Statically lookup field offsets for connection values in UDP and ICMP analyzers

2025-10-04 15:48:19 +00:00 · 2025-04-14 20:32:42 -07:00 · 2025-04-14 20:32:42 -07:00 · c2d8bc0620
commit c2d8bc0620
parent 928b648f93
4 changed files with 19 additions and 14 deletions
--- a/src/packet_analysis/protocol/icmp/ICMPSessionAdapter.cc
+++ b/src/packet_analysis/protocol/icmp/ICMPSessionAdapter.cc
@ -22,20 +22,22 @@ void ICMPSessionAdapter::AddExtraAnalyzers(Connection* conn) {
 }
 void ICMPSessionAdapter::UpdateConnVal(zeek::RecordVal* conn_val) {
-    const auto& orig_endp = conn_val->GetField("orig");
+    static const auto& conn_type = zeek::id::find_type<zeek::RecordType>("connection");
-    const auto& resp_endp = conn_val->GetField("resp");
+    static const int origidx = conn_type->FieldOffset("orig");
    static const int respidx = conn_type->FieldOffset("resp");
    auto* orig_endp_val = conn_val->GetFieldAs<RecordVal>(origidx);
    auto* resp_endp_val = conn_val->GetFieldAs<RecordVal>(respidx);
-    UpdateEndpointVal(orig_endp, true);
+    UpdateEndpointVal(orig_endp_val, true);
-    UpdateEndpointVal(resp_endp, false);
+    UpdateEndpointVal(resp_endp_val, false);
    analyzer::Analyzer::UpdateConnVal(conn_val);
 }
-void ICMPSessionAdapter::UpdateEndpointVal(const ValPtr& endp_arg, bool is_orig) {
+void ICMPSessionAdapter::UpdateEndpointVal(RecordVal* endp, bool is_orig) {
    Conn()->EnableStatusUpdateTimer();
    int size = is_orig ? request_len : reply_len;
    auto endp = endp_arg->AsRecordVal();
    if ( size < 0 ) {
        endp->Assign(0, val_mgr->Count(0));
--- a/src/packet_analysis/protocol/icmp/ICMPSessionAdapter.h
+++ b/src/packet_analysis/protocol/icmp/ICMPSessionAdapter.h
@ -13,7 +13,6 @@ public:
    void AddExtraAnalyzers(Connection* conn) override;
    void UpdateConnVal(RecordVal* conn_val) override;
    void UpdateEndpointVal(const ValPtr& endp, bool is_orig);
    void UpdateLength(bool is_orig, int len);
    void Done() override;
@ -22,6 +21,8 @@ public:
    void MatchEndpoint(const u_char* data, int len, bool is_orig);
 private:
    void UpdateEndpointVal(RecordVal* endp, bool is_orig);
    zeek::detail::RuleMatcherState matcher_state;
    int request_len = -1;
    int reply_len = -1;
--- a/src/packet_analysis/protocol/udp/UDPSessionAdapter.cc
+++ b/src/packet_analysis/protocol/udp/UDPSessionAdapter.cc
@ -23,19 +23,21 @@ void UDPSessionAdapter::AddExtraAnalyzers(Connection* conn) {
 }
 void UDPSessionAdapter::UpdateConnVal(RecordVal* conn_val) {
-    auto orig_endp = conn_val->GetField("orig");
+    static const auto& conn_type = zeek::id::find_type<zeek::RecordType>("connection");
-    auto resp_endp = conn_val->GetField("resp");
+    static const int origidx = conn_type->FieldOffset("orig");
    static const int respidx = conn_type->FieldOffset("resp");
    auto* orig_endp_val = conn_val->GetFieldAs<RecordVal>(origidx);
    auto* resp_endp_val = conn_val->GetFieldAs<RecordVal>(respidx);
-    UpdateEndpointVal(orig_endp, true);
+    UpdateEndpointVal(orig_endp_val, true);
-    UpdateEndpointVal(resp_endp, false);
+    UpdateEndpointVal(resp_endp_val, false);
    // Call children's UpdateConnVal
    Analyzer::UpdateConnVal(conn_val);
 }
-void UDPSessionAdapter::UpdateEndpointVal(const ValPtr& endp_arg, bool is_orig) {
+void UDPSessionAdapter::UpdateEndpointVal(RecordVal* endp, bool is_orig) {
    zeek_int_t size = is_orig ? request_len : reply_len;
    auto endp = endp_arg->AsRecordVal();
    if ( size < 0 ) {
        endp->Assign(0, val_mgr->Count(0));
--- a/src/packet_analysis/protocol/udp/UDPSessionAdapter.h
+++ b/src/packet_analysis/protocol/udp/UDPSessionAdapter.h
@ -24,7 +24,7 @@ public:
    uint32_t rep_chk_thresh = 1;
 private:
-    void UpdateEndpointVal(const ValPtr& endp_arg, bool is_orig);
+    void UpdateEndpointVal(RecordVal* endp_arg, bool is_orig);
    void ChecksumEvent(bool is_orig, uint32_t threshold);
    zeek_int_t request_len = -1;