parser: Fix EXECVE for very long commmand lines

argv can be longer than 2^16 elements. Because the number part couldn't be parsed, those arguments would presumably be turned into regular keys. Changing the value from u16 to u32 fixes this. The fallback function for regular key/value pairs is removed.
threathunters-io · Dec 27, 2023 · 7b03ca6 · 7b03ca6
1 parent 6799293
commit 7b03ca6
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 9 deletions.
diff --git a/src/parser.rs b/src/parser.rs
@@ -233,10 +233,14 @@ fn parse_body(
 fn parse_kv(input: &[u8], ty: MessageType) -> IResult<&[u8], (Key, PValue)> {
     let (input, key) = match ty {
         // Special case for execve arguments: aX, aX[Y], aX_len
-        msg_type::EXECVE if !input.is_empty() && input[0] == b'a' => terminated(
-            alt((parse_key_a_x_len, parse_key_a_xy, parse_key_a_x, parse_key)),
-            tag("="),
-        )(input),
+        msg_type::EXECVE
+            if !input.is_empty() && input[0] == b'a' && !input.starts_with(b"argc") =>
+        {
+            terminated(
+                alt((parse_key_a_x_len, parse_key_a_xy, parse_key_a_x)),
+                tag("="),
+            )(input)
+        }
         // Special case for syscall params: aX
         msg_type::SYSCALL => terminated(alt((parse_key_a_x, parse_key)), tag("="))(input),
         _ => terminated(parse_key, tag("="))(input),
@@ -490,15 +494,15 @@ fn parse_key(input: &[u8]) -> IResult<&[u8], Key> {
 /// Recognize length specifier for EXECVE split arguments, e.g. a1_len
 #[inline(always)]
 fn parse_key_a_x_len(input: &[u8]) -> IResult<&[u8], Key> {
-    map(delimited(tag("a"), dec_u16, tag("_len")), Key::ArgLen)(input)
+    map(delimited(tag("a"), dec_u32, tag("_len")), Key::ArgLen)(input)
 }
 
 /// Recognize EXECVE split arguments, e.g. a1[3]
 #[inline(always)]
 fn parse_key_a_xy(input: &[u8]) -> IResult<&[u8], Key> {
     map(
         pair(
-            preceded(tag("a"), dec_u16),
+            preceded(tag("a"), dec_u32),
             delimited(tag("["), dec_u16, tag("]")),
         ),
         |(x, y)| Key::Arg(x, Some(y)),
@@ -508,7 +512,7 @@ fn parse_key_a_xy(input: &[u8]) -> IResult<&[u8], Key> {
 /// Recognize SYSCALL, EXECVE regular argument keys, e.g. a1, a2, a3…
 #[inline(always)]
 fn parse_key_a_x(input: &[u8]) -> IResult<&[u8], Key> {
-    map(preceded(tag("a"), u16), |x| Key::Arg(x, None))(input)
+    map(preceded(tag("a"), u32), |x| Key::Arg(x, None))(input)
 }
 
 /// Recognize identifiers (used in some irregular messages)

diff --git a/src/types.rs b/src/types.rs
@@ -261,9 +261,9 @@ pub enum Key {
     /// translated / "enriched" values
     NameTranslated(NVec),
     /// `a0`, `a1`, `a2[0]`, `a2[1]`…
-    Arg(u16, Option<u16>),
+    Arg(u32, Option<u16>),
     /// `a0_len` …
-    ArgLen(u16),
+    ArgLen(u32),
     Literal(&'static str),
 }