- Analyzer: Reduce from 208 bytes to 192 bytes, remove one cache line
- EventGroup: Reduce from 104 bytes to 96 bytes
- Packet: Reduce from 200 bytes to 184 bytes, remove one cache line
- threading::Value: Reduce from 48 bytes to 40 bytes
- ConnTuple: push hole to the end of struct
- TCP_Reassembler: Reduce from 240 bytes to 232 bytes
Depending on an analyzer's implementation, its Done() method may
attempt to access analyzer or connection state when executing.
When this happens in the destructor of the parent analyzer during
the process of destructing a connection, this state may have been
deleted, resulting in use-after-free crashes or worse memory
corruption.

The following cases have been observed in the wild for when this happens.

* PIA matching during Done() for undelivered TCP data enables a Spicy
  based analyzer which in turn attempts to raise an analyzer violation
  during Done()->EndOfData().
* Spicy analyzers attaching new analyzers during their Done() processing
  which in turn attempt to use TCP() (to call FindChild()) during Done()
  while the analyzer tree / connection is being destructed.

The second scenario was previously found to happen in the HTTP analyzer
and fixed with 6ef9423f3c.

Plug these scenarios by short-circuiting AddChildAnalyzer() if the analyzer
or connection have finished or are being finished.
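
A simplified model of the guard described above, added here as an illustration and not taken from Zeek's source: AddChildAnalyzer() rejects new children once the analyzer or its connection is finished or finishing. Only AddChildAnalyzer() and Done() are names from the page; Conn, LateAttacher, run_teardown and the flag names are assumptions.

```cpp
// Simplified model, not Zeek's code. Conn, LateAttacher, run_teardown are hypothetical.
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

struct Conn { bool finishing = false; };  // set while the connection is being torn down
struct Analyzer {
    explicit Analyzer(Conn* c) : conn(c) {}
    virtual ~Analyzer() = default;
    // Guard: no new children once this analyzer or its connection is finished/finishing.
    bool AddChildAnalyzer(std::unique_ptr<Analyzer> child) {
        if (finished || conn->finishing) return false;  // child is freed, never linked in
        child->parent = this;
        children.push_back(std::move(child));
        return true;
    }
    virtual void Done() {
        if (finished) return;
        finished = true;  // set first, so re-entrant calls from children see it
        for (std::size_t i = 0; i < children.size(); ++i)
            children[i]->Done();
    }
    Conn* conn;
    Analyzer* parent = nullptr;
    bool finished = false;
    std::vector<std::unique_ptr<Analyzer>> children;
};

// Models the second observed case: an analyzer attaching another one from Done().
struct LateAttacher : Analyzer {
    using Analyzer::Analyzer;
    bool accepted = false;
    void Done() override {
        accepted = parent->AddChildAnalyzer(std::make_unique<Analyzer>(conn));
        Analyzer::Done();
    }
};

// Returns {was the teardown-time attach accepted, root's child count afterwards}.
std::pair<bool, std::size_t> run_teardown(bool conn_finishing) {
    Conn conn;
    Analyzer root(&conn);
    auto* p = new LateAttacher(&conn);
    root.AddChildAnalyzer(std::unique_ptr<Analyzer>(p));  // accepted: nothing finished yet
    conn.finishing = conn_finishing;
    root.Done();
    return {p->accepted, root.children.size()};
}
int main() { return run_teardown(true).first ? 1 : 0; }
```

Either condition alone is enough to reject the late attach: with conn_finishing set to false, the root analyzer's own finished flag still stops it.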
This should allow mangling a Session's history also from packet
analyzers without necessarily knowing the concrete connection type.
Given Connection is a subclass of Session, I don't think this
changes much.
This largely copies over Spicy's `.clang-format` configuration file. The
one place where we deviate is header include order since Zeek depends on
headers being included in a certain order.
This also combines the old TransportLayerAnalyzer class into
SessionAdapter, and removes the old class. This requires naming changes
in a few places but no functionality changes.
- Add constructors for ConnIDKey, remove BuildConnIDKey()
- Rename protocol stats classes and move to implementation file
- Rename "num" field of protocol stats to "active"
- Explicitly delete copy operations for SessionKey
- Change argument for ProtocolStats methods to const-reference
- Make key validity methods in Session not be virtual
- Rename Session::ClearKey and Session::IsKeyValid
This also includes:
- Deprecating the NetSessions name.
- Renaming the zeek::sessions global to zeek::session_mgr and deprecating the old name.
- Renaming Sessions.{h,cc} to SessionManager.{h,cc}.
This commit also includes:
- Storing the transport protocol in ConnID and ConnIDKey to allow TCP and
  UDP connections from the same IP/Port combinations. This happens in the
  core.cisco-fabric-path test, for example.
- Lots of test updates. The reasons for these are twofold. First,
  the change to only store a single map means that TCP, UDP, and ICMP
  connections are now mixed. When Zeek drains the map at shutdown, it drains
  each of those protocols together instead of separately. The second is
  because of how Sessions are stored in the map. We're now storing them
  keyed by the hash of the key stored by the Session objects, which causes
  them to again be in the map in a different order.
* origin/topic/timw/266-namespaces-part4: (34 commits)
Add missing namespace to usage of get_exe_path in fuzzer
Rename methods in RunState to remove 'net' from their names
Move zeek::net namespace to zeek::run_state namespace.
Move ScannedFile class and associated globals into ScannedFile.h and out of Net.h and scan.l
Rename types in ZeekList.h to be consistent with the style guide
Move NetVar from zeek to zeek::detail namespace
Remove PRI_PTR_COMPAT macros
Fix indentation of namespaced aliases
Move zeek-setup code into namespaces
Move ZeekList types to zeek namespace
Move __RegisterBif from zeek::detail::plugin to zeek::plugin::detail
Remove unimplemented zeek_magic_path/bro_magic_path method
Move all plugin classes into zeek::plugin::detail namespaces
Rename BroList.h to ZeekList.h
Move a few smaller files to zeek namespaces
Tag the end of some namespaces for consistency
Move a few of the zeek::util methods and variables to zeek::util::detail
Move zeekygen code to zeek::zeekygen::detail namespace
Mark zeek::util::pad_size as constexpr, which provides a small performance improvement
Move everything in util.h to zeek::util namespace.
...