From fead5f5d5eb296951da0b23ab1cbd3fab7a19e89 Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Sat, 28 Jan 2017 12:07:42 -0800
Subject: [PATCH] Fix delay in disabling file analyzers.

When a file analyzer signaled being done with data delivery, the analyzer would only be scheduled for removal at that poing, meaning it could still receive more data until that action actually took effect. Now we make sure to not send any more data to an analyzer.
---
 src/file_analysis/Analyzer.h | 22 ++++++++++++++++++++--
 src/file_analysis/File.cc | 30 +++++++++++++++++++++++-------
 2 files changed, 43 insertions(+), 9 deletions(-)

diff --git a/src/file_analysis/Analyzer.h b/src/file_analysis/Analyzer.h
index dcb8434a6f..dfe9c795a8 100644
--- a/src/file_analysis/Analyzer.h
+++ b/src/file_analysis/Analyzer.h
@@ -123,6 +123,21 @@ public:
 void SetGotStreamDelivery()
 { got_stream_delivery = true; }
+ /**
+ * Signals that the analyzer is to skip all further input
+ * processsing. This won't have an immediate effect internally, but
+ * the flag can be queried through Skipping().
+ *
+ * @param do_skip If true, further processing will be skipped.
+ */
+ void SetSkip(bool do_skip) { skip = do_skip; }
+
+ /**
+ * Returns true if the analyzer has been told to skip processing all
+ * further input.
+ */
+ bool Skipping() const { return skip; }
+
 protected:
 /**
@@ -136,7 +151,8 @@ protected:
 : tag(arg_tag),
 args(arg_args->Ref()->AsRecordVal()),
 file(arg_file),
- got_stream_delivery(false)
+ got_stream_delivery(false),
+ skip(false)
 {
 id = ++id_counter;
 }
@@ -154,7 +170,8 @@ protected:
 : tag(),
 args(arg_args->Ref()->AsRecordVal()),
 file(arg_file),
- got_stream_delivery(false)
+ got_stream_delivery(false),
+ skip(false)
 {
 id = ++id_counter;
 }
@@ -166,6 +183,7 @@ private:
 RecordVal* args; /**< \c AnalyzerArgs val gives tunable analyzer params. */
 File* file; /**< The file to which the analyzer is attached. */
 bool got_stream_delivery;
+ bool skip;
 static ID id_counter;
 };
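Review bot: The new `SetSkip()` doc comment in the first Analyzer.h hunk says the flag has no immediate internal effect but does not say who must honor it, so the guarantee rests on every caller testing `Skipping()` before it delivers. I would add a sentence such as `Callers that deliver data (File::DeliverStream, File::DeliverChunk) must check Skipping() first; setting the flag does not remove the analyzer.` The same comment misspells `processsing`. The class body starts and ends outside this hunk.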
diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc
index ee40c9185d..46e67f7cd8 100644
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@@ -394,9 +394,15 @@ void File::DeliverStream(const u_char* data, uint64 len)
 // Catch this analyzer up with the BOF buffer.
 for ( int i = 0; i < num_bof_chunks_behind; ++i )
 {
- if ( ! a->DeliverStream(bof_buffer.chunks[i]->Bytes(),
- bof_buffer.chunks[i]->Len()) )
- analyzers.QueueRemove(a->Tag(), a->Args());
+ if ( ! a->Skipping() )
+ {
+ if ( ! a->DeliverStream(bof_buffer.chunks[i]->Bytes(),
+ bof_buffer.chunks[i]->Len()) )
+ {
+ a->SetSkip(true);
+ analyzers.QueueRemove(a->Tag(), a->Args());
+ }
+ }
 bytes_delivered += bof_buffer.chunks[i]->Len();
 }
@@ -406,8 +412,14 @@ void File::DeliverStream(const u_char* data, uint64 len)
 // Analyzer should be fully caught up to stream_offset now.
 }
- if ( ! a->DeliverStream(data, len) )
- analyzers.QueueRemove(a->Tag(), a->Args());
+ if ( ! a->Skipping() )
+ {
+ if ( ! a->DeliverStream(data, len) )
+ {
+ a->SetSkip(true);
+ analyzers.QueueRemove(a->Tag(), a->Args());
+ }
+ }
 }
 stream_offset += len;
@@ -471,9 +483,13 @@ void File::DeliverChunk(const u_char* data, uint64 len, uint64 offset)
 while ( (a = analyzers.NextEntry(c)) )
 {
 DBG_LOG(DBG_FILE_ANALYSIS, "chunk delivery to analyzer %s", file_mgr->GetComponentName(a->Tag()).c_str());
- if ( ! a->DeliverChunk(data, len, offset) )
+ if ( ! a->Skipping() )
 {
- analyzers.QueueRemove(a->Tag(), a->Args());
+ if ( ! a->DeliverChunk(data, len, offset) )
+ {
+ a->SetSkip(true);
+ analyzers.QueueRemove(a->Tag(), a->Args());
+ }
 }
 }
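Review bot: The two nested `if`s added around the BOF catch-up delivery can be a single condition, `if ( ! a->Skipping() && ! a->DeliverStream(bof_buffer.chunks[i]->Bytes(), bof_buffer.chunks[i]->Len()) )`, which keeps the original nesting depth and relies on short-circuit evaluation to avoid the call. The same shape is repeated in the second DeliverStream hunk and in the DeliverChunk hunk, so all three sites could share one form. File::DeliverStream starts and ends outside this hunk.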
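Review bot: `Skipping()` is consulted only at the three delivery sites this patch touches, so the guard added here covers data delivery and nothing else. If File.cc calls into attached analyzers on paths not shown in this diff (presumably gap reporting via `Undelivered()` and the `EndOfFile()` notification), an analyzer that already returned false could still be re-entered there until the queued removal is drained. Those loops would want the same `if ( ! a->Skipping() )` check. Because the input is network-derived, an analyzer that bailed out on malformed data is precisely the one that should not be called again. File::DeliverStream starts outside this hunk.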
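Review bot: In the DeliverChunk loop the `DBG_LOG(DBG_FILE_ANALYSIS, "chunk delivery to analyzer %s", ...)` line stays above the new `if ( ! a->Skipping() )` check, so the debug trace still reports a delivery for analyzers that are now skipped. Moving the `DBG_LOG` call inside the `Skipping()` block, or logging a distinct message for the skipped case, keeps the trace consistent with what the analyzer actually received. That matters when the log is used to reconstruct which analyzers saw a given chunk. File::DeliverChunk starts outside this hunk.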