Fix delay in disabling file analyzers.

When a file analyzer signaled being done with data delivery, the analyzer would only be scheduled for removal at that poing, meaning it could still receive more data until that action actually took effect. Now we make sure to not send any more data to an analyzer.
2025-10-03 15:18:20 +00:00 · 2017-01-28 12:07:42 -08:00 · 2017-01-28 12:07:42 -08:00 · fead5f5d5e
commit fead5f5d5e
parent 3ce6a031d4
2 changed files with 43 additions and 9 deletions
--- a/src/file_analysis/Analyzer.h
+++ b/src/file_analysis/Analyzer.h
@ -123,6 +123,21 @@ public:
 	void SetGotStreamDelivery()
 		{ got_stream_delivery = true; }

+	/**
+	 * Signals that the analyzer is to skip all further input
+	 * processsing. This won't have an immediate effect internally, but
+	 * the flag can be queried through Skipping().
+	 *
+	 * @param do_skip If true, further processing will be skipped.
+	 */
+	void SetSkip(bool do_skip)		{ skip = do_skip; }
+
+	/**
+	 * Returns true if the analyzer has been told to skip processing all
+	 * further input.
+	 */
+	bool Skipping() const			{ return skip; }
+
 protected:

 	/**
@ -136,7 +151,8 @@ protected:
 	    : tag(arg_tag),
 	      args(arg_args->Ref()->AsRecordVal()),
 	      file(arg_file),
-	      got_stream_delivery(false)
+	      got_stream_delivery(false),
+	      skip(false)
 		{
 		id = ++id_counter;
 		}
@ -154,7 +170,8 @@ protected:
 	    : tag(),
 	      args(arg_args->Ref()->AsRecordVal()),
 	      file(arg_file),
-	      got_stream_delivery(false)
+	      got_stream_delivery(false),
+	      skip(false)
 		{
 		id = ++id_counter;
 		}
@ -166,6 +183,7 @@ private:
 	RecordVal* args;	/**< \c AnalyzerArgs val gives tunable analyzer params. */
 	File* file;	/**< The file to which the analyzer is attached. */
 	bool got_stream_delivery;
+	bool skip;

 	static ID id_counter;
 };
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@ -394,9 +394,15 @@ void File::DeliverStream(const u_char* data, uint64 len)
 			// Catch this analyzer up with the BOF buffer.
 			for ( int i = 0; i < num_bof_chunks_behind; ++i )
 				{
-				if ( ! a->DeliverStream(bof_buffer.chunks[i]->Bytes(),
-				                        bof_buffer.chunks[i]->Len()) )
-					analyzers.QueueRemove(a->Tag(), a->Args());
+				if ( ! a->Skipping() )
+					{
+					if ( ! a->DeliverStream(bof_buffer.chunks[i]->Bytes(),
+								bof_buffer.chunks[i]->Len()) )
+						{
+						a->SetSkip(true);
+						analyzers.QueueRemove(a->Tag(), a->Args());
+						}
+					}

 				bytes_delivered += bof_buffer.chunks[i]->Len();
 				}
@ -406,8 +412,14 @@ void File::DeliverStream(const u_char* data, uint64 len)
 			// Analyzer should be fully caught up to stream_offset now.
 			}

-		if ( ! a->DeliverStream(data, len) )
-			analyzers.QueueRemove(a->Tag(), a->Args());
+		if ( ! a->Skipping() )
+			{
+			if ( ! a->DeliverStream(data, len) )
+				{
+				a->SetSkip(true);
+				analyzers.QueueRemove(a->Tag(), a->Args());
+				}
+			}
 		}

 	stream_offset += len;
@ -471,9 +483,13 @@ void File::DeliverChunk(const u_char* data, uint64 len, uint64 offset)
 	while ( (a = analyzers.NextEntry(c)) )
 		{
 		DBG_LOG(DBG_FILE_ANALYSIS, "chunk delivery to analyzer %s", file_mgr->GetComponentName(a->Tag()).c_str());
-		if ( ! a->DeliverChunk(data, len, offset) )
+		if ( ! a->Skipping() )
 			{
-			analyzers.QueueRemove(a->Tag(), a->Args());
+			if ( ! a->DeliverChunk(data, len, offset) )
+				{
+				a->SetSkip(true);
+				analyzers.QueueRemove(a->Tag(), a->Args());
+				}
 			}
 		}