[Bro] a small patch to binpac
jmzhou.ml at gmail.com
jmzhou.ml at gmail.com
Mon Jun 4 10:44:01 PDT 2007
The problem:
type MyRecord = record {
f1: SomeRecordType;
f2: bytestring &length=body_len;
} &let {
body_len: uint32 = f1.rec_len - sizeof (f1);
};
The above definition looks familiar, uh? It is a simplifed version of
the DCE RPC PDU. If MyRecord is incrementally parsed, the sizeof (f1)
in the &let construct will cause trouble because getFieldBegin and
getFieldEnd can only be used for non-incremental parsed record. If
the size of SomeRecordType is decideable statically (in the case of
DCE RPC, it is), then the patch fixes the problem. Now we can make
the PDU incrementally parsed.
Cheers,
Jimmy
____________________________________________________________
The future is not set. There is no fate but what we make
for ourselves. - Terminator II, Judgment Day
------------------------------------------------------------
-------------- next part --------------
--- bro-1.2.1.orig/src/binpac/pac_record.cc 2007-05-24 13:59:23.000000000 -0700
+++ bro-1.2.1/src/binpac/pac_record.cc 2007-06-04 09:29:17.000000000 -0700
@@ -350,6 +350,13 @@
if ( field_size_expr )
return field_size_expr;
+ int static_size = type_->StaticSize (env);
+ if (static_size >= 0)
+ {
+ field_size_expr = nfmt("%d", static_size);
+ return field_size_expr;
+ }
+
const DataPtr& begin = getFieldBegin(out_cc, env);
const DataPtr& end = getFieldEnd(out_cc, env);
if ( begin.id() == end.id() )
More information about the Bro
mailing list