From 0eccd8a7a2737c9bcf61e8439f396d85c5f6f68a Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Thu, 23 Mar 2023 17:08:14 +0100
Subject: [PATCH] generic-analyzer-fuzzer: Detect disable_analyzer() from scripts
Test if the analyzer is removed from the TCPSessionAdapter during event processing. If we don't do this, we continue feeding the analyzer even if scripts decided to disable the analyzer. The analyzer instance isn't flagged as disabled itself, so we need to look at the parent's children.
---
 src/fuzzers/generic-analyzer-fuzzer.cc | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/fuzzers/generic-analyzer-fuzzer.cc b/src/fuzzers/generic-analyzer-fuzzer.cc
index 20a9aff91f..4526f2edad 100644
--- a/src/fuzzers/generic-analyzer-fuzzer.cc
+++ b/src/fuzzers/generic-analyzer-fuzzer.cc
@@ -35,11 +35,12 @@ static zeek::Connection* add_connection()
 return conn;
 }
-static zeek::analyzer::Analyzer* add_analyzer(zeek::Connection* conn)
+static std::pair
+add_analyzer(zeek::Connection* conn, zeek::Tag tag)
 {
 auto* tcp = new zeek::packet_analysis::TCP::TCPSessionAdapter(conn);
 auto* pia = new zeek::analyzer::pia::PIA_TCP(conn);
- auto a = zeek::analyzer_mgr->InstantiateAnalyzer(TOSTRING(ZEEK_FUZZ_ANALYZER), conn);
+ auto a = zeek::analyzer_mgr->InstantiateAnalyzer(tag, conn);
 if ( ! a )
 {
 fprintf(stderr, "Unknown or unsupported analyzer %s found\n", TOSTRING(ZEEK_FUZZ_ANALYZER));
@@ -49,7 +50,7 @@ static zeek::analyzer::Analyzer* add_analyzer(zeek::Connection* conn)
 tcp->AddChildAnalyzer(a);
 tcp->AddChildAnalyzer(pia->AsAnalyzer());
 conn->SetSessionAdapter(tcp, pia);
- return a;
+ return {a, tcp};
 }
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
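Review bot: The new pair return hands back two raw pointers without saying who owns them; `conn->SetSessionAdapter(tcp, pia)` and `tcp->AddChildAnalyzer(a)` in this function indicate the connection and the adapter take ownership, so the caller must never delete either, and a comment above the new signature should state that, e.g. `// Returns the analyzer under test and the TCPSessionAdapter it hangs off; both are owned by conn (via AddChildAnalyzer / SetSessionAdapter), not by the caller.` As rendered here the return type reads as a bare `std::pair` — presumably the template arguments were dropped in extraction and the committed line spells out `std::pair<zeek::analyzer::Analyzer*, zeek::packet_analysis::TCP::TCPSessionAdapter*>`, but that is worth confirming. The `! a` branch continues outside the hunk; note that `tcp` and `pia` are already allocated when it is taken, which is pre-existing but now also the path an unresolved tag lands on.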
@@ -59,8 +60,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
 if ( ! fb.Valid() )
 return 0;
+ auto tag = zeek::analyzer_mgr->GetComponentTag(TOSTRING(ZEEK_FUZZ_ANALYZER));
 auto conn = add_connection();
- auto a = add_analyzer(conn);
+ auto [a, tcp] = add_analyzer(conn, tag);
 for ( ;; )
 {
@@ -79,6 +81,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
 chunk = {};
 zeek::event_mgr.Drain();
+
+ // Has the analyzer been disabled during event processing?
+ if ( ! tcp->HasChildAnalyzer(tag) )
+ break;
 }
 zeek::detail::fuzzer_cleanup_one_input();
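Review bot: The new loop exit keys on the analyzer's tag rather than on the instance `a` that the loop is feeding, so if another child of the same tag were attached to `tcp` in the meantime (the PIA_TCP sibling registered in add_analyzer is the kind of component that can do that), `HasChildAnalyzer(tag)` would stay true and the harness would keep pushing data into an analyzer that scripts already disabled. If the analyzer API offers an ID-based lookup that honours removal, `if ( ! tcp->FindChild(a->GetID()) ) break;` would pin the check to the exact instance — confirm against Analyzer.h that such a lookup skips children marked for removal, as the tag-based one evidently does. Either way the comment should say why the parent is consulted instead of `a` itself, e.g. `// disable_analyzer() only detaches the analyzer from its parent; a itself carries no disabled flag, so ask tcp whether it still has a child of this tag.` The enclosing loop body starts before this hunk.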