infinite loop in main.zeek gquic_hello event handler (zeek 3.1.5)
bv3 opened this issue · 1 comments
Zeek 3.1.5 workers are unresponsive as soon as they see a gquic hello packet, and can only be terminated with a kill -9 command. The cyu fingerprint construction loop in main.zeek never ends. Inserting a print statement at the top of the first gquic_hello event handler prints a 19-digit (decimal) value for the HeIn$tag variable that provides the loop exit condition.
Command line zeek output from print_raw(fmt("\nHeIn$tag = %d\n\n", HeIn$tag)); at line 46 in main.zeek:
$ zeek -C -r Q046.pcap
HeIn$tag = 4624633867356078080
^Z
[1]+ Stopped zeek -C -r Q046.pcap
$ kill -9 %1
[1]+ Killed zeek -C -r Q046.pcap
$
It turns out that Zeek 3.1.x removed all numeric constructors from the Val class except Val(double, TypeTag). Now, new Val objects constructed from an unsigned integer convert it to double and store it in a union on the plugin side, which is later retrieved as an unsigned integer on the script side. The easiest fix is to call new ValManager methods to get preallocated numeric Val objects by replacing all new Val(...) with val_mgr->Get...().
Please see the following branch in our fork, which includes the above plus a couple other commits for building the plugin under Zeek 3.1.5: https://github.com/bluvectorcyber/GQUIC_Protocol_Analyzer/commits/updates-for-zeek-3.1.5
Also, there's a new corelight/zeek-quic plugin that merged similar changes before adding support for Zeek 3.2.x: https://github.com/corelight/zeek-quic/commits/master
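Added example, not part of the original issue or of the plugin's code: a minimal C++ model of the double/unsigned mix-up described above, showing that the value printed in the issue, 4624633867356078080, is exactly the IEEE-754 bit pattern of 15.0. The `ValSlot` union, both function names and the 65535 plausibility bound are assumptions made for this illustration, not Zeek's actual definitions.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>
#include <iostream>

// Simplified stand-in for a value union holding either a double or an
// unsigned count (hypothetical layout, not Zeek's real Val class).
union ValSlot {
    double        double_val;
    std::uint64_t uint_val;
};

// Plugin side: the unsigned count is converted to double and stored.
// Script side: the same 8 bytes are read back as an unsigned integer.
std::uint64_t store_as_double_read_as_count(std::uint64_t count) {
    ValSlot slot;
    slot.double_val = static_cast<double>(count);
    std::uint64_t raw;
    std::memcpy(&raw, &slot, sizeof raw);  // memcpy avoids union type-punning
    return raw;
}

// Triage helper: if an implausibly large count is really the bit pattern of
// a small non-negative whole number stored as a double, recover that number.
// The 65535 upper bound is an arbitrary limit chosen for this example.
bool recover_intended_count(std::uint64_t observed, std::uint64_t &intended) {
    double d;
    std::memcpy(&d, &observed, sizeof d);
    if (!std::isfinite(d) || d < 0.0 || d > 65535.0 || d != std::floor(d))
        return false;
    intended = static_cast<std::uint64_t>(d);
    return true;
}

int main() {
    const std::uint64_t observed = 4624633867356078080ULL;  // from the zeek output
    std::uint64_t n = 0;
    if (recover_intended_count(observed, n))
        std::cout << "observed " << observed << " decodes to count " << n << "\n";
    std::cout << "15 stored as double reads back as "
              << store_as_double_read_as_count(15) << "\n";
    return 0;
}
```

A loop that counts up to the misread value would need about 4.6 quintillion iterations, which matches the hang reported above.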