
Refactor and update packetbeat DHCP parsers #48414

Merged
fearful-symmetry merged 19 commits into elastic:main from fearful-symmetry:packetbeat-parsers-array-checks
Feb 6, 2026

Conversation


@fearful-symmetry fearful-symmetry commented Jan 13, 2026

Proposed commit message

This is a rather large PR that completely updates the DHCPv4 parser for a number of reasons:

  1. Numerous portions of the code did not properly handle malformed data, making it easy to craft packets that could crash packetbeat.
  2. A lot of the above-mentioned buggy code came from custom logic rendered obsolete by newer versions of the DHCP parsing library we were using.
  3. Our code did not conform to the DHCPv4 spec; some options, such as router, allow for multiple address fields, although we only parsed the first field.

Putting this in draft, as there are portions of the code I need to clean up, and I would like to add more tests.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

The router field now returns a list, and not a single address. Returning a single address is technically not in spec, and was a bug.
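
An added example, not code from this pull request or from packetbeat: a standalone Go parser showing the two properties the description calls out, a length check before every read of untrusted option bytes and a Router option (code 3, RFC 2132) decoded as a list of addresses. The function name and the sample bytes are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// routersFromOptions walks a DHCPv4 options field (the bytes after the magic
// cookie) and returns every Router address, checking lengths before each read.
func routersFromOptions(opts []byte) ([]netip.Addr, error) {
	var routers []netip.Addr
	for i := 0; i < len(opts); {
		code := opts[i]
		i++
		if code == 0 { // Pad: a single byte with no length field
			continue
		}
		if code == 255 { // End: nothing after this is an option
			break
		}
		if i >= len(opts) {
			return nil, fmt.Errorf("option %d: missing length byte", code)
		}
		n := int(opts[i])
		i++
		if n > len(opts)-i {
			return nil, fmt.Errorf("option %d: length %d exceeds %d remaining bytes", code, n, len(opts)-i)
		}
		val := opts[i : i+n]
		i += n
		if code != 3 { // only Router (code 3) is decoded in this example
			continue
		}
		if n == 0 || n%4 != 0 {
			return nil, fmt.Errorf("router option: length %d is not a positive multiple of 4", n)
		}
		for j := 0; j < n; j += 4 {
			var a [4]byte
			copy(a[:], val[j:j+4])
			routers = append(routers, netip.AddrFrom4(a))
		}
	}
	return routers, nil
}

func main() {
	// Constructed sample: Router option with two addresses, then End.
	fmt.Println(routersFromOptions([]byte{3, 8, 192, 0, 2, 1, 192, 0, 2, 2, 255}))
}
```

A truncated or mis-sized option returns an error to the caller instead of indexing past the end of the slice, which in Go would panic.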

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jan 13, 2026
@github-actions

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)


mergify bot commented Jan 13, 2026

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @fearful-symmetry? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@fearful-symmetry fearful-symmetry marked this pull request as ready for review January 16, 2026 22:01
@fearful-symmetry fearful-symmetry requested review from a team as code owners January 16, 2026 22:01
@pierrehilbert pierrehilbert added the Team:Security-Linux Platform Linux Platform Team in Security Solution label Jan 19, 2026
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jan 19, 2026
@elasticmachine

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

@fearful-symmetry fearful-symmetry added the backport-active-all Automated backport with mergify to all the active branches label Jan 20, 2026

@cmacknz cmacknz left a comment

Approving go.mod changes.

@fearful-symmetry fearful-symmetry merged commit a64fa45 into elastic:main Feb 6, 2026
206 of 207 checks passed

github-actions bot commented Feb 6, 2026

@Mergifyio backport 8.19 9.2 9.3


mergify bot commented Feb 6, 2026

backport 8.19 9.2 9.3

✅ Backports have been created

Details

Cherry-pick of a64fa45 has failed:

On branch mergify/bp/8.19/pr-48414
Your branch is up to date with 'origin/8.19'.

You are currently cherry-picking commit a64fa457c.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   NOTICE.txt
	new file:   changelog/fragments/1768328474-refactor-dhcpv4-fix-parsing-bugs.yaml
	modified:   packetbeat/decoder/decoder.go
	modified:   packetbeat/protos/dhcpv4/dhcpv4.go
	modified:   packetbeat/protos/dhcpv4/dhcpv4_test.go
	deleted:    packetbeat/protos/dhcpv4/option_ip_address.go
	deleted:    packetbeat/protos/dhcpv4/option_ip_addresses.go
	deleted:    packetbeat/protos/dhcpv4/option_text.go
	modified:   packetbeat/protos/dhcpv4/options.go

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   go.mod
	both modified:   go.sum

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

mergify bot pushed a commit that referenced this pull request Feb 6, 2026
* working

* fix typo

* format

* add changelog

* cleanup

* still cleaning up

* add tests

* update changelog

* update go files

(cherry picked from commit a64fa45)

# Conflicts:
#	go.mod
#	go.sum
mergify bot pushed a commit that referenced this pull request Feb 6, 2026
* working

* fix typo

* format

* add changelog

* cleanup

* still cleaning up

* add tests

* update changelog

* update go files

(cherry picked from commit a64fa45)
mergify bot pushed a commit that referenced this pull request Feb 6, 2026
* working

* fix typo

* format

* add changelog

* cleanup

* still cleaning up

* add tests

* update changelog

* update go files

(cherry picked from commit a64fa45)

Labels

backport-active-all Automated backport with mergify to all the active branches Team:Security-Linux Platform Linux Platform Team in Security Solution


5 participants