Commit graph

7653 commits

Author SHA1 Message Date
Julien Wallior
ae7625bb2b Fix base.protocols.krb.kinit unit test. 2018-05-10 10:14:30 -04:00
Julien Wallior
98a430c1eb Decrypt the krb ticket and send authentication data out. 2018-05-10 10:14:30 -04:00
Jon Siwek
1f777b57b8 BIT-1926: add unit tests for misc. HTTP patches 2018-05-08 15:39:27 -05:00
Jon Siwek
e5d5cf9ff1 Fix case insensitive HTTP/MIME header name comparisons
Since the function was never used to check for anything other than
equality, I've changed it to return a bool, otherwise the changes to
its implementation are based on a patch submitted by Jeffrey Bencteux:

The function was comparing two strings based on the length of a user
provided string which could lead to evasions. Any prefix of the static
string could pass conditions where strcasecmp_n was used. Comparison
is now based on the static string length and lengths are checked
before calling strncasecmp.
2018-05-08 15:29:53 -05:00
jbencteux
ec4a936f66 fix using chunked mode with HTTP/1.0
According to RFC 7230, Transfer-Encoding was added in HTTP/1.1. Such a
header in an HTTP/1.0 message should be ignored. Interpreting it can be
harmful when sending an HTTP/1.0 message because the parser would
indefinitely wait for a chunk size instead of parsing the message's
body as non-chunked, leading to an HTTP content evasion.
2018-05-08 15:29:53 -05:00
Jon Siwek
2e2d086144 Fix previous content-length != content-range patch
In the case where no Content-Length header is seen, the content_length
value still should be set based upon the range (same as it would
have been before the patch).
2018-05-08 15:29:53 -05:00
jbencteux
c0cc4ef192 fix handling of HTTP body length
Partial content bytes range length value and content length value
should not be stored in the same variable. An attacker could override
a given Content-Length or Content-Range with a smaller value to
evade HTTP content.
2018-05-08 15:29:53 -05:00
jbencteux
2a01c70837 fix Content-Encoding: x-gzip
RFC 7230 section 4.2.3 states that:

"A recipient SHOULD consider 'x-gzip' to be equivalent to 'gzip'"

This could lead to evasions as an attacker could use:

Content-Encoding: x-gzip

To bypass Bro's decompression.
2018-05-08 15:29:53 -05:00
Johanna Amann
bb20026267 Add test for dump_current_packet bif. 2018-05-08 11:24:38 -07:00
Johanna Amann
0f9ff2879d Merge branch 'patch-1' of https://github.com/assafmo/bro
* 'patch-1' of https://github.com/assafmo/bro:
  dump_packet & dump_current_packet better detect which file is being dumped to
  Fix dump_packet & dump_current_packet ignores file_name
2018-05-08 11:21:50 -07:00
Johanna Amann
10441807ff Update submodule
[nomail]
2018-05-08 10:50:34 -07:00
Jon Siwek
f8f29ecf6e Updating submodule(s).
[nomail]
2018-05-08 10:13:11 -05:00
Assaf Morami
1953c04581 dump_packet & dump_current_packet better detect which file is being dumped to 2018-05-08 17:36:17 +03:00
Assaf Morami
f35eae2e7e Fix dump_packet & dump_current_packet ignores file_name
This fixes an issue where `dump_packet` and `dump_current_packet` ignore the `file_name` parameter if `addl_pkt_dumper` is already pointing to some file (doesn't matter which file...)

http://mailman.icsi.berkeley.edu/pipermail/bro/2018-May/013184.html
2018-05-08 15:46:18 +03:00
Jon Siwek
091d1e163f Merge remote-tracking branch 'origin/topic/vladg/fix_binpac_proto_violation'
* origin/topic/vladg/fix_binpac_proto_violation:
  Make BinPAC exception handling more consistent

BIT-1930 #merged
2018-05-03 15:00:20 -05:00
Vlad Grigorescu
ceab58c17e Make BinPAC exception handling more consistent 2018-05-02 15:39:43 -05:00
Jon Siwek
5572d05921 Merge remote-tracking branch 'origin/topic/dnthayer/test-improvements'
* origin/topic/dnthayer/test-improvements:
  Fix the ip-broken-header.bro test on macOS
  Improve reliability of the logging rotate.bro test
  Improve reliability of missing-file-initially.bro test

BIT-1929 #merged
2018-05-01 18:29:59 -05:00
Jon Siwek
d5ff658f06 Merge remote-tracking branch 'origin/fastpath'
* origin/fastpath:
  Update install instructions for Ubuntu 18.04
2018-05-01 18:17:36 -05:00
Jon Siwek
c859919f31 Improve canonicalization of build dir path in a coverage unit test 2018-05-01 18:10:11 -05:00
Jon Siwek
81133f3116 Merge remote-tracking branch 'origin/topic/seth/dhcp-update'
* origin/topic/seth/dhcp-update:
  Rework to the DHCP analyzer.
  First step of DHCP analyzer rearchitecture.
  Add .btest scripts for dhcp_ack and dhcp_discover messages verifying that new options are correctly reported in dhcp.log records.
  Extend DHCP protocol analyzer with new options.

BIT-1924 #merged

Additional changes:

* Removed known-hosts.bro as the only thing populating its table was
  the already-removed known-hosts-and-devices.bro.  So a
  known_devices.log will no longer be generated.

* In dhcp-options.pac, the process_relay_agent_inf_option had a memleak
  and also process_auto_proxy_config_option looked like it accessed one
  byte past the end of the available bytestring, so fixed those.
2018-05-01 18:06:41 -05:00
Daniel Thayer
1d98a99ccf Update install instructions for Ubuntu 18.04 2018-05-01 15:24:52 -05:00
Jon Siwek
a91da7021d Updating submodule(s).
[nomail]
2018-04-30 16:50:29 -05:00
Jon Siwek
60e943322f Merge remote-tracking branch 'origin/topic/johanna/openssl-fixes'
* origin/topic/johanna/openssl-fixes:
  Change ordering of include directories.

BIT-1928 #merged
2018-04-30 16:48:22 -05:00
Jon Siwek
720cf55d53 Improve how coverage unit tests handle name of build dir
This change allows the tests to still pass if the build dir is named
something other than 'build' and/or is a symlink.
2018-04-30 16:30:21 -05:00
Johanna Amann
d3180fff6d Change ordering of include directories.
It turns out that --with-openssl does not currently work because even
when the correct library is chosen, the include path ordering will
(typically) cause the system OpenSSL to be included.

Push OpenSSL header directory as the highest priority one. This probably
also makes sense since OpenSSL is/will be one of the most common
libraries that needs specific include directories.
2018-04-30 15:36:10 -04:00
Seth Hall
effc72ba0b Merge branch 'topic/seth/intel-fix-subnet-expiration' 2018-04-27 20:01:24 -04:00
Seth Hall
c973375f1f Add subnet intel expiration to a test. 2018-04-27 19:55:22 -04:00
Seth Hall
e5e1037e91 Fix subnet expiration in the intel framework. 2018-04-27 16:42:19 -04:00
Robin Sommer
cb5a867cf1 Updating submodule(s).
[nomail]
2018-04-27 10:50:00 -07:00
Robin Sommer
8df77aee09 Merge remote-tracking branch 'origin/topic/jsiwek/bit-1909'
I've moved the resizing loop into a static method of RecordVal.

* origin/topic/jsiwek/bit-1909:
  BIT-1909: fix invalid redef'd record field accesses
2018-04-27 10:35:37 -07:00
Jon Siwek
2799713a89 Updating submodule(s).
[nomail]
2018-04-27 11:13:38 -05:00
Jon Siwek
4e9a8e02e0 BIT-1430: Improve cross compilation support
* Add --toolchain= configure option

* Add --with-bifcl= configure option

* Change --with-binpac= configure option to mean "path to binpac
  executable"

* Add an example of how to use the above options for cross compiling
  Bro to the docs
2018-04-27 11:04:31 -05:00
Jon Siwek
19389ad350 Merge remote-tracking branch 'origin/topic/jsiwek/bit-1914'
* origin/topic/jsiwek/bit-1914:
  BIT-1914: comment out &check usages now that they emit warnings
  Convert some BinPAC &check expressions to &enforce
  Update &check'd fields in various protocol parsers

BIT-1914 #merged
2018-04-25 11:09:43 -05:00
Jon Siwek
89b2e6cd77 Merge branch 'patch-1' of https://github.com/lmammino/bro
* 'patch-1' of https://github.com/lmammino/bro:
  Update consts.bro
2018-04-25 10:50:44 -05:00
Luciano Mammino
ff84e4faa3 Update consts.bro
Removed duplicated entries (`000001a0-0000-0000-c000-000000000046`, with `i=3, i=4`) and related comments line

This change should make this file more readable and it will be easier to convert it to other formats (personally I found it out while I was trying to convert this to a JavaScript structure).
2018-04-25 16:25:34 +01:00
Jon Siwek
b97abd3798 Updating submodule(s).
[nomail]
2018-04-24 13:02:55 -05:00
Daniel Thayer
27a7276009 Fix the ip-broken-header.bro test on macOS
There is no xzcat command on macOS by default.
2018-04-23 17:06:01 -05:00
Daniel Thayer
6600556f51 Improve reliability of the logging rotate.bro test
Occasionally a few lines in the first part of the output file were
not in the expected order (this seems to be caused by each line in the
output being created by a process that is run in the background but
bro doesn't wait for it to finish).  Fixed by sorting the output.
2018-04-23 12:31:59 -05:00
Daniel Thayer
e16cc13667 Improve reliability of missing-file-initially.bro test
This test has failed numerous times on Travis CI.  Fixes to make this
test more reliable:  create the does-not-exist.dat file atomically, and
increase wait time after starting bro in order to give all input
streams a chance to try to read the input file.

Also added the input stream name to the test output, in order to make
output easier to understand if the test fails again.
2018-04-23 12:26:16 -05:00
Robin Sommer
135fa9dc69 Updating submodule(s).
[nomail]
2018-04-20 07:47:10 -07:00
Robin Sommer
0cc8436eee Merge remote-tracking branch 'origin/fastpath'
* origin/fastpath:
  Reduce number of btest threads running tests on Travis CI
2018-04-20 07:45:57 -07:00
Daniel Thayer
b23029a09d Reduce number of btest threads running tests on Travis CI
On Travis CI, btest was using 32 threads when running with "-j".  Reducing
this to "-j 4" seems to make the tests run a bit faster overall and
somewhat reduces the number of test failures.
2018-04-20 09:30:06 -05:00
Jon Siwek
f1dee42125 BIT-1914: comment out &check usages now that they emit warnings 2018-04-19 17:12:04 -05:00
Jon Siwek
708a7136f6 Convert some BinPAC &check expressions to &enforce
These checks for the DCE/RPC version and DNP3 'start' fields look
correct.
2018-04-19 14:07:40 -05:00
Jon Siwek
e2b48ceb80 Updating submodule(s).
[nomail]
2018-04-19 11:56:57 -05:00
Jon Siwek
10b1857a9c Update &check'd fields in various protocol parsers
* The altered Modbus checks seemed overly strict -- the pcap used
  for the unit test at least had quantities/byte_count fields of
  zero, to which the server responds with an error (expected).

* Most of the altered DNP3 checks seemed overly strict and caused
  the unit tests to fail.  The one that was just wrong was the
  'start' field in header blocks.

* Removed the "start" parameter of the dnp3_header_block event
  since it's always the same value.

* The SMB check failed to compile and I don't know what it intended
  to do, so removed.
2018-04-18 18:16:34 -05:00
Jon Siwek
eb0c989ab3 Improve std::map usages in SMB code
Removed redundant lookup operations
2018-04-18 11:46:38 -05:00
Jon Siwek
55a925db96 Improve HLL cardinality estimate unit test.
The test could fail on the order of 100s of iterations, so I bumped the
desired accuracy to actually check for results that are outside the
error margin.
2018-04-18 10:55:37 -05:00
Jon Siwek
181b36cafb Merge remote-tracking branch 'origin/topic/seth/smb-pending-fix'
* origin/topic/seth/smb-pending-fix:
  Updating the defined SMB2 dialects to match Microsoft's current docs.
  On rare occasions the server doesn't return the tree id on read responses.
  Fix an issue with pending commands.

BIT-1862 #merged
2018-04-18 10:48:03 -05:00
Johanna Amann
0747080e5f Merge branch 'Reporter/MessageFix' of https://github.com/catenacyber/bro
* 'Reporter/MessageFix' of https://github.com/catenacyber/bro:
  Better reporter for Brostring with embedded NUL

I slightly changed the code for beautification purposes and added a
testcase. No functional changes.
2018-04-16 10:58:45 -07:00