Fix Queue and Event Parse bugs
- Improved Queue's detection of out of bounds cursor - Fixed parsing/handling of empty event records
Родитель
2db4808b17
Коммит
3760222052
12
Queue.cpp
12
Queue.cpp
|
@ -636,11 +636,17 @@ int Queue::Get(QueueCursor last, void*ptr, size_t* size, QueueCursor *item_curso
|
||||||
} else if (last.IsTail() || index > _data_size-sizeof(BlockHeader)) {
|
} else if (last.IsTail() || index > _data_size-sizeof(BlockHeader)) {
|
||||||
index = _tail;
|
index = _tail;
|
||||||
} else {
|
} else {
|
||||||
BlockHeader* hdr = reinterpret_cast<BlockHeader*>(_ptr+index);
|
if (last.id >= _next_id) {
|
||||||
if (hdr->id != last.id || hdr->state != ITEM) {
|
index = _head;
|
||||||
|
} else if (last.id < reinterpret_cast<BlockHeader*>(_ptr+_tail)->id) {
|
||||||
index = _tail;
|
index = _tail;
|
||||||
} else {
|
} else {
|
||||||
index += sizeof(BlockHeader)+hdr->size;
|
BlockHeader *hdr = reinterpret_cast<BlockHeader *>(_ptr + index);
|
||||||
|
if (hdr->id != last.id || hdr->state != ITEM) {
|
||||||
|
index = _tail;
|
||||||
|
} else {
|
||||||
|
index += sizeof(BlockHeader) + hdr->size;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
BlockHeader* hdr = reinterpret_cast<BlockHeader*>(_ptr+index);
|
BlockHeader* hdr = reinterpret_cast<BlockHeader*>(_ptr+index);
|
||||||
|
|
|
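Review bot: The advance `index += sizeof(BlockHeader) + hdr->size` in the innermost else branch has no range check after it, yet `_ptr+index` is reinterpreted as a BlockHeader on the hunk's last line; the `index > _data_size-sizeof(BlockHeader)` test only covers the cursor value on entry. If `hdr->size` can ever be stale or corrupted, the header access that follows would land outside the buffer. Consider re-checking after the advance, e.g. `if (index > _data_size - sizeof(BlockHeader)) { index = _tail; }`, or add a comment naming the invariant that makes the check unnecessary. The new `else if` also reads the header at `_ptr+_tail` unconditionally, so it relies on `_tail` always pointing at a valid header. Queue::Get starts and continues outside the hunk, so a later check may already cover this.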
@ -140,6 +140,10 @@ int RawEventAccumulator::AddRecord(std::unique_ptr<RawEventRecord> record) {
|
||||||
_bytes_metric->Add(static_cast<double>(record->GetSize()));
|
_bytes_metric->Add(static_cast<double>(record->GetSize()));
|
||||||
_record_metric->Add(1.0);
|
_record_metric->Add(1.0);
|
||||||
|
|
||||||
|
if (record->IsEmpty()) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
auto event_id = record->GetEventId();
|
auto event_id = record->GetEventId();
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
auto found = _events.on(event_id, [this,&record,&ret](const std::chrono::steady_clock::time_point& last_touched, std::shared_ptr<RawEvent>& event) {
|
auto found = _events.on(event_id, [this,&record,&ret](const std::chrono::steady_clock::time_point& last_touched, std::shared_ptr<RawEvent>& event) {
|
||||||
|
|
|
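Review bot: The early `return 0` for `record->IsEmpty()` runs before the record type is looked at, so an EOE record with no fields, which Parse accepted as a special case before this commit, would now be discarded here. If the code later in AddRecord (outside the hunk) uses EOE to complete the event, that path would no longer run and events would only be closed by whatever fallback exists. Consider `if (record->IsEmpty() && record->GetRecordType() != RecordType::EOE) { return 0; }`, or a comment stating that dropping empty EOE records is intended. The dropped record has already been added to `_bytes_metric` and `_record_metric`, so nothing visible in the hunk lets an operator see that records are being discarded.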
@ -189,36 +189,38 @@ bool RawEventProcessor::process_syscall_event(const Event& event) {
|
||||||
for (auto& rec: event) {
|
for (auto& rec: event) {
|
||||||
switch(static_cast<RecordType>(rec.RecordType())) {
|
switch(static_cast<RecordType>(rec.RecordType())) {
|
||||||
case RecordType::SYSCALL:
|
case RecordType::SYSCALL:
|
||||||
rec_type = RecordType::AUOMS_SYSCALL;
|
if (!syscall_rec) {
|
||||||
rec_type_name = auoms_syscall_name;
|
rec_type = RecordType::AUOMS_SYSCALL;
|
||||||
for (auto &f : rec) {
|
rec_type_name = auoms_syscall_name;
|
||||||
auto fname = f.FieldName();
|
for (auto &f : rec) {
|
||||||
switch (fname[0]) {
|
auto fname = f.FieldName();
|
||||||
case 't': {
|
switch (fname[0]) {
|
||||||
if (fname != SV_TYPE) {
|
case 't': {
|
||||||
|
if (fname != SV_TYPE) {
|
||||||
|
num_fields += 1;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
case 'i': {
|
||||||
|
if (fname != SV_ITEMS) {
|
||||||
|
num_fields += 1;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
case 's': {
|
||||||
|
if (fname == SV_SYSCALL) {
|
||||||
|
syscall_field = f;
|
||||||
|
}
|
||||||
num_fields += 1;
|
num_fields += 1;
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
break;
|
default:
|
||||||
}
|
|
||||||
case 'i': {
|
|
||||||
if (fname != SV_ITEMS) {
|
|
||||||
num_fields += 1;
|
num_fields += 1;
|
||||||
}
|
break;
|
||||||
break;
|
|
||||||
}
|
}
|
||||||
case 's': {
|
|
||||||
if (fname == SV_SYSCALL) {
|
|
||||||
syscall_field = f;
|
|
||||||
}
|
|
||||||
num_fields += 1;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
default:
|
|
||||||
num_fields += 1;
|
|
||||||
break;
|
|
||||||
}
|
}
|
||||||
|
syscall_rec = rec;
|
||||||
}
|
}
|
||||||
syscall_rec = rec;
|
|
||||||
break;
|
break;
|
||||||
case RecordType::EXECVE: {
|
case RecordType::EXECVE: {
|
||||||
if (rec.NumFields() > 0) {
|
if (rec.NumFields() > 0) {
|
||||||
|
|
|
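Review bot: A second SYSCALL record in the same event is now skipped by the `if (!syscall_rec)` guard without any trace. For an audit pipeline a duplicate SYSCALL record is an anomaly worth surfacing, so an `else` branch that logs or counts it would help detection. At minimum, add a comment above the guard such as `// Only the first SYSCALL record of an event is used; later ones are ignored.` Separately, `switch (fname[0])` indexes the field name without an emptiness check; if `FieldName()` returns a string view (not visible here), an empty name would be an out-of-range read. process_syscall_event starts and ends outside the hunk.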
@ -155,7 +155,7 @@ bool RawEventRecord::Parse(RecordType record_type, size_t size) {
|
||||||
while(itr.next()) {
|
while(itr.next()) {
|
||||||
_record_fields.push_back(itr.value());
|
_record_fields.push_back(itr.value());
|
||||||
}
|
}
|
||||||
return _record_fields.size() > 0 || _record_type == RecordType::EOE;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
|
|
|
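Review bot: Replacing the field-count test with `return true;` changes Parse's contract, because a record with zero fields now parses successfully and every caller has to check `IsEmpty()` itself. Only AddRecord does so in this commit, and any other caller that assumes at least one field after a successful Parse would now see an empty record. Document this at the function, e.g. `// Returns true even when no fields were parsed; callers must check IsEmpty().` Parse begins outside the hunk, so the conditions leading to this return are not visible.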
@ -39,6 +39,7 @@ public:
|
||||||
inline EventId GetEventId() { return _event_id; }
|
inline EventId GetEventId() { return _event_id; }
|
||||||
inline RecordType GetRecordType() { return _record_type; }
|
inline RecordType GetRecordType() { return _record_type; }
|
||||||
inline size_t GetSize() { return _size; }
|
inline size_t GetSize() { return _size; }
|
||||||
|
inline bool IsEmpty() { return _record_fields.empty(); }
|
||||||
|
|
||||||
private:
|
private:
|
||||||
std::array<char, MAX_RECORD_SIZE> _data;
|
std::array<char, MAX_RECORD_SIZE> _data;
|
||||||
|
|
|
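Review bot: `IsEmpty()` only reads `_record_fields`, so it can be const-qualified: `inline bool IsEmpty() const { return _record_fields.empty(); }`. The neighbouring getters are non-const as well, so this is a style point for the whole group rather than a defect in the new line. A one-line comment that the result is only meaningful after Parse has filled `_record_fields` would also help callers.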
@ -7,7 +7,7 @@
|
||||||
|
|
||||||
AUOMS_BUILDVERSION_MAJOR=2
|
AUOMS_BUILDVERSION_MAJOR=2
|
||||||
AUOMS_BUILDVERSION_MINOR=1
|
AUOMS_BUILDVERSION_MINOR=1
|
||||||
AUOMS_BUILDVERSION_PATCH=5
|
AUOMS_BUILDVERSION_PATCH=6
|
||||||
AUOMS_BUILDVERSION_BUILDNR=0
|
AUOMS_BUILDVERSION_BUILDNR=0
|
||||||
AUOMS_BUILDVERSION_DATE=20200427
|
AUOMS_BUILDVERSION_DATE=20200429
|
||||||
AUOMS_BUILDVERSION_STATUS=Developer_Build
|
AUOMS_BUILDVERSION_STATUS=Developer_Build
|
||||||
|
|