Other than the CheckString function, how to return a whole complete raw string that may embed NUL characters in a bif function?


In the demo plugin provided by the zeek doc, it implements a rot13 function, which uses the CheckString() function to return a string from zeek script for further processing, as I quote here:

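function rot13%(s: string%) : string
    %{
    // CheckString() yields a NUL-terminated C string and reports an error on embedded NULs.
    char* rot13 = util::copy_string(s->CheckString());
    // strlen() measures only up to the first NUL byte.
    zeek::String* zs = new zeek::String(1, reinterpret_cast<byte_vec>(rot13), strlen(rot13));
    return make_intrusive<StringVal>(zs);
    %}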

A zeek script can call this rot13 function, and pass a string s as an argument. The function will first return the s to a c string, and copy it to the rot13 pointer.

The function works well on normal strings, but when I pass a raw string that embeds NUL characters, it throws errors:

$ zeek -e 'print Demo::rot13("\x00*\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x04gsta\x03com\x00\x00\x01\x00\x01")'
error in <command line>, line 3: string with embedded NUL: "\x00*\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x04gsta\x03com\x00\x00\x01\x00\x01"
fatal error in <command line>, line 3: errors occurred while initializing

This particular kind of error is actually explained in the comments of the CheckString() function, as I quote:

 /**
  * Returns a character-string representation of the stored bytes. This
  * method doesn't do any extra rendering or character conversions. If
  * null characters are found in the middle of the data or if the data
  * is missing a closing null character, an error string is returned and
  * a error is reported.
  */
 const char* CheckString() const;

However, what if I want to process a raw string that may contain NUL characters, is there any alternative function I can use other than the CheckString?

For example, the event tcp_contents specifies a contents argument which is the raw payload of a tcp session, which may contain special characters such as NUL. And if I try to pass it to a bif function, similar to the rot13 function, what’s the appropriate method to pre-process it to a c string (including the whole complete raw string) and copy to a char pointer?

It seems there are no further instructions in the zeek doc, and I haven’t found any alternative function in the ZeekString.h that is suitable for this purpose.

Thank you!

You can use ZeekString::Bytes() and ZeekString::Len():

The decode_base64() bif is where it is used in Base64.cc:

Hope that helps,

Thank you so much for your help, I’ll give it a try.

The functions work, so Bytes() and Len() are appropriate functions to process raw bytes. Thanks again!
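
An added illustration of why the Bytes()/Len() pair from the answer carries the whole payload where a C string cannot; it is not code from this thread or from Zeek. `RawString` and the function names are hypothetical stand-ins, and the strlen-based path shows plain C-string truncation rather than CheckString()'s error reporting.

```cpp
// Added example: stand-alone C++, not Zeek source code.
#include <cstring>
#include <iostream>
#include <string>

// Hypothetical stand-in exposing only the Bytes()/Len() pair named in the answer.
struct RawString {
    std::string data;  // carries an explicit length, so embedded NULs survive
    const unsigned char* Bytes() const {
        return reinterpret_cast<const unsigned char*>(data.data());
    }
    int Len() const { return static_cast<int>(data.size()); }
};

// rot13 over exactly n bytes; every non-letter byte, NUL included, is copied as is.
std::string rot13_bytes(const unsigned char* p, int n) {
    std::string out(reinterpret_cast<const char*>(p), static_cast<std::size_t>(n));
    for (char& c : out) {
        if (c >= 'a' && c <= 'z') c = static_cast<char>('a' + (c - 'a' + 13) % 26);
        else if (c >= 'A' && c <= 'Z') c = static_cast<char>('A' + (c - 'A' + 13) % 26);
    }
    return out;
}

// Length-aware path: pointer plus explicit length, no terminator assumed.
std::string rot13_raw(const RawString& s) { return rot13_bytes(s.Bytes(), s.Len()); }

// C-string path: strlen() stops at the first NUL and silently drops the rest.
std::string rot13_cstr(const RawString& s) {
    const char* c = s.data.c_str();
    return rot13_bytes(reinterpret_cast<const unsigned char*>(c),
                       static_cast<int>(std::strlen(c)));
}

// Constructed sample: the byte string from the question's zeek -e command.
RawString sample_payload() {
    static const char raw[] =
        "\x00*\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x04gsta\x03" "com"
        "\x00\x00\x01\x00\x01";
    return RawString{std::string(raw, sizeof(raw) - 1)};  // -1 drops the literal's own NUL
}

int main() {
    RawString in = sample_payload();
    std::cout << "input bytes:      " << in.Len() << "\n"
              << "length-aware out: " << rot13_raw(in).size() << "\n"
              << "strlen-based out: " << rot13_cstr(in).size() << "\n";
}
```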