From fc78b14cd7795800bb2f96429d59f730a0aaf96e Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Wed, 3 May 2023 10:34:23 -0700
Subject: [PATCH] Add length checking to ToRawPktHdrVal for truncated packets
---
 src/iosource/Packet.cc | 14 ++++++++++++--
 .../btest/Baseline/core.raw-truncation/weird.log | 11 +++++++++++
 testing/btest/core/raw-truncation.zeek | 11 +++++++++++
 3 files changed, 34 insertions(+), 2 deletions(-)
 create mode 100644 testing/btest/Baseline/core.raw-truncation/weird.log
 create mode 100644 testing/btest/core/raw-truncation.zeek
diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc
index 0a17a78968..cd3aa4fb5d 100644
--- a/src/iosource/Packet.cc
+++ b/src/iosource/Packet.cc
@@ -117,8 +117,18 @@ RecordValPtr Packet::ToRawPktHdrVal() const
 // Ethernet header layout is:
 // dst[6bytes] src[6bytes] ethertype[2bytes]...
 l2_hdr->Assign(0, BifType::Enum::link_encap->GetEnumVal(BifEnum::LINK_ETHERNET));
- l2_hdr->Assign(3, FmtEUI48(data + 6)); // src
- l2_hdr->Assign(4, FmtEUI48(data)); // dst
+
+ // FmtEUI48 needs at least 6 bytes to print out the mac address, plus 6 bytes for
+ // skipping over the destination address.
+ if ( cap_len >= 12 )
+ l2_hdr->Assign(3, FmtEUI48(data + 6)); // src
+ else
+ l2_hdr->Assign(3, "00:00:00:00:00:00");
+
+ if ( cap_len >= 6 )
+ l2_hdr->Assign(4, FmtEUI48(data)); // dst
+ else
+ l2_hdr->Assign(4, "00:00:00:00:00:00");
 
 if ( vlan )
 l2_hdr->Assign(5, vlan);
diff --git a/testing/btest/Baseline/core.raw-truncation/weird.log b/testing/btest/Baseline/core.raw-truncation/weird.log
new file mode 100644
index 0000000000..92120b6cc6
--- /dev/null
+++ b/testing/btest/Baseline/core.raw-truncation/weird.log
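Review bot: The fallback `"00:00:00:00:00:00"` in both `else` branches of the Packet.cc hunk is a well-formed MAC, so a script handling `raw_packet` cannot tell a truncated capture from a frame that really carried an all-zero address. If fields 3 and 4 of the l2_hdr record are declared optional (the record definition is not visible here), leaving them unset when `cap_len` is too short would carry the truncation through to consumers, e.g. `if ( cap_len >= 12 ) l2_hdr->Assign(3, FmtEUI48(data + 6));` with no `else`. If the placeholder has to stay, hoisting the literal and the 6/12 bounds into named constants would keep the two checks from drifting apart. ToRawPktHdrVal starts and ends outside the hunk, so whether its other reads from `data` are bounded by `cap_len` should be confirmed separately.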
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
+#types time string addr port addr port string string bool string string
+XXXXXXXXXX.XXXXXX - - - - - truncated_ethernet_frame - F zeek ETHERNET
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/core/raw-truncation.zeek b/testing/btest/core/raw-truncation.zeek
new file mode 100644
index 0000000000..0b6f61f60b
--- /dev/null
+++ b/testing/btest/core/raw-truncation.zeek
@@ -0,0 +1,11 @@
+# @TEST-DOC: Test that raw_packet works correctly with a truncated packet
+# @TEST-EXEC: zeek -r $TRACES/trunc/trunc-hdr.pcap %INPUT
+# @TEST-EXEC: btest-diff weird.log
+
+event raw_packet(p: raw_pkt_hdr) {
+ if ( ! p?$ip )
+ return;
+
+ if ( p$ip$hl != 20 )
+ print p$ip;
+}
\ No newline at end of file
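Review bot: Nothing in raw-truncation.zeek checks the values the patched branches produce: the `print p$ip` output goes to stdout, which is neither redirected nor passed to `btest-diff`, and the handler never reads `p$l2`. As written the test passes as long as Zeek does not crash on the trace and the `truncated_ethernet_frame` weird is logged. Printing `p$l2` in the handler, redirecting the run with `>output`, and adding `# @TEST-EXEC: btest-diff output` would pin what a truncated frame yields for the source and destination fields.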