Makes testing easier and aligns better with log rotation and timer
expiration. Should not have an effect in practice. Also, log detail
about whether inode or modification time changed, too.
The mmdb references need to use reset() instead of release()
so that the destructor gets called and the stale DB is actually
cleaned up. Otherwise, the pointer is leaked and the stale DB
remains in memory.
Because EventMgr is defined globally as an object (rather than a global
pointer to an EventMgr object), its pipe is created even before main()
is entered. This further means that in the fork-based supervisor setup,
all Zeek processes created from the top-level supervisor process share
the same pipe object for the EventMgr. In turn, whenever any of the
processes enqueued an event, the flare was fired and ready for reading
on all other processes in the cluster, causing much contention and
unneeded overhead.
Closes #3190
Corpus was generated from a few btest pcaps, fuzzing for 60 seconds
locally and minimizing afterwards as in the documentation.
List of pcaps:
certificate-request-failed.pcap
certificate-with-sct.pcap
cert-no-cn.pcap
chrome-34-google.trace
chrome-63.0.3211.0-canary-tls_experiment.pcap
heartbleed-encrypted.pcap
heartbleed-encrypted-short.pcap
heartbleed-encrypted-success.pcap
heartbleed.pcap
heartbleed-success.pcap
ssl-v2.trace
ssl.v3.trace
tls1_1.pcap
tls-1.2-handshake-failure.trace
tls1.2-protocol-violation.pcap
tls1.2.trace
tls13_wolfssl.pcap
tls-early-alert.trace
For records and enums, the type registration calls could get pretty
large, and then slow to compile. We now build up their vectors
entry by entry instead of all at once.
The fuzzer generated input where data length left was 14 and the amsdu_len
field set to 14. That caused buffer overread due to not taking into account
the amsdu header length of 14.
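
The length check described in the commit message above, as an added example (not Zeek's code): a bounds check that ignores the 14-byte subframe header next to one that accounts for it. All function and variable names are hypothetical, the sample buffers are constructed, and the standard 802.11 A-MSDU subframe layout (big-endian length field, 4-byte padding) is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* A-MSDU subframe header: DA (6) + SA (6) + length (2) = 14 bytes. */
#define AMSDU_HDR_LEN 14

/* Constructed inputs. fuzz_case mirrors the commit message: 14 bytes left,
 * length field 14. ok_case is one subframe with a 4-byte payload. */
static const uint8_t fuzz_case[14] = { [13] = 14 };
static const uint8_t ok_case[18] = { [13] = 4 };

/* Check as described for the pre-fix code (assumed form): the length
 * field is compared to the bytes left, ignoring the header. */
int amsdu_fits_weak(size_t remaining, uint16_t amsdu_len) {
    return amsdu_len <= remaining;
}

/* Header and payload must both fit; written so nothing can wrap. */
int amsdu_fits(size_t remaining, uint16_t amsdu_len) {
    return remaining >= AMSDU_HDR_LEN && amsdu_len <= remaining - AMSDU_HDR_LEN;
}

/* Returns the number of complete subframes, or -1 if one is truncated. */
int amsdu_count_subframes(const uint8_t *data, size_t len) {
    int count = 0;
    size_t off = 0;
    while (off < len) {
        size_t remaining = len - off;
        if (remaining < AMSDU_HDR_LEN)
            return -1;
        /* Length field is big-endian and covers the payload only. */
        uint16_t amsdu_len = (uint16_t)((data[off + 12] << 8) | data[off + 13]);
        if (!amsdu_fits(remaining, amsdu_len))
            return -1;
        size_t sub = AMSDU_HDR_LEN + (size_t)amsdu_len;
        off += sub;
        count++;
        /* Subframes other than the last are padded to a 4-byte boundary. */
        size_t pad = (4 - (sub & 3)) & 3;
        off += (len - off < pad) ? (len - off) : pad;
    }
    return count;
}

int main(void) {
    printf("weak=%d strict=%d fuzz=%d ok=%d\n", amsdu_fits_weak(14, 14), amsdu_fits(14, 14),
           amsdu_count_subframes(fuzz_case, sizeof fuzz_case), amsdu_count_subframes(ok_case, sizeof ok_case));
    return 0;
}
```
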
The first pcap only contained packets from the originator, not the responder.
What stands out here is that the Linux kernel doesn't seem to use a symmetric
flow hash for the tunneled connection, resulting in a total of four tunnel
connections for the two inner connections. Sigh.
It is not necessary to allocate and free the context objects used for
HKDF and AES all the time; they can be re-used. The main assumption here
is no cross-thread usage, but this should be guaranteed even with the
fibers: QUIC_decrypt_crypto_payload() always runs to completion.
A pcap with ~12k QUIC connections had ~15% samples in
QUIC_decrypt_crypto_payload. After this change it is down to 5%
of samples. The improvement in runtime is ~16%, 12.2 seconds
to 10.2 seconds.
From zeek/spicy-quic#14
We compared the return value of `sizeof` which returns a `std::size_t`
with an `int` which GCC warned about. This patch changes the `int` to a
`size_t`.