[Bro-Dev] #332: Portmap analyzer segfaults when parsing portmap dump replies
Bro Tracker
bro at tracker.icir.org
Fri Dec 3 07:33:29 PST 2010
#332: Portmap analyzer segfaults when parsing portmap dump replies
--------------------+--------------------
Reporter: gregor | Owner:
Type: Patch | Status: new
Priority: Normal | Milestone: Bro1.6
Component: Bro | Version: 1.5.2
Keywords: |
--------------------+--------------------
{{{
#!rst
There is a bug in the portmap analyzer that causes a segfault
when parsing portmap dump reply message.
The attached patch fixes the problem.
Should this patch be included in the final 1.5.x release, since it
fixes a segfault?
*Background:*
Note, part of the problem might actually be the way binpac handles
array building, which can be confusing. I'll just put it here for the
record in case somebody else stumbles across something similar.
from portmap-protocol.pac::
type PortmapDumpEntry = record {
cont: uint32;
optmapping: case cont of {
0 -> none: empty;
default -> mapping: PortmapMapping;
};
};
type PortmapDumpResults = PortmapDumpEntry[] &until($element.cont !=
1);
Binpac will parse a PortmapDumpEntry out if the input data, add it to
the PortmapDumpResults[] array, evaluate the until expression and quit
if it is false. However, there is another form of the the until
expression that performs test on the chunk of input, e.g.::
type HTTP_Headers = HTTP_Header[] &until($input.length() == 0);
type MIME_Lines = MIME_Line[]
&until($context.flow.is_end_of_multipart($input));
These until expression with $input are evaluated *before* the next
element is parsed and if it is false, no more elements are parsed.
The behavior makes sense, since it makes sense to perform test on the
input before the input is parsed, and tests on the output after the
output is parsed (However, one could ask, whether elements for which
the until test were false should be added to the array).
}}}
--
Ticket URL: <http://tracker.icir.org/bro/ticket/332>
Bro Tracker <http://tracker.icir.org/bro>
Bro Issue Tracker
More information about the bro-dev
mailing list