websocket: Fix crash for fragmented messages

The &transient attribute does not work well with $element as that won't
be available within &until anymore apparently.

Found after a few seconds building out the fuzzer.

src/analyzer/protocol/websocket/websocket-protocol.pac

@@ -80,7 +80,7 @@ type WebSocket_Message = record {
 	first_frame: WebSocket_Frame(true, this);
 	optional_more_frames: case first_frame.hdr.b.fin of {
 		true -> no_more_frames: empty;
-		false -> more_frames: WebSocket_Frame(false, this)[] &until($element.hdr.b.fin) &transient;
+		false -> more_frames: WebSocket_Frame(false, this)[] &until($element.hdr.b.fin);
 	};
 } &let {
 	opcode = first_frame.hdr.b.opcode;

testing/btest/Baseline/scripts.base.protocols.websocket.events/out

@@ -89,3 +89,40 @@ websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, close, payload_le
 websocket_close, CHhAvVGS1DHFjwGM9, T, status, 1000, reason, 
 websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 2, data, \x03\xe8
 websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, close
+message-too-big-status.pcap
+websocket_established, CHhAvVGS1DHFjwGM9, 7, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=127.0.0.1, orig_p=60956/tcp, resp_h=127.0.0.1, resp_p=8080/tcp], host=localhost:8080, uri=/, user_agent=Python/3.10 websockets/12.0, subprotocol=v1, client_protocols=[v1], server_extensions=<uninitialized>, client_extensions=[permessage-deflate; client_max_window_bits], client_key=iTel1Ova5Nhz/G7VlI2qKg==, server_accept=YsQYYLj7ZCpzTLsVLb+w/ydy79E=]
+websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, ping, payload_len, 4
+websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 4, data, Zeek
+websocket_message, CHhAvVGS1DHFjwGM9, F, opcode, ping
+websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, close, payload_len, 31
+websocket_close, CHhAvVGS1DHFjwGM9, T, status, 1009, reason, over size limit (4 > 2 bytes)
+websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 31, data, \x03\xf1over size limit (4 > 2 bytes)
+websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, close
+websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, close, payload_len, 2
+websocket_close, CHhAvVGS1DHFjwGM9, F, status, 1000, reason, 
+websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 2, data, \x03\xe8
+websocket_message, CHhAvVGS1DHFjwGM9, F, opcode, close
+two-binary-fragments.pcap
+websocket_established, CHhAvVGS1DHFjwGM9, 7, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=127.0.0.1, orig_p=50198/tcp, resp_h=127.0.0.1, resp_p=8080/tcp], host=localhost:8080, uri=/, user_agent=Python/3.10 websockets/12.0, subprotocol=v1, client_protocols=[v1], server_extensions=<uninitialized>, client_extensions=[permessage-deflate; client_max_window_bits], client_key=cQGA5Z1nvyUJ9XOVIaLaQA==, server_accept=zWaHVUKxEGPDs+xJeKtzkE1bm54=]
+websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, ping, payload_len, 4
+websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 4, data, Zeek
+websocket_message, CHhAvVGS1DHFjwGM9, F, opcode, ping
+websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, pong, payload_len, 4
+websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 4, data, Zeek
+websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, pong
+websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, binary, payload_len, 11
+websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 11, data, Hello Zeek!
+websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, binary
+websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, F, rsv, 0, opcode, binary, payload_len, 5
+websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 5, data, Hello
+websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, continuation, payload_len, 7
+websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 7, data,  there!
+websocket_message, CHhAvVGS1DHFjwGM9, F, opcode, binary
+websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, close, payload_len, 2
+websocket_close, CHhAvVGS1DHFjwGM9, T, status, 1000, reason, 
+websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 2, data, \x03\xe8
+websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, close
+websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, close, payload_len, 2
+websocket_close, CHhAvVGS1DHFjwGM9, F, status, 1000, reason, 
+websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 2, data, \x03\xe8
+websocket_message, CHhAvVGS1DHFjwGM9, F, opcode, close

testing/btest/scripts/base/protocols/websocket/events.zeek

@@ -6,6 +6,10 @@
 # @TEST-EXEC: zeek -b -r $TRACES/websocket/wstunnel-http.pcap %INPUT >>out
 # @TEST-EXEC: echo "broker-websocket.pcap" >>out
 # @TEST-EXEC: zeek -b -r $TRACES//websocket/broker-websocket.pcap %INPUT >>out
+# @TEST-EXEC: echo "message-too-big-status.pcap" >>out
+# @TEST-EXEC: zeek -b -r $TRACES//websocket/message-too-big-status.pcap %INPUT >>out
+# @TEST-EXEC: echo "two-binary-fragments.pcap" >>out
+# @TEST-EXEC: zeek -b -r $TRACES//websocket/two-binary-fragments.pcap %INPUT >>out
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: test ! -f analyzer.log
 # @TEST-EXEC: test ! -f weird.log