From f1d69df1652ea61bc140ab2eeb49b6f5557c8f8c Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Tue, 12 Aug 2025 10:11:58 -0700
Subject: [PATCH] Pass DNS complete_flag along as a uint8_t instead of a String
---
 src/analyzer/protocol/dns/DNS.cc | 27 +++++++++++++++------------
 src/analyzer/protocol/dns/DNS.h | 3 ++-
 2 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index 9b1cf6acdc..77f2011a90 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -455,6 +455,19 @@ bool DNS_Interpreter::ExtractLabel(const u_char*& data, int& len, u_char*& name,
 return true;
 }
+uint8_t DNS_Interpreter::ExtractByte(const u_char*& data, int& len) {
+ if ( len < 1 )
+ return 0;
+
+ uint8_t val;
+ val = data[0];
+
+ ++data;
+ --len;
+
+ return val;
+}
+
 uint16_t DNS_Interpreter::ExtractShort(const u_char*& data, int& len) {
 if ( len < 2 )
 return 0;
@@ -1331,15 +1344,7 @@ bool DNS_Interpreter::ParseRR_BINDS(detail::DNS_MsgInfo* msg, const u_char*& dat
 unsigned int keyid = (keyid1 << 8) | keyid2;
- String* completeflag = ExtractStream(data, len, rdlength - 4);
-
- // We exposed the complete flag as a string to script land previously,
- // but there should only ever be a single byte, so raise a weird if
- // it is longer than that.
- //
- // https://bind9.readthedocs.io/en/latest/chapter5.html#monitoring-with-private-type-records
- if ( completeflag->Len() > 1 )
- analyzer->Weird("DNS_BINDS_complete_flag_length", util::fmt("%d", completeflag->Len()));
+ uint8_t completeflag = ExtractByte(data, len);
 if ( dns_BINDS ) {
 detail::BINDS_DATA binds;
@@ -1352,8 +1357,6 @@ bool DNS_Interpreter::ParseRR_BINDS(detail::DNS_MsgInfo* msg, const u_char*& dat
 msg->BuildBINDS_Val(&binds));
 }
- delete completeflag;
-
 return true;
 }
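Review bot: `ExtractByte` returns 0 when `len < 1` without advancing or reporting anything, so a caller cannot tell a truncated record from a genuine zero byte. `ExtractShort` in the trailing context follows the same convention, so the behaviour is consistent, but the contract should be stated on the function: `// Returns the next byte and advances data/len; returns 0 and leaves both untouched if no bytes remain, so callers that treat 0 as a valid value must check len first.` The separate declaration and assignment can also be merged into `uint8_t val = data[0];`.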
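Review bot: The new `ExtractByte(data, len)` call in ParseRR_BINDS always consumes exactly one byte, where the removed `ExtractStream` call consumed `rdlength - 4` bytes. For a record whose RDATA is longer than five bytes the surplus stays in `data`/`len`, and for one with exactly four bytes the call reads a byte that belongs to whatever follows. Unless the caller realigns on `rdlength` after this function returns (not visible here), later records in the same message would be parsed from the wrong offset. The `DNS_BINDS_complete_flag_length` weird is also dropped, so a malformed flag field no longer leaves a trace for analysts. I would keep the length check, report any length other than one, and skip the remainder as sketched below. The function starts and ends outside this hunk, so the type of `rdlength` and any earlier `rdlength < 4` guard are assumed.

```cpp
// … unchanged: algorithm / key id / removal flag extraction …
uint8_t completeflag = 0;
int flag_len = rdlength - 4;

// The complete flag is a single byte; anything else is malformed and worth reporting.
if ( flag_len != 1 )
    analyzer->Weird("DNS_BINDS_complete_flag_length", util::fmt("%d", flag_len));

if ( flag_len >= 1 ) {
    completeflag = ExtractByte(data, len);

    // Skip the rest of this record's RDATA so the next RR starts at the right offset.
    int extra = flag_len - 1;
    if ( extra > len )
        extra = len;

    data += extra;
    len -= extra;
}
// … unchanged: dns_BINDS event construction …
```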
@@ -1914,7 +1917,7 @@ RecordValPtr DNS_MsgInfo::BuildBINDS_Val(BINDS_DATA* binds) {
 r->Assign(2, binds->algorithm);
 r->Assign(3, binds->key_id);
 r->Assign(4, binds->removal_flag);
- r->Assign(5, binds->complete_flag->Len() > 0 ? binds->complete_flag->Bytes()[0] : 0);
+ r->Assign(5, binds->complete_flag);
 r->Assign(6, is_query);
 return r;
diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h
index 1e449eacc3..47a8ee1cd2 100644
--- a/src/analyzer/protocol/dns/DNS.h
+++ b/src/analyzer/protocol/dns/DNS.h
@@ -262,7 +262,7 @@ struct BINDS_DATA {
 unsigned short algorithm; // 8
 unsigned short key_id; // 16 : ExtractShort(data, len)
 unsigned short removal_flag; // 8
- String* complete_flag; // 8
+ uint8_t complete_flag; // 8
 };
 struct LOC_DATA {
@@ -353,6 +353,7 @@ protected:
 bool downcase = true);
 bool ExtractLabel(const u_char*& data, int& len, u_char*& label, int& label_len, const u_char* msg_start);
+ uint8_t ExtractByte(const u_char*& data, int& len);
 uint16_t ExtractShort(const u_char*& data, int& len);
 uint32_t ExtractLong(const u_char*& data, int& len);
 void ExtractOctets(const u_char*& data, int& len, String** p);