[Bro-Dev] [JIRA] (BIT-1500) BinPAC Call to FlowBuffer::NewFrame with frame_length -1

Mark Fernandez (JIRA) jira at bro-tracker.atlassian.net
Mon Nov 23 08:34:00 PST 2015

     [ https://bro-tracker.atlassian.net/browse/BIT-1500?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mark Fernandez updated BIT-1500:
    Resolution: Solved
        Status: Closed  (was: Open)

Mr. Grigorescu's recommendation was sufficient to solve the problem.  Thank you.

> BinPAC Call to FlowBuffer::NewFrame with frame_length -1
> --------------------------------------------------------
>                 Key: BIT-1500
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1500
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BinPAC
>    Affects Versions: 2.4
>            Reporter: Mark Fernandez
>              Labels: analyzer
>         Attachments: test.pac
> I am creating a protocol analyzer using BinPAC. I created a type record for chunked data, very similar to HTTP chunked data.  The auto-generated C++ code does not parse the chunked data correctly.  I tracked it down to the ParseBuffer code where there is a combination of calls to FlowBuffer::NewFrame and soon thereafter a condition check against FlowBuffer::ready().  The call to NewFrame passes '-1' as the frame_length value. NewFrame calls FlowBuffer::MarkOrCopyFrame, and because the frame_length is set to -1, MarkOrCopyFrame sets message_complete_ to false.  Therefore, when FlowBuffer::ready() is called, it returns message_complete_, which is false, and then ParseBuffer exits via 'goto need_more_data' without ever parsing the chunked data.  This is very frustrating.  Please review and let me know what you think.
