Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Pass DNS complete_flag along as a uint8_t instead of a String

Browse source
This commit is contained in:
Tim Wojtulewicz 2025-08-12 10:11:58 -07:00
parent 73c9a1f3d9
commit f1d69df165
2 changed files with 17 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

27
src/analyzer/protocol/dns/DNS.cc
View file

@ -455,6 +455,19 @@ bool DNS_Interpreter::ExtractLabel(const u_char*& data, int& len, u_char*& name,
return true; return true;
} }
uint8_t DNS_Interpreter::ExtractByte(const u_char*& data, int& len) {
if ( len < 1 )
return 0;
uint8_t val;
val = data[0];
++data;
--len;
return val;
}
uint16_t DNS_Interpreter::ExtractShort(const u_char*& data, int& len) { uint16_t DNS_Interpreter::ExtractShort(const u_char*& data, int& len) {
if ( len < 2 ) if ( len < 2 )
return 0; return 0;
@ -1331,15 +1344,7 @@ bool DNS_Interpreter::ParseRR_BINDS(detail::DNS_MsgInfo* msg, const u_char*& dat
unsigned int keyid = (keyid1 << 8) | keyid2; unsigned int keyid = (keyid1 << 8) | keyid2;
String* completeflag = ExtractStream(data, len, rdlength - 4); uint8_t completeflag = ExtractByte(data, len);
// We exposed the complete flag as a string to script land previously,
// but there should only ever be a single byte, so raise a weird if
// it is longer than that.
//
// https://bind9.readthedocs.io/en/latest/chapter5.html#monitoring-with-private-type-records
if ( completeflag->Len() > 1 )
analyzer->Weird("DNS_BINDS_complete_flag_length", util::fmt("%d", completeflag->Len()));
if ( dns_BINDS ) { if ( dns_BINDS ) {
detail::BINDS_DATA binds; detail::BINDS_DATA binds;
@ -1352,8 +1357,6 @@ bool DNS_Interpreter::ParseRR_BINDS(detail::DNS_MsgInfo* msg, const u_char*& dat
msg->BuildBINDS_Val(&binds)); msg->BuildBINDS_Val(&binds));
} }
delete completeflag;
return true; return true;
} }
@ -1914,7 +1917,7 @@ RecordValPtr DNS_MsgInfo::BuildBINDS_Val(BINDS_DATA* binds) {
r->Assign(2, binds->algorithm); r->Assign(2, binds->algorithm);
r->Assign(3, binds->key_id); r->Assign(3, binds->key_id);
r->Assign(4, binds->removal_flag); r->Assign(4, binds->removal_flag);
r->Assign(5, binds->complete_flag->Len() > 0 ? binds->complete_flag->Bytes()[0] : 0); r->Assign(5, binds->complete_flag);
r->Assign(6, is_query); r->Assign(6, is_query);
return r; return r;

3
src/analyzer/protocol/dns/DNS.h
View file

@ -262,7 +262,7 @@ struct BINDS_DATA {
unsigned short algorithm; // 8 unsigned short algorithm; // 8
unsigned short key_id; // 16 : ExtractShort(data, len) unsigned short key_id; // 16 : ExtractShort(data, len)
unsigned short removal_flag; // 8 unsigned short removal_flag; // 8
String* complete_flag; // 8 uint8_t complete_flag; // 8
}; };
struct LOC_DATA { struct LOC_DATA {
@ -353,6 +353,7 @@ protected:
bool downcase = true); bool downcase = true);
bool ExtractLabel(const u_char*& data, int& len, u_char*& label, int& label_len, const u_char* msg_start); bool ExtractLabel(const u_char*& data, int& len, u_char*& label, int& label_len, const u_char* msg_start);
uint8_t ExtractByte(const u_char*& data, int& len);
uint16_t ExtractShort(const u_char*& data, int& len); uint16_t ExtractShort(const u_char*& data, int& len);
uint32_t ExtractLong(const u_char*& data, int& len); uint32_t ExtractLong(const u_char*& data, int& len);
void ExtractOctets(const u_char*& data, int& len, String** p); void ExtractOctets(const u_char*& data, int& len, String** p);