From a6ea82edf8470e64facbdffc6846d02de87a4187 Mon Sep 17 00:00:00 2001
From: Ofek Shaked <32914127+oshaked1@users.noreply.github.com>
Date: Sun, 26 Jan 2025 14:47:31 +0200
Subject: [PATCH] Fix incorrect handling of event parameters (#4548)

If an event that uses parameters is enabled but not present in all policies, a nil access occurs and tracee panics.
This fix makes sure the event is present in each policy before accessing its parameters.
---
 pkg/ebpf/event_parameters.go | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/pkg/ebpf/event_parameters.go b/pkg/ebpf/event_parameters.go
index 2510097fa71e..0784bc80f2ec 100644
--- a/pkg/ebpf/event_parameters.go
+++ b/pkg/ebpf/event_parameters.go
@@ -40,11 +40,13 @@ func (t *Tracee) handleEventParameters() error {
 		eventParams := make([]map[string]filters.Filter[*filters.StringFilter], 0)
 		for iterator := t.policyManager.CreateAllIterator(); iterator.HasNext(); {
 			policy := iterator.Next()
-			policyParams := policy.Rules[eventID].DataFilter.GetFieldFilters()
-			if len(policyParams) == 0 {
-				continue
+			if rule, ok := policy.Rules[eventID]; ok {
+				policyParams := rule.DataFilter.GetFieldFilters()
+				if len(policyParams) == 0 {
+					continue
+				}
+				eventParams = append(eventParams, policyParams)
 			}
-			eventParams = append(eventParams, policyParams)
 		}
 		if len(eventParams) == 0 {
 			// No parameters for this event