[Bro-Dev] [JIRA] (BIT-1500) BinPAC Call to FlowBuffer::NewFrame with frame_length -1

Mark Fernandez (JIRA) jira at bro-tracker.atlassian.net
Mon Nov 2 11:38:00 PST 2015

Mark Fernandez created BIT-1500:

             Summary: BinPAC Call to FlowBuffer::NewFrame with frame_length -1
                 Key: BIT-1500
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1500
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: BinPAC
    Affects Versions: 2.4
            Reporter: Mark Fernandez
         Attachments: test.pac

I am creating a protocol analyzer using BinPAC. I created a type record for chunked data, very similar to HTTP chunked data.  The auto-generated C++ code does not parse the chunked data correctly.  I tracked it down to the ParseBuffer code where there is a combination of calls to FlowBuffer::NewFrame and soon thereafter a condition check against FlowBuffer::ready().  The call to NewFrame passes '-1' as the frame_length value. NewFrame calls FlowBuffer::MarkOrCopyFrame, and because the frame_length is set to -1, MarkOrCopyFrame sets message_complete_ to false.  Therefore, when FlowBuffer::ready() is called, it returns message_complete_, which is false, and then ParseBuffer exits via 'goto need_more_data' without ever parsing the chunked data.  This is very frustrating.  Please review and let me know what you think.

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list