salesforce / GQUIC_Protocol_Analyzer

GQUIC Protocol Analyzer for Zeek (Bro) Network Security Monitor

infinite loop in main.zeek gquic_hello event handler (zeek 3.1.5) #11

Open bv3 opened 3 years ago

bv3 commented 3 years ago

Zeek 3.1.5 workers are unresponsive as soon as they see a gquic hello packet, and can only be terminated with a kill -9 command. The cyu fingerprint construction loop in main.zeek never ends. Inserting a print statement at the top of the first gquic_hello event handler prints a 19-digit (decimal) value for the HeIn$tag variable that provides the loop exit condition.

Command line zeek output from print_raw(fmt("\nHeIn$tag = %d\n\n", HeIn$tag)); at line 46 in main.zeek:

$ zeek -C -r Q046.pcap

HeIn$tag = 4624633867356078080

^Z
[1]+  Stopped                 zeek -C -r Q046.pcap
$ kill -9 %1
[1]+  Killed                  zeek -C -r Q046.pcap
$ 

It turns out that Zeek 3.1.x removed all numeric constructors from the Val class except Val(double, TypeTag). Now, new Val objects constructed from an unsigned integer convert it to double and store it in a union on the plugin side, which is later retrieved as an unsigned integer on the script side. The easiest fix is to call new ValManager methods to get preallocated numeric Val objects by replacing all new Val(...) with val_mgr->Get...().

Please see the following branch in our fork, which includes the above plus a couple other commits for building the plugin under Zeek 3.1.5: https://github.com/bluvectorcyber/GQUIC_Protocol_Analyzer/commits/updates-for-zeek-3.1.5

Also, there's a new corelight/zeek-quic plugin that merged similar changes before adding support for Zeek 3.2.x: https://github.com/corelight/zeek-quic/commits/master
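To make the failure mode concrete, here is an added illustration (not code from this plugin or from Zeek) that models the type confusion described above with a simplified two-member union standing in for the plugin-side value cell; `ValCell`, `store_via_double_ctor`, `store_as_count` and `is_plausible_tag_count` are all hypothetical names. It also shows that a tag count of 15 stored through the double constructor reads back as exactly the 19-digit value printed in the session above, and adds the bound a defensive handler can apply, since a GQUIC handshake message carries its entry count in a 16-bit field.

```cpp
#include <cstdint>
#include <cstring>

// Simplified stand-in for the plugin-side numeric cell. This is NOT Zeek's
// real Val layout, just the one-union-many-readers shape the issue describes.
union ValCell {
    double   double_val;
    uint64_t uint_val;
};

// Broken path: the only numeric constructor left takes a double, so an
// unsigned tag count is implicitly converted before it is stored.
ValCell store_via_double_ctor(uint64_t tag_count) {
    ValCell v;
    v.double_val = static_cast<double>(tag_count);
    return v;
}

// Fixed path: the count is placed in the integer member, which is what a
// type-aware factory (val_mgr->GetCount() in Zeek 3.1.x) preserves.
ValCell store_as_count(uint64_t tag_count) {
    ValCell v;
    v.uint_val = tag_count;
    return v;
}

// Script side: the cell is read back as an unsigned count regardless of how
// it was written. memcpy makes the reinterpretation well-defined in C++.
uint64_t read_as_count(const ValCell& v) {
    uint64_t out;
    std::memcpy(&out, &v, sizeof out);
    return out;
}

// Defensive bound for a tag-iteration loop: the GQUIC handshake message
// header stores the number of tag/value entries in a uint16, so anything
// larger cannot be a real count and should abort the loop rather than run it.
bool is_plausible_tag_count(uint64_t tag_count) {
    return tag_count <= 0xFFFFu;
}
```

A count of 15 written through the double path reads back as 4624633867356078080 (the IEEE-754 bit pattern of 15.0), which is why a `while (i < HeIn$tag)` loop effectively never terminates.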

mmguero commented 2 years ago

FWIW salesforce/GQUIC_Protocol_Analyzer#14 has been pulled now bringing this plugin up to date for zeek v4.1, so this may not be an issue any more.