GH-1506: Fix Broker unserialization of set/table function indices

Zeek function types are serialized as a broker::vector, but the unserialization logic for Zeek set/table types that use a function for as an index incorrectly identified it as a composite-index, which also use broker::vector, rather than a singleton-index, and makes such unserialization fail. A general example where this failure can happen in practice is when trying to unserialize a connection record for which there's a Conn::RemovalHook, since that's a set[function], and a specific case of that is use of the Intel Framework in a Zeek cluster.
2025-10-13 20:18:20 +00:00 · 2021-04-14 20:39:22 -07:00 · 2021-04-14 20:39:22 -07:00 · d3ace9b7ac
commit d3ace9b7ac
parent 0c93e2fcb8
5 changed files with 296 additions and 16 deletions
--- a/testing/btest/scripts/policy/frameworks/intel/seen/smtp-cluster.zeek
+++ b/testing/btest/scripts/policy/frameworks/intel/seen/smtp-cluster.zeek
@ -0,0 +1,98 @@
+# @TEST-PORT: BROKER_PORT1
+# @TEST-PORT: BROKER_PORT2
+
+# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
+# @TEST-EXEC: btest-bg-run worker-1  ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
+# @TEST-EXEC: btest-bg-wait 90
+
+# @TEST-EXEC: btest-diff manager-1/intel.log
+
+@TEST-START-FILE intel.dat
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.url
+example@gmail.com	Intel::EMAIL	source1	test entry	http://some-data-distributor.com/100000
+@TEST-END-FILE
+
+@TEST-START-FILE cluster-layout.zeek
+redef Cluster::nodes = {
+	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
+	["worker-1"]  = [$node_type=Cluster::WORKER,  $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"],
+};
+@TEST-END-FILE
+
+@load base/frameworks/cluster
+@load base/frameworks/intel
+@load frameworks/intel/seen
+
+redef Log::default_rotation_interval = 0secs;
+redef Intel::read_files += { "../intel.dat" };
+
+global done_reading = F;
+global connected = F;
+global log_count = 0;
+
+event zeek_init()
+	{
+	Broker::subscribe("test");
+	}
+
+hook my_removal_hook(c: connection)
+	{
+	}
+
+event proceed()
+	{
+	# This is an entirely artificial connection record because reading from
+	# a real pcap tends to make this test timeout on CI under ASan.
+	local c = connection(
+			$id = conn_id($orig_h=1.1.1.1, $orig_p=1/tcp,
+			              $resp_h=2.2.2.2, $resp_p=2/tcp),
+			$orig = endpoint($size=1, $state=4, $flow_label=0),
+			$resp = endpoint($size=1, $state=4, $flow_label=0),
+			$start_time=current_time(),
+			$duration=1sec,
+			$service=set("smtp"),
+			$history="ShAdDa",
+			$uid="CHhAvVGS1DHFjwGM9",
+			$removal_hooks=set(my_removal_hook)
+	);
+
+	local iseen = Intel::Seen(
+			$indicator="example@gmail.com",
+			$indicator_type=Intel::EMAIL,
+			$where=Intel::IN_ANYWHERE,
+			$conn=c
+	);
+	Intel::seen(iseen);
+	}
+
+event Cluster::node_up(name: string, id: string)
+	{
+	if ( Cluster::node != "manager-1" )
+		return;
+
+	connected = T;
+
+	if ( done_reading )
+		Broker::publish("test", proceed);
+	}
+
+event Cluster::node_down(name: string, id: string)
+	{
+	terminate();
+	}
+
+event Input::end_of_data(name: string, source: string)
+	{
+	if ( Cluster::node != "manager-1" )
+		return;
+
+	done_reading = T;
+
+	if ( connected )
+		Broker::publish("test", proceed);
+	}
+
+event Intel::log_intel(rec: Intel::Info)
+	{
+	terminate();
+	}