From a35cd2a726a59419e7e91d30dac19aedd850cdd1 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Tue, 8 Dec 2020 11:20:02 -0800
Subject: [PATCH] GH-1321: Prevent compounding of `connection_status_update`
 event timers

Particularly for ICMP connections, a new timer got added every time a
`connection` record was updated even if there was still a pending timer
for that connection.
---
 src/Conn.cc                                      |   3 +++
 .../Baseline/core.connection_status_update/out   |   6 ++++++
 testing/btest/Traces/icmp/5-pings.pcap           | Bin 0 -> 1164 bytes
 testing/btest/core/connection_status_update.zeek |  11 +++++++++++
 4 files changed, 20 insertions(+)
 create mode 100644 testing/btest/Baseline/core.connection_status_update/out
 create mode 100644 testing/btest/Traces/icmp/5-pings.pcap
 create mode 100644 testing/btest/core/connection_status_update.zeek

diff --git a/src/Conn.cc b/src/Conn.cc
index 8baf383cfb..1a27863f94 100644
--- a/src/Conn.cc
+++ b/src/Conn.cc
@@ -322,6 +322,9 @@ void Connection::SetInactivityTimeout(double timeout)
 
 void Connection::EnableStatusUpdateTimer()
 	{
+	if ( installed_status_timer )
+		return;
+
 	if ( connection_status_update && zeek::detail::connection_status_update_interval )
 		{
 		ADD_TIMER(&Connection::StatusUpdateTimer,
diff --git a/testing/btest/Baseline/core.connection_status_update/out b/testing/btest/Baseline/core.connection_status_update/out
new file mode 100644
index 0000000000..8488912f19
--- /dev/null
+++ b/testing/btest/Baseline/core.connection_status_update/out
@@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+new_connection, [orig_h=172.16.133.2, orig_p=8/icmp, resp_h=172.217.11.78, resp_p=0/icmp]
+connection_status_update, 1, [orig_h=172.16.133.2, orig_p=8/icmp, resp_h=172.217.11.78, resp_p=0/icmp]
+connection_status_update, 2, [orig_h=172.16.133.2, orig_p=8/icmp, resp_h=172.217.11.78, resp_p=0/icmp]
+connection_status_update, 3, [orig_h=172.16.133.2, orig_p=8/icmp, resp_h=172.217.11.78, resp_p=0/icmp]
+connection_status_update, 4, [orig_h=172.16.133.2, orig_p=8/icmp, resp_h=172.217.11.78, resp_p=0/icmp]
diff --git a/testing/btest/Traces/icmp/5-pings.pcap b/testing/btest/Traces/icmp/5-pings.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..61e32c996e4d5a5e0f1c9a4b946fe2977f828979
GIT binary patch
literal 1164
zcmca|c+)~A1{MYcU}0bca=Oo-kAK3;&yWOUgYdHE=R6Zq7<e?#8;Ei+xH2$=Ov!R!
zaA4favPPhlY0XV;KMscXDlDfM7(qHgrrieW1_1#<Az=|wF>wh=DQOv5Ie7&|C1n*=
zHFXV5Eo~iLJ$(a1BV!X&GxHvxzIY>uZ6F&Vc0ud~+Ni(~0un4_Oz;QU2C|ib;XB1P
zrVHZr<2sNZ_Z&d@v0MS@M<$S4L9Ph`>IMN~{n!iC_e+yBKh{%hqn-#pKTb6R`_Tg7
z$4xRoKQe>d3i6v6P&Wt=>&HHzK9>N}{J4u^8<&aU_2X=iA9r6y_|ZfX=tmZiTS0!C
z4Acz*#QL!xsBfP)X@0b!*v4cje14oJ4EAF*!jCl~KtHmA+zRrW7f?3{5bMVYKz)W@
Kr1`OhA{zmdnDs3H

literal 0
HcmV?d00001

diff --git a/testing/btest/core/connection_status_update.zeek b/testing/btest/core/connection_status_update.zeek
new file mode 100644
index 0000000000..6716113fab
--- /dev/null
+++ b/testing/btest/core/connection_status_update.zeek
@@ -0,0 +1,11 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/icmp/5-pings.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+global update_count = 0;
+global connection_status_update_interval = 1sec;
+
+event new_connection(c: connection)
+	{ print "new_connection", c$id; }
+
+event connection_status_update(c: connection)
+	{ print "connection_status_update", ++update_count, c$id; }