It looks like input-framework does not like when a value in a table is deleted twice, albeit accidentally.
```
Core was generated by `/usr/local/zeek-6.2.0/bin/zeek -i myri0 -U .status -p zeekctl -p zeekctl-live -p'.
Program terminated with signal SIGSEGV, Segmentation fault.
Address not mapped to object.
#0  zeek::Ref (o=0x0) at /usr/local/src/zeek-6.2.0/src/include/zeek/Obj.h:166
166         if ( ++(o->ref_cnt) <= 1 )
[Current thread is 1 (LWP 103142)]
(gdb) bt
#0  zeek::Ref (o=0x0) at /usr/local/src/zeek-6.2.0/src/include/zeek/Obj.h:166
#1  zeek::Val::Ref (this=0x0) at /usr/local/src/zeek-6.2.0/src/include/zeek/Val.h:113
#2  zeek::input::Manager::EndCurrentSend (this=0x8056b8240, reader=<optimized out>) at /usr/local/src/zeek-6.2.0/src/input/Manager.cc:1269
#3  0x0000000000cf4467 in zeek::input::EndCurrentSendMessage::Process (this=<optimized out>) at /usr/local/src/zeek-6.2.0/src/input/ReaderBackend.cc:90
#4  0x0000000001049c49 in zeek::threading::MsgThread::Process (this=0x807017a00) at /usr/local/src/zeek-6.2.0/src/threading/MsgThread.cc:427
#5  0x0000000000fbffb6 in zeek::run_state::detail::run_loop () at /usr/local/src/zeek-6.2.0/src/RunState.cc:289
#6  0x000000000087b5a8 in main (argc=<optimized out>, argv=<optimized out>) at /usr/local/src/zeek-6.2.0/src/main.cc:93
(gdb)
```
For reference, the coredump is: @adhoc ~/spool/tmp/post-terminate-worker-2024-06-28-12-04-19-5665-crash

Here is code which can reproduce the crash. Make sure you run in cluster format. (I have tried to oversimplify the code so as to distill it down as much as possible while keeping the crash in there, so please don't mind the deviation from good coding conventions.)
```zeek
module ASH;

#redef exit_only_after_terminate = T ;

export {
    redef enum Notice::Type += {
        WhitelistRemoved,
    };

    global whitelist_ip_file: string = "/tmp/ip-whitelist.scan.2" &redef;

    type wl_ip_Idx: record {
        ip: addr;
    };

    type wl_ip_Val: record {
        ip: addr;
        comment: string &optional;
    };

    global whitelist_ip_table: table[addr] of wl_ip_Val = table() &redef;

    global ASH::m_w_remove_ip: event(ip: addr, comment: string);
}

event read_whitelist_ip(description: Input::TableDescription, tpe: Input::Event,
                        left: wl_ip_Idx, right: wl_ip_Val)
    {
    local _msg = "";
    local ip = right$ip;
    local comment = right?$comment ? right$comment : "";

    if ( tpe == Input::EVENT_REMOVED ) {
        _msg = fmt("%s: %s", ip, comment);
        NOTICE([$note=WhitelistRemoved, $src=right$ip, $msg=_msg]);
@if ( Cluster::is_enabled() )
        Broker::publish(Cluster::worker_topic, ASH::m_w_remove_ip, ip, comment);
@endif
    }
    }

event ASH::m_w_remove_ip(ip: addr, comment: string)
    {
    delete whitelist_ip_table[ip]; # <---------- crash cause
    }

event zeek_init()
    {
    Input::add_table([
        $source=whitelist_ip_file,
        $name="whitelist_ip",
        $idx=wl_ip_Idx,
        $val=wl_ip_Val,
        $destination=whitelist_ip_table,
        $mode=Input::REREAD,
        $ev=read_whitelist_ip]);
    }
```
here is sample
/tmp/ip-whitelist.scan.2
Side note:
So one would expect this kind of code construct to work even with clusterization and with input-framework (below works, but the sample above crashes if an IP is deleted).
Let me know if you have any questions, need access to the coredump or any further info from backtraces, or have issues replicating this!
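
The failure mode in the backtrace above, modeled as an added example (not Zeek's source and not part of the original report). It assumes the reader keeps its own record of the keys from the previous read and looks each stale key up in the destination table at the end of a re-read; `Stream`, `Result`, `load`, `script_delete` and `end_current_send` are hypothetical names for this model.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>
// Simplified model, not Zeek source. Assumption: the reader remembers the keys
// of its previous read separately from the script-visible destination table.
struct Stream {
    std::map<std::string, std::string> table;  // destination table (ip -> comment)
    std::set<std::string> last_seen;           // reader's bookkeeping of the last read
};
struct Result {
    std::vector<std::string> removed_events;  // keys for which a "removed" event fired
    std::vector<std::string> already_gone;    // stale keys with no table entry left
};

// One read of the source file: every key goes into both structures.
void load(Stream& s, const std::vector<std::string>& ips) {
    for (const auto& ip : ips) {
        s.table[ip] = "constructed sample";
        s.last_seen.insert(ip);
    }
}

// Script-side `delete tbl[ip]`: only the table changes, the bookkeeping does not.
void script_delete(Stream& s, const std::string& ip) { s.table.erase(ip); }

// End of a re-read: keys seen last time but absent now are stale.
Result end_current_send(Stream& s, const std::set<std::string>& current) {
    Result r;
    for (const auto& ip : s.last_seen) {
        if (current.count(ip)) continue;
        auto it = s.table.find(ip);
        if (it == s.table.end()) {         // deleted behind the reader's back:
            r.already_gone.push_back(ip);  // using this lookup unchecked is the null deref
            continue;
        }
        r.removed_events.push_back(ip);
        s.table.erase(it);
    }
    s.last_seen = current;
    return r;
}

int main() {
    Stream s;
    load(s, {"192.0.2.1", "192.0.2.2"});  // constructed sample addresses
    script_delete(s, "192.0.2.1");
    std::cout << end_current_send(s, {"192.0.2.2"}).already_gone.size() << " stale key skipped\n";
}
```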