Fix SumStats::observe key normalization logic

The loop over Reducers in SumStats::observe performs a key normalization and inadvertently modifies the key used for subsequent iterations. Reported by Jim Mellander.
bro · Aug 13, 2018 · 5821c16 · 5821c16
1 parent 2d47586
commit 5821c16
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 4 deletions.
diff --git a/CHANGES b/CHANGES
@@ -1,4 +1,9 @@
 
+2.5-840 | 2018-08-13 17:40:06 -0500
+
+  * Fix SumStats::observe key normalization logic
+    (reported by Jim Mellander and fixed by Jon Siwek, Corelight)
+
 2.5-839 | 2018-08-13 10:51:43 -0500
 
   * Make options redef-able by default. (Johanna Amann, Corelight)

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-2.5-839
+2.5-840
diff --git a/scripts/base/frameworks/sumstats/main.bro b/scripts/base/frameworks/sumstats/main.bro
@@ -399,16 +399,15 @@ function create(ss: SumStat)
 	schedule ss$epoch { SumStats::finish_epoch(ss) };
 	}
 
-function observe(id: string, key: Key, obs: Observation)
+function observe(id: string, orig_key: Key, obs: Observation)
 	{
 	if ( id !in reducer_store )
 		return;
 
 	# Try to add the data to all of the defined reducers.
 	for ( r in reducer_store[id] )
 		{
-		if ( r?$normalize_key )
-			key = r$normalize_key(copy(key));
+		local key = r?$normalize_key ? r$normalize_key(copy(orig_key)) : orig_key;
 
 		# If this reducer has a predicate, run the predicate
 		# and skip this key if the predicate return false.