[Bro-Dev] Hui Lin_Out of Bound Exception from flowunit
Seth Hall
seth at icir.org
Fri Aug 26 10:03:54 PDT 2011
On Aug 26, 2011, at 12:46 PM, Hui Lin wrote:
> 1217561494.208541 weird: binpac exception: out_of_bound: Dnp3_Test:src_addr: 8 > 3
>
> 8 is the size of all data before "rest" the bytestring, and 3 is the size of data "start" and "len". "len" is used to define the &length of this record. It seems that after "len", you can not define extra data, such as "ctrl", "dest_addr" and doing this will generate the above exception. However, if you change the type of all data after "len" into bytestring, then the exception will not happen. But I still want to keep those data as the "uint8". Any suggestion to solve this problem?
It looks like you probably want to do: &length=(8+len)
You also forgot to explain what the "5" is for and it looks like binpac tried to parse 5 bytes too far (8>3). From a more broad perspective, if you have framing around this parse unit (&length applied to a parent unit) it probably makes more sense to define this record like this:
type Dnp3_Test = record {
    start: uint16;
    len: uint8;
    ctrl: uint8;
    dest_addr: uint16;
    src_addr: uint16;
    rest: bytestring &length=len;
} &byteorder = bigendian;
Binpac shouldn't have any problems with that as long as it can calculate the fully parsed record size based on a parent record. (to avoid complaints about incremental parsing)
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
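Added example, not part of the original message and not binpac's generated code: a small Python model of the bounds check discussed above, showing a record-level length of 3 rejecting the 8 fixed bytes, while &length=(8+len) or a length on "rest" alone parses cleanly. The record_length parameter, the try_parse helper, the sample bytes, and the exception text (modelled on the quoted log line) are assumptions made for illustration.

```python
import struct


class OutOfBound(Exception):
    """A field would end past the boundary of its enclosing record."""


# start: uint16, len: uint8, ctrl: uint8, dest_addr: uint16, src_addr: uint16
HEADER = struct.Struct(">HBBHH")  # big-endian, 8 bytes

# Constructed sample: start=0x0564, len=2, ctrl=0xC4, dest_addr=1, src_addr=2
SAMPLE = bytes.fromhex("0564 02 c4 0001 0002 aabb")


def parse_dnp3_test(data, record_length=None):
    """Parse one Dnp3_Test record with explicit bounds checks.

    record_length (hypothetical parameter) models a record-level &length:
    a callable mapping the parsed `len` value to the record's total size.
    None models the second layout, where only `rest` carries &length=len
    and the record is bounded by the data handed down from the parent.
    """
    bound = len(data)
    if HEADER.size > bound:
        raise OutOfBound(f"Dnp3_Test:src_addr: {HEADER.size} > {bound}")
    start, length, ctrl, dest_addr, src_addr = HEADER.unpack_from(data)
    if record_length is not None:
        # A declared record size can narrow the boundary, never widen it.
        bound = min(bound, record_length(length))
        if HEADER.size > bound:
            raise OutOfBound(f"Dnp3_Test:src_addr: {HEADER.size} > {bound}")
    end = HEADER.size + length  # rest: bytestring &length=len
    if end > bound:
        raise OutOfBound(f"Dnp3_Test:rest: {end} > {bound}")
    return {"start": start, "len": length, "ctrl": ctrl,
            "dest_addr": dest_addr, "src_addr": src_addr,
            "rest": data[HEADER.size:end]}


def try_parse(data, record_length=None):
    """Return the parsed record, or the exception text if parsing fails."""
    try:
        return parse_dnp3_test(data, record_length)
    except OutOfBound as exc:
        return f"out_of_bound: {exc}"
```

Calling try_parse(SAMPLE, lambda n: 3) returns the "8 > 3" failure, while try_parse(SAMPLE, lambda n: 8 + n) and try_parse(SAMPLE) both return the parsed fields.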