I’d try reworking this, so that you have lenAB, and then another record for the rest of the data, and just setting the length of that record to lenAB. Does that work?
—Vlad On Wed, Mar 6, 2019 at 08:17 Song <[email protected]> wrote: > Hi, > > I'm writing a BinPac flowunit analyzer, a PDU is like below: > > type test_pdu = record { > lenAB : uint32; # length of rest of data > lenA : uint16; # length of dataA > dataA : bytestring &length = lenA; > dataB : bytestring &length = (lenAB - 2 - lenA); > } &byteorder=bigendian &length=(lenAB + 4); > > There are 2 problems: > > 1. binpac failed to compile (cannot handle incremental input) if I remove > &length=(lenAB - 2 -lenA), although the overall length of the PDU can be > calculated using the 4 field length > > 2. the generated parser seems to check out-of-bound of lenA field too > early: > > 1577 bool test_pdu::ParseBuffer(flow_buffer_t t_flow_buffer) > 1578 { > 1579 bool t_val_parsing_complete; > 1580 t_val_parsing_complete = false; > 1581 const_byteptr t_begin_of_data = t_flow_buffer->begin(); > 1582 const_byteptr t_end_of_data = t_flow_buffer->end(); > 1583 switch ( buffering_state_ ) > 1584 { > 1585 case 0: > 1586 if ( buffering_state_ == 0 ) > 1587 { > 1588 t_flow_buffer->NewFrame(4, false); > 1589 buffering_state_ = 1; > 1590 } > 1591 buffering_state_ = 1; > 1592 break; > 1593 case 1: > 1594 { > 1595 buffering_state_ = 2; > 1596 // Checking out-of-bound for "test_pdu:lenA" > 1597 if ( (t_begin_of_data + 4) + (2) > t_end_of_data || > (t_begin_of_data + 4) + (2) < (t_begin_of_data + 4) ) > 1598 { > 1599 // Handle out-of-bound condition > 1600 throw binpac::ExceptionOutOfBound("test_pdu:lenA", > 1601 (4) + (2), > 1602 (t_end_of_data) - (t_begin_of_data)); > 1603 } > 1604 // Parse "lenAB" > 1605 lenAB_ = FixByteOrder(byteorder(), *((uint32 const *) > (t_begin_of_data))); > 1606 // Evaluate 'let' and 'withinput' fields > 1607 t_flow_buffer->GrowFrame( ( lenAB() + 4 ) ); > 1608 } > 1609 break; > > Since we only make a new frame of length 4 in line #1588 (the flow buffer > will not grow to full size until line #1607), the test in line #1597 will > be evaluated to true and the parsing will fail. > > What did I missed? Thanks in advance. > > Best regards, > Song > > _______________________________________________ > zeek-dev mailing list > [email protected] > http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek-dev >
_______________________________________________ zeek-dev mailing list [email protected] http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek-dev
