[Bro-Dev] [JIRA] (BIT-1500) BinPAC Call to FlowBuffer::NewFrame with frame_length -1

Mark Fernandez (JIRA) jira at bro-tracker.atlassian.net
Mon Nov 23 08:34:00 PST 2015


     [ https://bro-tracker.atlassian.net/browse/BIT-1500?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mark Fernandez updated BIT-1500:
--------------------------------
    Resolution: Solved
        Status: Closed  (was: Open)

Mr. Grigorescu's recommendation was sufficient to solve the problem.  Thank you.

> BinPAC Call to FlowBuffer::NewFrame with frame_length -1
> --------------------------------------------------------
>
>                 Key: BIT-1500
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1500
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BinPAC
>    Affects Versions: 2.4
>            Reporter: Mark Fernandez
>              Labels: analyzer
>         Attachments: test.pac
>
>
> I am creating a protocol analyzer using BinPAC. I created a type record for chunked data, very similar to HTTP chunked data.  The auto-generated C++ code does not parse the chunked data correctly.  I tracked it down to the ParseBuffer code where there is a combination of calls to FlowBuffer::NewFrame and soon thereafter a condition check against FlowBuffer::ready().  The call to NewFrame passes '-1' as the frame_length value. NewFrame calls FlowBuffer::MarkOrCopyFrame, and because the frame_length is set to -1, MarkOrCopyFrame sets message_complete_ to false.  Therefore, when FlowBuffer::ready() is called, it returns message_complete_, which is false, and then ParseBuffer exits via 'goto need_more_data' without ever parsing the chunked data.  This is very frustrating.  Please review and let me know what you think.



--
This message was sent by Atlassian JIRA
(v7.1.0-OD-01-053#71000)



More information about the bro-dev mailing list