[Bro-Dev] [JIRA] (BIT-250) Binpac wrong boundary check
grigorescu (JIRA)
jira at bro-tracker.atlassian.net
Mon Jun 2 17:05:07 PDT 2014
[ https://bro-tracker.atlassian.net/browse/BIT-250?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
grigorescu updated BIT-250:
---------------------------
Status: Merge Request (was: Open)
> Binpac wrong boundary check
> ---------------------------
>
> Key: BIT-250
> URL: https://bro-tracker.atlassian.net/browse/BIT-250
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BinPAC
> Affects Versions: 1.5.2
> Reporter: lorenzo simionato
> Attachments: test.pac
>
>
> I'm trying to create a parser for a simple protocol, described by the following type:
> {noformat}
> type Test_PDU = record {
> header: uint32;
> msg_length: uint32;
> msg_data: uint32;
> } &byteorder=littleendian, &length=msg_length;
> {noformat}
> The code generated by BinPAC, when you compile the attached .pac file is wrong.
> In fact the code generated for the parsing of the message is something like:
> {noformat}
> switch ( buffering_state_ ) {
> case 0:
> ..........
> t_flow_buffer->NewFrame(8, false);
> buffering_state_ = 1;
> ..........
> break;
>
> case 1: {
> buffering_state_ = 2;
> // Checking out-of-bound for "Test_PDU:msg_data"
> if ( (t_begin_of_data + 8) + (4) > t_end_of_data )
> {
> // Handle out-of-bound condition
> throw ExceptionOutOfBound("Test_PDU:msg_data",
> (8) + (4),
> (t_end_of_data) - (t_begin_of_data));
> }
> // Parse "msg_length"
> msg_length_ = FixByteOrder(byteorder(), *((uint32 const *) ((t_begin_of_data + 4))));
> t_flow_buffer->GrowFrame(msg_length());
> }
> break;
> }
> {noformat}
> As you can see at first buffer's length is set to 8, than it will throw an ExceptionOutOfBound because 12>8.
> I've looked into the issue and i think that the problem is in the method:
> bool RecordField::AttemptBoundaryCheck(Output* out_cc, Env* env)
> (pac_record.cc)
> In this method the boundary check for the field "msg_length" leads to the boundary check of the field "msg_type", because
> quoting the comment on the method: "If my next field can check its boundary, then I don't have to check mine, and it will save me a boundary-check."
> As a temporary fix i commented out the "optimization" to check the next field in the AttemptBoundaryCheck method.
> How to fix this issue properly?
--
This message was sent by Atlassian JIRA
(v6.3-OD-06-017#6327)
More information about the bro-dev
mailing list