[Filebeat] Fix panic in decode_cef when recovering from invalid data #30038
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When recovering from an invalid extension value the escape sequence state was not cleared. This caused the parser to attempt to unescape the next extension which resulted in invalid data or a panic. Fixes elastic#30010
andrewkroh
added
bug
Filebeat
botelastic
bot
added
the
needs_team
|
This pull request doesn't have a |
efd6
approved these changes
Jan 26, 2022
| @@ -97,7 +97,7 @@ func (e *Event) unpack(data string) error { | |||
| fhold; fnext gobble_extension; | |||
| } | |||
| action recover_next_extension { | |||
| extKey, extValueStart, extValueEnd = "", 0, 0 | |||
| extKey, extValueStart, extValueEnd, escapes = "", 0, 0, escapes[:0] | |||
There was a problem hiding this comment.
It would be nice to have these non-ragel state variables have some commentary in the decl above.
There was a problem hiding this comment.
I did a little bit of refactoring to make things slightly more readable. Will you look again please?
Document and encapsulate the non-ragel state variables. ``` $ benchcmp before.txt after.txt benchmark old ns/op new ns/op delta BenchmarkEventUnpack-12 1991 1544 -22.45% benchmark old allocs new allocs delta BenchmarkEventUnpack-12 13 13 +0.00% benchmark old bytes new bytes delta BenchmarkEventUnpack-12 642 642 +0.00% ```
efd6
approved these changes
Jan 26, 2022
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
💚 Flaky test reportTests succeeded. 🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
mergify bot
pushed a commit
that referenced
this pull request
Jan 27, 2022
…30038) * Fix panic in decode_cef when recovering from invalid data When recovering from an invalid extension value the escape sequence state was not cleared. This caused the parser to attempt to unescape the next extension which resulted in invalid data or a panic. Fixes #30010 * Encapsulate non-ragel state Document and encapsulate the non-ragel state variables. ``` $ benchcmp before.txt after.txt benchmark old ns/op new ns/op delta BenchmarkEventUnpack-12 1991 1544 -22.45% benchmark old allocs new allocs delta BenchmarkEventUnpack-12 13 13 +0.00% benchmark old bytes new bytes delta BenchmarkEventUnpack-12 642 642 +0.00% ``` (cherry picked from commit 47b8d02)
mergify bot
pushed a commit
that referenced
this pull request
Jan 27, 2022
…30038) * Fix panic in decode_cef when recovering from invalid data When recovering from an invalid extension value the escape sequence state was not cleared. This caused the parser to attempt to unescape the next extension which resulted in invalid data or a panic. Fixes #30010 * Encapsulate non-ragel state Document and encapsulate the non-ragel state variables. ``` $ benchcmp before.txt after.txt benchmark old ns/op new ns/op delta BenchmarkEventUnpack-12 1991 1544 -22.45% benchmark old allocs new allocs delta BenchmarkEventUnpack-12 13 13 +0.00% benchmark old bytes new bytes delta BenchmarkEventUnpack-12 642 642 +0.00% ``` (cherry picked from commit 47b8d02)
andrewkroh
added a commit
that referenced
this pull request
Jan 27, 2022
…30038) (#30042) * Fix panic in decode_cef when recovering from invalid data When recovering from an invalid extension value the escape sequence state was not cleared. This caused the parser to attempt to unescape the next extension which resulted in invalid data or a panic. Fixes #30010 * Encapsulate non-ragel state Document and encapsulate the non-ragel state variables. ``` $ benchcmp before.txt after.txt benchmark old ns/op new ns/op delta BenchmarkEventUnpack-12 1991 1544 -22.45% benchmark old allocs new allocs delta BenchmarkEventUnpack-12 13 13 +0.00% benchmark old bytes new bytes delta BenchmarkEventUnpack-12 642 642 +0.00% ``` (cherry picked from commit 47b8d02) Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
andrewkroh
added a commit
that referenced
this pull request
Jan 27, 2022
…30038) (#30043) * Fix panic in decode_cef when recovering from invalid data When recovering from an invalid extension value the escape sequence state was not cleared. This caused the parser to attempt to unescape the next extension which resulted in invalid data or a panic. Fixes #30010 * Encapsulate non-ragel state Document and encapsulate the non-ragel state variables. ``` $ benchcmp before.txt after.txt benchmark old ns/op new ns/op delta BenchmarkEventUnpack-12 1991 1544 -22.45% benchmark old allocs new allocs delta BenchmarkEventUnpack-12 13 13 +0.00% benchmark old bytes new bytes delta BenchmarkEventUnpack-12 642 642 +0.00% ``` (cherry picked from commit 47b8d02) Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
yashtewari
pushed a commit
to build-security/beats
that referenced
this pull request
Jan 30, 2022
…lastic#30038) * Fix panic in decode_cef when recovering from invalid data When recovering from an invalid extension value the escape sequence state was not cleared. This caused the parser to attempt to unescape the next extension which resulted in invalid data or a panic. Fixes elastic#30010 * Encapsulate non-ragel state Document and encapsulate the non-ragel state variables. ``` $ benchcmp before.txt after.txt benchmark old ns/op new ns/op delta BenchmarkEventUnpack-12 1991 1544 -22.45% benchmark old allocs new allocs delta BenchmarkEventUnpack-12 13 13 +0.00% benchmark old bytes new bytes delta BenchmarkEventUnpack-12 642 642 +0.00% ```
v1v
added a commit
to v1v/beats
that referenced
this pull request
Jan 31, 2022
…k-version-after-8-0-creation * upstream/master: (69 commits) Update stale config following (elastic#30082) Make include_matches backwards compatible with 7.x config (elastic#30032) [Filebeat] Update handling of elasticsearch server logs (elastic#30018) Remove SSL3 support from libbeat and its documentation. (elastic#30071) Revert "Packaging: rename arm64 suffix to aarch64 in the tar.gz artifacts ONLY (elastic#28813)" (elastic#30083) [libbeat] Add script processor to all beats (elastic#29752) Add fonts to support more different types of characters for multiple languages (elastic#29861) libbeat/reader: Fix messge conversion to beat.Event (elastic#30057) probot[stale]: ignore issues with the tag flaky-test (elastic#30065) [DOCS] Add redirect for GSuite module (elastic#30034) [Automation] Update elastic stack version to 8.1.0-aa69d697 for testing (elastic#30012) Remove msitools install for windows build, using the latest docker image with msitools preinstalled (elastic#30040) filebeat/generator/fields: fix dropped error (elastic#29943) Include the error message with auditd module events (elastic#30009) [Metricbeat] gcp: add firestore metricset (elastic#29918) probot: update stale dates (elastic#29997) Metricbeat enterprise search module: add xpack.enabled support (elastic#29871) x-pack/packetbeat: install Npcap at start-up when required (elastic#29112) [Filebeat] Fix panic in decode_cef when recovering from invalid data (elastic#30038) Correctly fixe how selected packages are defined (elastic#30039) ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
When recovering from an invalid extension value the escape sequence state was
not cleared. This caused the parser to attempt to unescape the next extension which
resulted in invalid data or a panic.
Fixes #30010
Why is it important?
The parser could panic.
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Author's Checklist
Related issues