Merge remote-tracking branch 'origin/topic/jsiwek/gh-1321-fix-connection-status-update-event'

* origin/topic/jsiwek/gh-1321-fix-connection-status-update-event: GH-1321: Prevent compounding of `connection_status_update` event timers
2025-10-02 14:48:21 +00:00 · 2020-12-09 10:51:49 -08:00 · 2020-12-09 10:51:49 -08:00 · 2ae452d8aa
commit 2ae452d8aa
parent 70d557c659 a35cd2a726
6 changed files with 35 additions and 1 deletions
--- a/14
+++ b/14
@ -1,4 +1,18 @@

+3.3.0-dev.634 | 2020-12-09 10:51:49 -0800
+
+  * GH-1321: Prevent compounding of `connection_status_update` event timers (Jon Siwek, Corelight)
+
+    Particularly for ICMP connections, a new timer got added every time a
+    `connection` record was updated even if there was still a pending timer
+    for that connection.
+
+  * Update Debug.cc to use setsignal() wrapper (Jon Siwek, Corelight)
+
+    So as to prefer sigaction() over either sigset() or signal(), which are
+    less favorable due to underspecification issues and some treating them
+    as obsolete/deprecated.
+
 3.3.0-dev.630 | 2020-12-07 16:52:52 -0800

  * Fix narrowing conversion compiler error in SMB error-response logic (Jon Siwek, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-3.3.0-dev.630
+3.3.0-dev.634
--- a/src/Conn.cc
+++ b/src/Conn.cc
@ -322,6 +322,9 @@ void Connection::SetInactivityTimeout(double timeout)

 void Connection::EnableStatusUpdateTimer()
 	{
+	if ( installed_status_timer )
+		return;
+
 	if ( connection_status_update && zeek::detail::connection_status_update_interval )
 		{
 		ADD_TIMER(&Connection::StatusUpdateTimer,
--- a/testing/btest/Baseline/core.connection_status_update/out
+++ b/testing/btest/Baseline/core.connection_status_update/out
@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+new_connection, [orig_h=172.16.133.2, orig_p=8/icmp, resp_h=172.217.11.78, resp_p=0/icmp]
+connection_status_update, 1, [orig_h=172.16.133.2, orig_p=8/icmp, resp_h=172.217.11.78, resp_p=0/icmp]
+connection_status_update, 2, [orig_h=172.16.133.2, orig_p=8/icmp, resp_h=172.217.11.78, resp_p=0/icmp]
+connection_status_update, 3, [orig_h=172.16.133.2, orig_p=8/icmp, resp_h=172.217.11.78, resp_p=0/icmp]
+connection_status_update, 4, [orig_h=172.16.133.2, orig_p=8/icmp, resp_h=172.217.11.78, resp_p=0/icmp]
--- a/testing/btest/Traces/icmp/5-pings.pcap
+++ b/testing/btest/Traces/icmp/5-pings.pcap
--- a/testing/btest/core/connection_status_update.zeek
+++ b/testing/btest/core/connection_status_update.zeek
@ -0,0 +1,11 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/icmp/5-pings.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+global update_count = 0;
+global connection_status_update_interval = 1sec;
+
+event new_connection(c: connection)
+	{ print "new_connection", c$id; }
+
+event connection_status_update(c: connection)
+	{ print "connection_status_update", ++update_count, c$id; }