[Bro-Dev] [JIRA] (BIT-1500) BinPAC Call to FlowBuffer::NewFrame with frame_length -1
Vlad Grigorescu (JIRA)
jira at bro-tracker.atlassian.net
Mon Nov 23 08:35:00 PST 2015
[ https://bro-tracker.atlassian.net/browse/BIT-1500?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23002#comment-23002 ]
Vlad Grigorescu commented on BIT-1500:
--------------------------------------
I'd like to revisit this and see if we can get the issue fixed, so you don't have to do the workaround.
> BinPAC Call to FlowBuffer::NewFrame with frame_length -1
> --------------------------------------------------------
>
> Key: BIT-1500
> URL: https://bro-tracker.atlassian.net/browse/BIT-1500
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BinPAC
> Affects Versions: 2.4
> Reporter: Mark Fernandez
> Labels: analyzer
> Attachments: test.pac
>
>
> I am creating a protocol analyzer using BinPAC. I created a type record for chunked data, very similar to HTTP chunked data. The auto-generated C++ code does not parse the chunked data correctly. I tracked it down to the ParseBuffer code where there is a combination of calls to FlowBuffer::NewFrame and soon thereafter a condition check against FlowBuffer::ready(). The call to NewFrame passes '-1' as the frame_length value. NewFrame calls FlowBuffer::MarkOrCopyFrame, and because the frame_length is set to -1, MarkOrCopyFrame sets message_complete_ to false. Therefore, when FlowBuffer::ready() is called, it returns message_complete_, which is false, and then ParseBuffer exits via 'goto need_more_data' without ever parsing the chunked data. This is very frustrating. Please review and let me know what you think.
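
The stall described in the report, as an added example that is not part of the original message and is not BinPAC's source: a simplified C++ model of the NewFrame / MarkOrCopyFrame / ready() sequence. The class ModelFlowBuffer, the helpers ParseChunk and RunWithFrameLength, and the sample chunk are assumptions made for illustration.

```cpp
#include <cstddef>
#include <string>

// Simplified model of the behaviour the report describes. Hypothetical code,
// not BinPAC's FlowBuffer implementation.
class ModelFlowBuffer {
public:
    void NewData(const std::string& data) { buf_ += data; }
    // A negative frame_length stands for "length not known", as in the report.
    void NewFrame(int frame_length) {
        frame_length_ = frame_length;
        MarkOrCopyFrame();
    }
    bool ready() const { return message_complete_; }
private:
    void MarkOrCopyFrame() {
        if (frame_length_ < 0) {
            message_complete_ = false;  // the -1 case: never marked complete
            return;
        }
        message_complete_ = buf_.size() >= static_cast<std::size_t>(frame_length_);
    }
    std::string buf_;
    int frame_length_ = 0;
    bool message_complete_ = false;
};

enum class ParseResult { Parsed, NeedMoreData };

// Models the ParseBuffer step from the report: NewFrame, then a ready() check.
ParseResult ParseChunk(ModelFlowBuffer& fb, int frame_length) {
    fb.NewFrame(frame_length);
    if (!fb.ready())
        return ParseResult::NeedMoreData;  // the 'goto need_more_data' path
    return ParseResult::Parsed;
}

// Constructed sample: one HTTP-style chunk, already fully buffered.
const std::string kSampleChunk = "5\r\nhello\r\n";

ParseResult RunWithFrameLength(int frame_length) {
    ModelFlowBuffer fb;
    fb.NewData(kSampleChunk);
    return ParseChunk(fb, frame_length);
}

int main() {
    // Exit status 0 when the -1 case stalls even though the chunk is buffered.
    return RunWithFrameLength(-1) == ParseResult::NeedMoreData ? 0 : 1;
}
```

In this model the whole chunk is buffered in both runs; only the frame_length passed to NewFrame decides whether the parse step proceeds.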