[Bro-Dev] #332: Portmap analyzer segfaults when parsing portmap dump replies

Bro Tracker bro at tracker.icir.org
Fri Dec 3 07:33:29 PST 2010


#332: Portmap analyzer segfaults when parsing portmap dump replies
--------------------+--------------------
 Reporter:  gregor  |      Owner:
     Type:  Patch   |     Status:  new
 Priority:  Normal  |  Milestone:  Bro1.6
Component:  Bro     |    Version:  1.5.2
 Keywords:          |
--------------------+--------------------
 {{{
 #!rst

 There is a bug in the portmap analyzer that causes a segfault
 when parsing a portmap dump reply message.

 The attached patch fixes the problem.

 Should this patch be included in the final 1.5.x release, since it
 fixes a segfault?


 *Background:*

 Note, part of the problem might actually be the way binpac handles
 array building, which can be confusing. I'll just put it here for the
 record in case somebody else stumbles across something similar.

 from portmap-protocol.pac::

     type PortmapDumpEntry = record {
         cont:       uint32;
         optmapping: case cont of {
             0 ->        none: empty;
             default ->  mapping: PortmapMapping;
         };
     };

     type PortmapDumpResults = PortmapDumpEntry[] &until($element.cont != 1);

 Binpac will parse a PortmapDumpEntry out of the input data, add it to
 the PortmapDumpResults[] array, evaluate the until expression and quit
 if it is false. However, there is another form of the until
 expression that performs a test on the chunk of input, e.g.::

     type HTTP_Headers = HTTP_Header[] &until($input.length() == 0);
     type MIME_Lines = MIME_Line[]
            &until($context.flow.is_end_of_multipart($input));

 These until expressions with $input are evaluated *before* the next
 element is parsed, and if it is false, no more elements are parsed.

 The behavior makes sense, since it makes sense to perform tests on the
 input before the input is parsed, and tests on the output after the
 output is parsed (however, one could ask whether elements for which
 the until test was false should be added to the array).
 }}}

-- 
Ticket URL: <http://tracker.icir.org/bro/ticket/332>
Bro Tracker <http://tracker.icir.org/bro>
Bro Issue Tracker
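
An added Python model (not code from the ticket, its patch, or binpac) of the two &until forms described in the ticket, run on a constructed portmap dump reply. The mapping field names follow RFC 1057 and are assumptions, since PortmapMapping is not shown in the ticket. It shows that the element-tested form leaves the terminating entry, which carries no mapping, in the array, so a consumer has to check for it.

```python
import struct

def parse_entry(buf, off):
    """PortmapDumpEntry: uint32 cont, then a mapping unless cont == 0."""
    if off + 4 > len(buf):
        raise ValueError("truncated entry")
    (cont,) = struct.unpack_from(">I", buf, off)
    off += 4
    mapping = None                      # the 'none: empty' case
    if cont != 0:
        if off + 16 > len(buf):
            raise ValueError("truncated mapping")
        # Field names assumed (RFC 1057 pmap mapping), not from the .pac file.
        prog, vers, proto, port = struct.unpack_from(">4I", buf, off)
        mapping = {"prog": prog, "vers": vers, "proto": proto, "port": port}
        off += 16
    return {"cont": cont, "mapping": mapping}, off

def parse_until_element(buf):
    """Model of &until($element.cont != 1): parse, append, then test."""
    out, off = [], 0
    while True:
        elem, off = parse_entry(buf, off)
        out.append(elem)                # appended before the test runs
        if elem["cont"] != 1:
            return out

def parse_until_input(buf):
    """Model of &until($input.length() == 0): test first, then parse."""
    out, off = [], 0
    while len(buf) - off != 0:
        elem, off = parse_entry(buf, off)
        out.append(elem)
    return out

def ports(entries):
    """Consumer that skips entries carrying no mapping (the terminator)."""
    return [e["mapping"]["port"] for e in entries if e["mapping"] is not None]

# Constructed dump reply: portmapper on 111/tcp, NFS on 2049/udp, terminator.
SAMPLE = (struct.pack(">5I", 1, 100000, 2, 6, 111)
          + struct.pack(">5I", 1, 100003, 3, 17, 2049)
          + struct.pack(">I", 0))

if __name__ == "__main__":
    entries = parse_until_element(SAMPLE)
    print(len(entries), entries[-1], ports(entries))
```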



