From acf5c4ce5f41a882f05dd5eb327ea94ba2679e86 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 25 Oct 2022 10:02:22 -0700
Subject: [PATCH] fix(engine): save syscall source only when processing events
The optimization in https://github.com/falcosecurity/falco/pull/2210 had a bug when the engine uses multiple sources at the same time--m_syscall_source is a pointer to an entry in the indexed vector m_sources, but if add_source is called multiple times, the vector is resized, which copies the structs but invalidates any pointer to the vector entries. So instead of caching m_syscall_source in add_source(), cache it in process_events(). m_sources won't change once processing events starts.
Signed-off-by: Mark Stemm
---
 userspace/engine/falco_engine.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/userspace/engine/falco_engine.cpp b/userspace/engine/falco_engine.cpp
index 9f28c80e..af62371d 100644
--- a/userspace/engine/falco_engine.cpp
+++ b/userspace/engine/falco_engine.cpp
@@ -346,6 +346,11 @@ unique_ptr falco_engine::process_event(std::size_t so

 if(source_idx == m_syscall_source_idx)
 {
+ if(m_syscall_source == NULL)
+ {
+ m_syscall_source = find_source(m_syscall_source_idx);
+ }
+
 source = m_syscall_source;
 }
 else
@@ -387,7 +392,6 @@ std::size_t falco_engine::add_source(const std::string &source,
 if(source == falco_common::syscall_source)
 {
 m_syscall_source_idx = idx;
- m_syscall_source = find_source(m_syscall_source_idx);
 }

 return idx;
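Review bot: The lazy initialisation added at the top of the `source_idx == m_syscall_source_idx` branch writes the member `m_syscall_source` from inside `process_event`, and no synchronisation is visible in the hunk. If `process_event` can run on more than one thread for the syscall source, this check-then-assign is a data race, so either confirm single-threaded use or resolve the pointer once before event processing starts. A short comment would help the next reader, e.g. `// Resolved lazily: add_source() may reallocate m_sources and invalidate pointers into it.`, and `nullptr` is the idiomatic C++ spelling of `NULL`. The body of `process_event` begins and ends outside the hunk, so how a failed `find_source` lookup is handled cannot be checked here.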
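Review bot: `add_source` stops caching the pointer but never clears it, so the commit message's invariant (m_sources does not change once event processing starts) is assumed rather than enforced. A call to `add_source` after the first `process_event` would leave `m_syscall_source` pointing into a reallocated vector, which is the same dangling-pointer condition this commit fixes. Resetting the cache on every registration closes that gap, e.g. `m_syscall_source = NULL;` just before `return idx;`, so the next `process_event` looks the entry up again. The function starts outside the hunk, so whether something else already blocks late registration is not visible here.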