|fe80::12|1234|");

+	print parse_eftp_port("|1|192.168.0.313|257|");
+	print parse_eftp_port("|2|fe80::gg|1234|");
+
+	print parse_eftp_port("|1|192.168.0.2|-1|");
+	print parse_eftp_port("|2|192.168.0.2|131072|");
+
 	print parse_ftp_pasv("227 Entering Passive Mode (192,168,0,2,1,1)");

 	print parse_ftp_epsv("229 Entering Extended Passive Mode (|||1234|)");