Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

file_analysis/File: Report overflowing chunks as weird and discard/truncate

Browse source 
This is one level above the Reassembler where we still have information
about the file and source. A weird entry may looks as follows:

    1679759398.237353  ... file_offset_overflow    FXPLGt4SeMmlMKahJc: offset=fffffffffffffff7 len=10      F       zeek    HTTP
This commit is contained in:
Arne Welzel 2023-03-27 15:12:27 +02:00
parent ea80f21e1d
commit fbdc433386
1 changed files with 10 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

10
src/file_analysis/File.cc
View file

@ -2,6 +2,7 @@
#include "zeek/file_analysis/File.h" #include "zeek/file_analysis/File.h"
#include <limits>
#include <utility> #include <utility>
#include "zeek/Event.h" #include "zeek/Event.h"
@ -431,6 +432,15 @@ void File::DeliverStream(const u_char* data, uint64_t len)
void File::DeliverChunk(const u_char* data, uint64_t len, uint64_t offset) void File::DeliverChunk(const u_char* data, uint64_t len, uint64_t offset)
{ {
if ( std::numeric_limits<uint64_t>::max() - offset < len )
{
reporter->Weird(this, "file_offset_overflow",
zeek::util::fmt("offset=%" PRIx64 " len=%" PRIx64, offset, len),
GetSource().c_str());
len = std::numeric_limits<uint64_t>::max() - offset;
}
// Potentially handle reassembly and deliver to the stream analyzers. // Potentially handle reassembly and deliver to the stream analyzers.
if ( file_reassembler ) if ( file_reassembler )
{ {