This controls whether ports given by "udp_content_delivery_ports_orig" and
"udp_content_delivery_ports_orig" are in terms of the UDP packet's
destination port or by the Connection's "responder" port (the former is
the unchanged default behavior).
- Squashed the original commit set
- Cleaned up formatting
- Fixed register_for_ports() for right RDPEUDP analyzer
* topic/ak/rdpeudp:
Add RDP over UDP analyzer
* origin/topic/jsiwek/misc-lambda-fixes:
GH-725: fix logic for finding a lambda's usage of outer IDs
Change record field anonymous functions to use lambda expressions
This changes the decapsulation logic for GRE/ERSPAN payloads to re-use
existing Layer 2 parsing logic that already handles things like 802.1Q
tags correctly before going on to process the inner IPv4/IPv6 payload.
* origin/topic/jsiwek/runtime-exception-leak-cleanup:
Func::DescribeDebug: move a NumFields() call out of loop
Use const-ref parameter for zeek::val_list_to_args()
Fix missing IntrusivePtr.h include and ambiguous ODesc::Add call
Remove TimerMgr arg from event queuing/scheduling methods
Deprecate Analyzer::ConnectionEvent()
Deprecate file_analysis::File::FileEvent methods using val_list args
Deprecate Connection::ConnectionEvent methods
Deprecate EventMgr::QueueEventFast() and update usages to Enqueue()
Deprecate EventMgr::QueueEvent() and update usages to Enqueue()
Deprecate Func::Call(val_list*, ...)
Use vector<IntrusivePtr<Val>> for Func::Call and Event queuing args
Fix memory leak in Zeek when-statement bodies with runtime errors
Change TableVal::RecoverIndex() to return IntrusivePtr
Use IntrusivePtr in TableVal::CallExpireFunc
Fix memory leak when runtime error occurs in a Zeek for-loop
Enable leak checks for btests that produce runtime exceptions
There was an alternate syntax to assign anonymous functions to record
fields that was never migrated to use the new lambda expression
machinery (and so didn't allow referencing variables in outer scope):
type myrec: record {
foo: function(a: string);
};
local o = "o";
local mr = myrec($foo(a: string) = { print a + o; });
These were previously reporting leaks due to various allocations not
getting cleaned up during the stack unwind, but at the current state of
the transition toward IntrusivePtr usage, theses tests no longer leak.
* origin/topic/jsiwek/gh-857-rebuild-tables-on-record-redef:
Initialize RecordVal default fields when redef'd
GH-857: fix redefining record types used to index tables
Change RecordVals to get resized at time of RecordType redef
* 'intrusive_ptr' of https://github.com/MaxKellermann/zeek: (32 commits)
Scope: store IntrusivePtr in `local`
Scope: pass IntrusivePtr to AddInit()
DNS_Mgr: use class IntrusivePtr
Scope: use class IntrusivePtr
Attr: use class IntrusivePtr
Expr: check_and_promote_expr() returns IntrusivePtr
Frame: use class IntrusivePtr
Val: RecordVal::LookupWithDefault() returns IntrusivePtr
Type: RecordType::FieldDefault() returns IntrusivePtr
Val: TableVal::Delete() returns IntrusivePtr
Type: base_type() returns IntrusivePtr
Type: init_type() returns IntrusivePtr
Type: merge_types() returns IntrusivePtr
Type: use class IntrusivePtr in VectorType
Type: use class IntrusivePtr in EnumType
Type: use class IntrusivePtr in FileType
Type: use class IntrusivePtr in TypeDecl
Type: make TypeDecl `final` and the dtor non-`virtual`
Type: use class IntrusivePtr in TypeType
Type: use class IntrusivePtr in FuncType
...
* The compression capability was incorrectly set to 0x0004 instead of 0x0003
* The padding was 4-byte instead of 8-byte aligned and also the spec.
does not strictly require the padding for the last item in the list.
* Add a default case to handle parsing of unknown context types.
This change tracks all TableVals created at parse-time whose index
depends on a given RecordType. Should that RecordType be redef'd, those
TableVals are immediately rebuilt such that they are valid to
subsequently use in either parse-time initializations or eventually in
any arbitrary run-time expression.
* topic/johanna/gh-744-cache-the-heck-out-of-these-certs:
X509 caching API change: callback gets entry directly
Address feedback
Small default updates & external baselines.
X509 caching: small API changes, tests & test updates
Certificate caching - now working in principle.
First (sadly not completely working) approach at caching X509 certificates
Changed some configuration defaults to potentially more same values.
The callback function is now a hook to allow costomization of the events
that are raised.
Tests now exist. Test baselines are updated.
Added a comment to clarify comparison of EOF packet length to 13.
* origin/topic/vladg/gh-843:
Update baselines
Made additional MySQL fixes.
Add support to MySQL for deprecation of EOF packets.
Whitespace cleanup & fixes
Fix EOF detection in the MySQL protocol analyzer.
* origin/topic/jsiwek/32bit-compat:
Improve formatting of doubles that are close to integers
Improve HTTP version number comparisons
Add a 32-bit task to Cirrus CI config
Replace va_list fmt() overload with vfmt()
Format tables indexed by patterns consistently across 32-bit/64-bit
Format interval values consistently across 32-bit/64-bit platforms
A race condition could cause unstable output: if the thread reading the
file is fast, often you see both "pred" functions execute and then both
"line" events execute with both entries already in the table, but if the
thread reading the file is slow, you see pred, event, pred, event, with
only one entry available in the first event.
The order in which &expire_func's get called isn't well-defined, so
separate the output from either to ensure diffs against the Baseline are
always consistent.
* Generally increase timeouts for tests that have recent transient
failures
* Change any test that relied on `btest-bg-wait -k` since that's never
going to play with with CI systems. Instead, we always need to have
a well-defined termination condition in the test itself (and most
already did, so didn't really need the `-k` flag anyway).
* origin/topic/johanna/table-on-change:
&on_change: Address feedback of Jon.
&on_change: incooperate feedback of Jon.
&on_change wrapup: documentation, tests, whitespacing
Table expiry now raises &on_change handlers
Prevent recursion of &on_change handlers.
Make bro_broker::val_to_data take a const Val* instead of a Val
&on_change: add insertion/change notifications.
&on_change working for removals from tables.
Change signature of &on_change handler
Beginning implementation of &on_change for tables.
Logs that got sent sparsely or burstily would get buffered for long
periods of time since the logic to flush them only does so on the next
log write. In the worst case, a subsequent log write could never happen
and cause a log entry to be indefinitely buffered.
This fix introduces a recurring event/timer to simply flush all pending
logs at frequency of Broker::log_batch_interval.
