Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-14 12:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
zeek/testing/btest/plugins/binpac-flowbuffer-frame-length-plugin/src/FOO.cc
Robin Sommer 9b0d525728
Let our TCP-based application analyzers operate without any TCP parent analyzer. 
Conceptually, a TCP-based application analyzer should not need any
knowledge about the underlying TCP analysis; it's supposed to just
process its reassembled input stream as it's handed over. But our
analyzers break that assumption at a few places because sometimes
knowledge about the TCP state of the connection can be helpful for
heuristics. This is fine as long as there actually *is* a TCP parent
analyzer available. Sometimes, however, there isn't: if the payload
stream is encapsulated inside another application-layer protocol, the
semantic link to TCP is broken. And if the outer connection is even
UDP, then we don't have a TCP analyzer at all.

We didn't handle this situation well so far. Most analyzers needing
TCP state would just crash if there's no TCP analyzer (in debug mode
with an `assert`, in release mode with a null pointer deref ...). Only
HTTP did the right thing already: check if TCP is available and adapt
accordingly.

We know extend that check to all other analyzers as well: all accesses
to `TCP()` are guarded, with reasonable defaults if not available.
It's actually a pretty small change overall, which is evidence for how
little this layering violation actually matters.

The existing behavior is what's causing
https://github.com/corelight/zeek-spicy-openvpn/issues/3.
2022-01-28 16:25:27 +01:00

65 lines
1.4 KiB
C++
Raw Blame History

#include "FOO.h"
#include "zeek/analyzer/protocol/tcp/TCP_Reassembler.h"
#include "zeek/Reporter.h"
#include "foo.bif.h"
using namespace btest::analyzer::FOO;
using namespace zeek::analyzer;
FOO_Analyzer::FOO_Analyzer(zeek::Connection* c) : tcp::TCP_ApplicationAnalyzer("FOO", c)
{
interp = new binpac::FOO::FOO_Conn(this);
had_gap = false;
}
FOO_Analyzer::~FOO_Analyzer()
{
delete interp;
}
void FOO_Analyzer::Done()
{
tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
}
void FOO_Analyzer::EndpointEOF(bool is_orig)
{
tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
void FOO_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
if ( TCP() && TCP()->IsPartial() )
return;
if ( had_gap )
// If only one side had a content gap, we could still try to
// deliver data to the other side if the script layer can handle this.
return;
try
{
interp->NewData(orig, data, data + len);
}
catch ( const binpac::Exception& e )
{
printf("Exception: %s\n", e.c_msg());
ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
}
}
void FOO_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
{
tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
had_gap = true;
interp->NewGap(orig, len);
}
Reference in a new issue View git blame Copy permalink