From c89c09fda36f1deaeb75091f3d628603bdace8e2 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Mon, 10 Sep 2018 19:06:35 -0500
Subject: [PATCH] Fix invalid memory free when using Log::default_field_name_map
---
 src/logging/Manager.cc | 2 +-
 .../conn.log | 10 ++++++++++
 .../btest/Traces/auth_change_session_keys.pcap | Bin 0 -> 838 bytes
 .../base/frameworks/logging/field-name-map2.bro | 15 +++++++++++++++
 4 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 testing/btest/Baseline/scripts.base.frameworks.logging.field-name-map2/conn.log
 create mode 100644 testing/btest/Traces/auth_change_session_keys.pcap
 create mode 100644 testing/btest/scripts/base/frameworks/logging/field-name-map2.bro
diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc
index ce32165177..83fe474690 100644
--- a/src/logging/Manager.cc
+++ b/src/logging/Manager.cc
@@ -875,7 +875,7 @@ bool Manager::Write(EnumVal* id, RecordVal* columns)
 if ( (val = filter->field_name_map->Lookup(fn, false)) != 0 )
 {
 delete [] filter->fields[j]->name;
- filter->fields[j]->name = val->AsStringVal()->CheckString();
+ filter->fields[j]->name = copy_string(val->AsStringVal()->CheckString());
 }
 delete fn;
 }
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-name-map2/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-name-map2/conn.log
new file mode 100644
index 0000000000..1c3ca4480d
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-name-map2/conn.log
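Review bot: The ownership rule this fix depends on is not written down next to the new assignment in `Manager::Write` (src/logging/Manager.cc). `filter->fields[j]->name` is released with `delete []` on the line above, so anything stored there has to be a `new[]` buffer the field owns, never a pointer into the `StringVal`. A comment above the new line, such as `// name is owned by the field and freed with delete []; store a heap copy, never the Val's internal buffer`, would keep a later cleanup from reintroducing the invalid free. The fix also assumes `copy_string()` allocates with `new[]` rather than `malloc`; its definition is not in this hunk, so that is worth confirming. `Manager::Write` starts and ends outside the hunk.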
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open 2018-09-11-00-03-40
+#fields ts uid src_ip src_port dst_ip dst_port proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
+1427304960.695733 CHhAvVGS1DHFjwGM9 192.168.1.2 49159 192.168.1.1 20000 tcp - 0.463113 120 0 S0 - - 0 SAD 5 332 0 0 -
+#close 2018-09-11-00-03-40
diff --git a/testing/btest/Traces/auth_change_session_keys.pcap b/testing/btest/Traces/auth_change_session_keys.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..32ff0f71514209c4f2eaa120b7c7ae7e84b92028
GIT binary patch literal 838 zcmca|c+)~A1{MYcU}0bcaXtx!Zk@};-~?oXFb9MBfBmCC^3n6v91N}u3?>Z54h#)! z<+cY_Ffsu#;{kR*14&0CZh67dL}9kORUPX4x{Bg3U6*YL)~e!&_qp2G$h5BPjG!niE=euR>jl}?`jUrXCeS7j#_&itgBi%Svd3s1ISvez zc93oRfvJHtB?Rn|T{{mRQm9~yW^{wt#UMGu#bDe2x*OT&wr*}Nwlz+gs=s`5h>WF> z@4nWb!ndBC<=tI$YugUVJKA}C7F&OM<{AcUPMfj)uBS`D^PtY2$BJ4FdUMuaf9}8m za_G5fd<+FZM}ja$up}`WU=5ab&pWAF;9yw+a;QEySjv|lJOm9Ec?Kq+ag2}a8Gy+S z5-e)!iPw$IHk{x~ws?F>u2$t|>Sq&1p#60@O!!idImrHUSJZ$?)dB|8K~U)`+Z literal 0 HcmV?d00001
diff --git a/testing/btest/scripts/base/frameworks/logging/field-name-map2.bro b/testing/btest/scripts/base/frameworks/logging/field-name-map2.bro
new file mode 100644
index 0000000000..e51bcd6580
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/field-name-map2.bro
@@ -0,0 +1,15 @@
+# @TEST-EXEC: bro -b -r $TRACES/auth_change_session_keys.pcap %INPUT
+# @TEST-EXEC: btest-diff conn.log
+
+# The other tests of Log::default_field_name_map used to not catch an invalid
+# memory free for some reason, but this test did reproduce a crash
+# consistently (now fixed).
+
+@load base/protocols/conn
+
+redef Log::default_field_name_map = {
+ ["id.orig_h"] = "src_ip",
+ ["id.orig_p"] = "src_port",
+ ["id.resp_h"] = "dst_ip",
+ ["id.resp_p"] = "dst_port"
+};
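Review bot: This regression test can only fail if the bad free makes `bro` crash or changes `conn.log`, and the comment's own "for some reason" says that outcome was not reliable for the older tests. Whether an invalid `delete []` aborts depends on the allocator and heap layout, so the test may still pass on a build where the bug has returned. The comment could say so, e.g. `# Detection relies on the allocator aborting on the bad free; run under a memory checker (ASan/valgrind) for a deterministic result.` If the project has a sanitizer build, running this suite on it would make the check independent of heap layout.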