Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cherry-pick to 5.3: Fix handling of empty strings in UTF16BytesToString. #3714

merged 1 commit into from Mar 2, 2017


None yet
2 participants
Copy link

commented Mar 2, 2017

Cherry-pick of PR #3705 to 5.3 branch. Original message:


I encountered a bug while using winlogbeat on Windows Server 2003.
Some events had errors in them:

{'@timestamp': '2017-03-01T08:53:18.000Z',
 '@version': '1',
 'beat': {'hostname': '...', 'name': '..', 'version': '5.2.1'},
 'computer_name': '...',
 'event_id': 540,
 'host': '...',
 'level': 'Audit Success',
 'log_name': 'Security',
 'message_error': 'Slice must have an even length (length=141)',
 'record_number': '1209',
 'source_name': 'Security',
 'tags': ['beats_input_raw_event'],
 'type': 'eventlogging',
 'user': {'...'}}

It seems to be a bug in the UTF16BytesToString function.
The function does not detect empty strings correctly (due to an off-by-one check on the return value of indexNullTerminator), and it creates a misaligned offset in the buffer.

I added a test and fixed it.

For completeness, this is an example of a 'bad' record I had (encoded in hex):

Fix handling of empty strings in UTF16BytesToString. (#3705)
* Fix handling of empty strings in UTF16BytesToString.

(cherry picked from commit 65b9385)

@andrewkroh andrewkroh merged commit 65e5005 into elastic:5.3 Mar 2, 2017

4 checks passed

CLA Commit author has signed the CLA
continuous-integration/appveyor/pr AppVeyor build succeeded
continuous-integration/travis-ci/pr The Travis CI build passed
default Build finished.

@andrewkroh andrewkroh deleted the andrewkroh:backport_3705_5.3 branch Jul 5, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.