Fix SumStats::observe key normalization logic

The loop over Reducers in SumStats::observe performs a key normalization and inadvertently modifies the key used for subsequent iterations. Reported by Jim Mellander.
2025-10-05 16:18:19 +00:00 · 2018-08-13 17:40:06 -05:00 · 2018-08-13 17:40:06 -05:00 · 5821c16490
commit 5821c16490
parent 2d47586473
3 changed files with 8 additions and 4 deletions
--- a/5
+++ b/5
@ -1,4 +1,9 @@

+2.5-840 | 2018-08-13 17:40:06 -0500
+
+  * Fix SumStats::observe key normalization logic
+    (reported by Jim Mellander and fixed by Jon Siwek, Corelight)
+
 2.5-839 | 2018-08-13 10:51:43 -0500

  * Make options redef-able by default. (Johanna Amann, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-2.5-839
+2.5-840
--- a/scripts/base/frameworks/sumstats/main.bro
+++ b/scripts/base/frameworks/sumstats/main.bro
@ -399,7 +399,7 @@ function create(ss: SumStat)
 	schedule ss$epoch { SumStats::finish_epoch(ss) };
 	}

-function observe(id: string, key: Key, obs: Observation)
+function observe(id: string, orig_key: Key, obs: Observation)
 	{
 	if ( id !in reducer_store )
 		return;
@ -407,8 +407,7 @@ function observe(id: string, key: Key, obs: Observation)
 	# Try to add the data to all of the defined reducers.
 	for ( r in reducer_store[id] )
 		{
-		if ( r?$normalize_key )
-			key = r$normalize_key(copy(key));
+		local key = r?$normalize_key ? r$normalize_key(copy(orig_key)) : orig_key;

 		# If this reducer has a predicate, run the predicate
 		# and skip this key if the predicate return false.
 @ -1 +1 @@
 .5-839
 .5-840