From bc868d72a19488a6fd43dc83f8ab05e3a9225b07 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Tue, 17 May 2016 16:13:33 -0700
Subject: [PATCH] Fix the way that child analyzers are added.
Bro contains functionality to add child analyzers delayed, so that an just added analyzer does not influence the list of current analyzers (which, in some combinations of mostly UDP and traffic replay by PIA can lead to duplicate packets sent to the analyzer). Sadly, this feature was broken sometime in the past, leading to the aforementioned duplicate packets. Re-enabling this also necessitated some changes in the analyzer manager, which immediately timed out all connections when that feature was re-enabled. There currently is no testcase (this is a bit hard to trigger); however, I will add one with a later fix for DTLS.
---
 src/analyzer/Analyzer.cc | 16 +++++++++++++++-
 src/analyzer/Analyzer.h | 4 ++++
 src/analyzer/Manager.cc | 8 --------
 3 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc
index b4048af467..5cf3fcb58d 100644
--- a/src/analyzer/Analyzer.cc
+++ b/src/analyzer/Analyzer.cc
@@ -395,7 +395,7 @@ bool Analyzer::AddChildAnalyzer(Analyzer* analyzer, bool init)
 // the list.
 analyzer->parent = this;
- children.push_back(analyzer);
+ new_children.push_back(analyzer);
 if ( init )
 analyzer->Init();
@@ -474,6 +474,13 @@ Analyzer* Analyzer::FindChild(ID arg_id)
 return child;
 }
+ LOOP_OVER_GIVEN_CHILDREN(i, new_children)
+ {
+ Analyzer* child = (*i)->FindChild(arg_id);
+ if ( child )
+ return child;
+ }
+
 return 0;
 }
@@ -489,6 +496,13 @@ Analyzer* Analyzer::FindChild(Tag arg_tag)
 return child;
 }
+ LOOP_OVER_GIVEN_CHILDREN(i, new_children)
+ {
+ Analyzer* child = (*i)->FindChild(arg_tag);
+ if ( child )
+ return child;
+ }
+
 return 0;
 }
diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h
index 83157aadde..df77a990ce 100644
--- a/src/analyzer/Analyzer.h
+++ b/src/analyzer/Analyzer.h
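Review bot: With `new_children.push_back(analyzer)` the analyzer is parented and, when `init` is set, initialized while it sits only in the pending queue, and nothing in the hunk shows how the other child-handling paths treat that queue. This commit extends only the two `FindChild` overloads; the removal path (`RemoveChildAnalyzer`), the duplicate check and teardown all lie outside the hunk, so it is worth confirming that each of them also walks `new_children`, otherwise a removal requested for a just-added analyzer could be missed and the analyzer would still receive packets once the queue is appended. A comment above the changed line would make the contract explicit, for example `// Queue the child; it joins 'children' only when the pending list is appended, so it sees no data before then`. The body of `AddChildAnalyzer` starts and ends outside this hunk.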
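Review bot: The loop added to `FindChild(ID arg_id)` repeats the loop directly above it with only the list changed, and the same copy appears in the `FindChild(Tag arg_tag)` hunk, with no comment saying why a second list is searched. A one-line comment above each added loop would help, e.g. `// Also search children queued by AddChildAnalyzer() that have not been appended yet`. The placement also fixes the lookup order: active children are searched before queued ones, so if an ID or tag is present in both lists the active analyzer is returned; if that is intended it deserves a word in the same comment. Both function bodies start outside their hunks.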
@@ -427,6 +427,10 @@ public:
 /**
 * Returns a list of all direct child analyzers.
+ *
+ * Note that this does not include the list of analyzers that are
+ * currently queued up to be added. If you just added an analyzer,
+ * it will not immediately be in this list.
 */
 const analyzer_list& GetChildren() { return children; }
diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc
index 67aa6a0d33..6082f433da 100644
--- a/src/analyzer/Manager.cc
+++ b/src/analyzer/Manager.cc
@@ -361,7 +361,6 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
 icmp::ICMP_Analyzer* icmp = 0;
 TransportLayerAnalyzer* root = 0;
 pia::PIA* pia = 0;
- bool analyzed = false;
 bool check_port = false;
 switch ( conn->ConnTransport() ) {
@@ -383,7 +382,6 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
 case TRANSPORT_ICMP: {
 root = icmp = new icmp::ICMP_Analyzer(conn);
 DBG_ANALYZER(conn, "activated ICMP analyzer");
- analyzed = true;
 break;
 }
@@ -495,16 +493,10 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
 if ( pia )
 root->AddChildAnalyzer(pia->AsAnalyzer());
- if ( root->GetChildren().size() )
- analyzed = true;
-
 conn->SetRootAnalyzer(root, pia);
 root->Init();
 root->InitChildren();
- if ( ! analyzed )
- conn->SetLifetime(non_analyzed_lifetime);
-
 PLUGIN_HOOK_VOID(HOOK_SETUP_ANALYZER_TREE, HookSetupAnalyzerTree(conn));
 return true;
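Review bot: The note added to `GetChildren()` documents that queued analyzers are not visible, but it leaves callers with no accessor that tells them whether an analyzer has any children at all, queued or active. The `Manager.cc` hunks in this commit show the consequence: the `root->GetChildren().size()` test is deleted together with `conn->SetLifetime(non_analyzed_lifetime)`, so in `BuildInitialAnalyzerTree` a connection that ends up with no analyzer no longer gets the shortened lifetime. That timeout appears to bound how long state is kept for traffic nothing will parse, which matters for connection-table growth under scan or flood load, so it is worth confirming the removal is intended rather than a workaround; if it is, the `non_analyzed_lifetime` option should be documented as no longer applied on this path. The doc comment could also point to the alternative, e.g. `* Use FindChild() to locate an analyzer that was just added.`, since the `FindChild` overloads changed in this commit do search the queue.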