From 396fb895044db228d1f82b2876d5f0f036b0a2b3 Mon Sep 17 00:00:00 2001
From: Benjamin Bannier
Date: Tue, 19 Jul 2022 12:20:45 +0200
Subject: [PATCH] Remove use of fallible `get_conn_transport_proto` in `analyzer_violation`.

When setting up the DPD info we previously would get the `transport_proto` for the connection with `get_conn_transport_proto`. This function takes a `conn_id` and would fail fatally if the connection for the given ID was unknown. It seems it was possible to run into such scenarios when the `analyzer_violation` event was processed after the connection had been cleaned up. We now get the `transport_proto` directly from the ports in the `connection` passed into `analyzer_violation` via `get_port_transport_proto` which cannot fail.
---
 scripts/base/frameworks/dpd/main.zeek | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/base/frameworks/dpd/main.zeek b/scripts/base/frameworks/dpd/main.zeek
index b00a600dc1..7e8283b2c7 100644
--- a/scripts/base/frameworks/dpd/main.zeek
+++ b/scripts/base/frameworks/dpd/main.zeek
@@ -79,7 +79,7 @@ event analyzer_violation(c: connection, atype: AllAnalyzers::Tag, aid: count,
 info$ts=network_time();
 info$uid=c$uid;
 info$id=c$id;
- info$proto=get_conn_transport_proto(c$id);
+ info$proto=get_port_transport_proto(c$id$orig_p);
 info$analyzer=analyzer;
 info$failure_reason=reason;
 c$dpd = info;
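Review bot: The new line `info$proto=get_port_transport_proto(c$id$orig_p);` carries no comment saying why the port-based lookup is used, so a later cleanup could switch it back to `get_conn_transport_proto(c$id)` and reintroduce the fatal failure when the connection has already been cleaned up. I would add `# Derive proto from the port: get_conn_transport_proto() fails fatally once the connection is gone.` directly above it. The diffstat shows only main.zeek changed, so no regression test covers a violation processed after connection teardown; since a failure at this point presumably loses the dpd.log record for that violation, a test for that ordering would be worth adding. The `analyzer_violation` handler starts and ends outside this hunk, so any other lookups by `conn_id` in it are not visible here and should be checked the same way.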