OSS-Fuzz found that providing an invalid BDAT line would tickle an
assert in UpdateState(). The BDAT state was never initialized, but
within UpdateState() that was expected.
This also removes the AnalyzerViolation() call for bad BDAT commands
and instead raises a weird. The SMTP analyzer is very lax, and not triggering
the violation allows parsing the server's response to such an invalid
command.
PCAP files produced by a custom Python SMTP client against Postfix.
* origin/topic/vern/script-opt-maint.Jan24:
ZAM speedup for constructing empty vectors
fixes for ZAM optimization of "switch" statements
BTests to catch regressions for recent ZAM fixes
"-a zam" BTest baseline update for recent changes
fix for needing to always flush optimization information for identifiers
fix for logic bug in ldap base script
better name for key variable in script optimization
ZAM fix for tracking variable usage
ZAM fixes for "for" loops that are only used to choose an element from a table/set
ZAM fixes for loops indexed with variables not used in the loop body
fix for ZAM location tracking - more extensive changes are pending
fixes for ZAM's special-casing of the "cat" BiF
some fixes for ZAM memory management
streamlining of some script optimization APIs
fixes for initializations of "-O gen-C++" script compilations
script optimization fixes for "concretizing" vector-of-any's
* origin/topic/christian/mmdb-configurability:
Modernize various C++/Zeek-isms in the MMDB code.
Fix MMDB code to re-open explicitly opened DBs correctly
Add btest to verify behavior of re-opened MMDBs opened directly via BIFs
Simplify MMDB code by moving more lookup functionality into MMDB class
Move MMDB logic out of mmdb.bif and into MMDB.cc/h.
Fix mmdb.temporary-error testcase when MMDBs are installed on system
Adapt MMDB BiF code to new script-layer variables
Update btest baselines to reflect introduction of mmdb.bif
Move MaxMind/GeoIP BiF functionality into separate file
Provide script-level configurability of MaxMind DB placement on disk
Sort toplevel .bif list in CMakeLists
ssl-log-ext had a bug that caused data present in the SSL connection to
not be logged in some cases. Specifically, the script relied on the base
ssl script to initialize some data structures; however, this means that
protocol messages that arrive before a message is handled by the base
ssl script are not logged.
This commit changes the ssl-log-ext script to also initialize the data
structures; now messages are correctly included in the log in all cases.
* origin/topic/awelzel/3439-bump-tunnel-max-depth:
NEWS: Update news for tunnel depth changes
tunnels: Add 'X' to history when reaching Tunnel::max_depth
Session/TCP/UDP: Reserve HIST_UNKNOWN_PKT mask
Conn: Deprecated AppendAddl
Conn/Session: Lift history logic into Session
init-bare: Default Tunnel::max_depth to 4
This is meant to be used for a new 'X' code in the history in scenarios when
packets are knowingly not processed or an unexpected unknown situation
is recognized.
Usually, these situations are currently reported via weirds or analyzer violations,
but being able to include it in the history field allows them to be more visible.
Will be used for exceeding tunnel depths first.
This should allow mangling a Session's history from packet
analyzers as well, without necessarily knowing the concrete connection type.
Given Connection is a subclass of Session, I don't think this
changes much.
In AWS GLB environments, the max_depth of 2 is easily reached due to packets
being encapsulated with GENEVE and VXLAN [1]. Any additional encapsulation
layer causes Zeek to raise a weird and ignore the inner traffic. Bump the default
maximum depth to 4; while not common, it's not unusual either to observe
this in the wild.
[1] https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-packet-formats.html
Closes #3439
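The depth limit and the new 'X' history code described in this change, as an added stand-alone C++ illustration that is not Zeek's own code: Session, Decapsulate and HistoryFor are hypothetical names, and the bit used for HIST_UNKNOWN_PKT is an assumed value.

```cpp
#include <cstdint>
#include <string>

// Hypothetical stand-in for Zeek's Session: the conn.log history string
// plus a bitmask so each history code is appended at most once.
struct Session {
    std::string history;
    uint64_t hist_seen = 0;

    void AddHistory(uint64_t mask, char code) {
        if (hist_seen & mask) return;   // already recorded for this session
        hist_seen |= mask;
        history.push_back(code);
    }
};

// Assumed bit for the reserved HIST_UNKNOWN_PKT mask (value not on the page).
constexpr uint64_t HIST_UNKNOWN_PKT = 1ULL << 20;

// Peel `layers` tunnel headers outermost to innermost. Once the depth limit
// is hit the remaining inner traffic is not analyzed, and the session gets
// an 'X' so the skipped packets show up in conn.log, not only in weird.log.
// Returns how many encapsulation layers were actually processed.
int Decapsulate(Session& s, int layers, int max_depth) {
    int depth = 0;
    while (depth < layers) {
        if (depth >= max_depth) {
            s.AddHistory(HIST_UNKNOWN_PKT, 'X');
            return depth;
        }
        ++depth;  // header parsing of the layer is out of scope here
    }
    return depth;
}

// Constructed scenario: the AWS GLB mirroring stack is GENEVE carrying VXLAN
// (two layers), plus `extra` outer layers. Two packets of the same stack are
// fed to one session so the test also shows the 'X' is recorded only once.
std::string HistoryFor(int extra, int max_depth) {
    Session s;
    for (int pkt = 0; pkt < 2; ++pkt)
        Decapsulate(s, 2 + extra, max_depth);
    return s.history;
}

int main() {
    // Old default 2 marks one extra layer over GENEVE+VXLAN; new default 4 does not.
    return (HistoryFor(1, 2) == "X" && HistoryFor(1, 4).empty()) ? 0 : 1;
}
```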
The filename from which a DB first gets opened (either via an explicitly
specified filename, or via the path sequence now configurable at the script
layer) is now "sticky", meaning re-opening won't switch to a different file.
This was easiest by moving most state into the MMDB class itself. The previous
approach of tracking the two DB instances via a smart pointer and blowing the
pointed-to objects away as needed is now replaced by two objects fixed over
the lifetime of Zeek, each able to open/close/reopen its underlying MaxMind DB.
The MMDB class now only has one Lookup() method since there was no need to break
them apart -- it saves the return of a MMDB_lookup_result_s over the stack and
there's no need for throwing an exception.
The mmdb_open_location_db() and mmdb_open_asn_db() BiFs were untested, and Zeek
has a bug that makes any DBs opened that way fall back to looking up DBs via the
existing script-level config mechanism (via mmdb_dir), which is at least
unexpected and might well be unconfigured if somebody uses the direct BiFs.