mirror of
https://github.com/zeek/zeek.git
synced 2025-10-10 02:28:21 +00:00
995368e68c
This changes many weird names to move non-static content from the weird name into the "addl" field to help ensure the total number of weird names is reasonably bounded. Note the net_weird and flow_weird events do not have an "addl" parameter, so information may no longer be available in those cases -- to make it available again we'd need to either (1) define new events that contain such a parameter, or (2) change net_weird/flow_weird event signature (which is a breaking change for user-code at the moment). Also, the generic handling of binpac exceptions for analyzers which to not otherwise catch and handle them has been changed from a Weird to a ProtocolViolation. Finally, a new "file_weird" event has been added for reporting weirdness found during file analysis.
14 lines
673 B
Text
14 lines
673 B
Text
# The parser generated by BinPAC needs to handle this pcap without crashing
|
|
# or asserting. Specifically, pasing Function Code 23,
|
|
# ReadWriteMultipleRegistersRequest, has a field:
|
|
#
|
|
# uint16[write_quantity] &length=write_byte_count;
|
|
#
|
|
# And the pcap has mismatching values for those quantities.
|
|
# The use of &length on arrays previously caused array elements to
|
|
# be treated as already having a bounds check in the parsing-loop, which
|
|
# is problematic in the case where (write_quantity * 2) > write_byte_count
|
|
# as that can cause reading from a location that exceeds the end of the
|
|
# data buffer.
|
|
|
|
# @TEST-EXEC: bro -r $TRACES/modbus/4SICS-GeekLounge-151022-min.pcap
|