Project

General

Profile

Actions

Bug #112

closed

Processing the attached pcap causes deadlock inside of DCERPCParser.

Added by Will Metcalf about 14 years ago. Updated almost 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Kirby I have sent you pcap offline here is the bt from gdb.

sh -c ulimit -c unlimited; src/suricata -c suricata.yaml -r ./dcerpcdeadlock.pcap -l ./

coz@coz-desktop:~$ gdb attach 7473
GNU gdb (GDB) 7.0-ubuntu
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/&gt;...
attach: No such file or directory.
Attaching to process 7473
Reading symbols from /home/coz/downloads/suricatafuzz4/src/.libs/lt-suricata...done.
Reading symbols from /home/coz/downloads/suricatafuzz4/libhtp/htp/.libs/libhtp-0.2.so.1...done.
Loaded symbols for /home/coz/downloads/suricatafuzz4/libhtp/htp/.libs/libhtp-0.2.so.1
Reading symbols from /usr/lib/libpcap.so.0.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpcap.so.0.8
Reading symbols from /usr/local/lib/libpfring.so...done.
Loaded symbols for /usr/local/lib/libpfring.so
Reading symbols from /usr/lib/libnet.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libnet.so.1
Reading symbols from /lib/libpthread.so.0...Reading symbols from /usr/lib/debug/lib/libpthread-2.10.1.so...done.
[Thread debugging using libthread_db enabled]
[New Thread 0x7f198d7fa910 (LWP 7502)]
[New Thread 0x7f198dffb910 (LWP 7501)]
[New Thread 0x7f198e7fc910 (LWP 7500)]
[New Thread 0x7f198effd910 (LWP 7499)]
[New Thread 0x7f198f7fe910 (LWP 7498)]
[New Thread 0x7f198ffff910 (LWP 7497)]
[New Thread 0x7f1994a55910 (LWP 7496)]
[New Thread 0x7f1995256910 (LWP 7495)]
[New Thread 0x7f1995a57910 (LWP 7494)]
[New Thread 0x7f1996258910 (LWP 7493)]
[New Thread 0x7f1996a59910 (LWP 7492)]
[New Thread 0x7f199725a910 (LWP 7491)]
[New Thread 0x7f1997a5b910 (LWP 7490)]
[New Thread 0x7f199825d910 (LWP 7489)]
(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/libyaml-0.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libyaml-0.so.1
Reading symbols from /lib/libpcre.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib/libpcre.so.3
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib/libgcc_s.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libgcc_s.so.1
0x00007f199901af51 in nanosleep () from /lib/libc.so.6
(gdb) bt full
#0 0x00007f199901af51 in nanosleep () from /lib/libc.so.6
No symbol table info available.
#1 0x00007f199904fbb4 in usleep (useconds=<value optimized out>) at ../sysdeps/unix/sysv/linux/usleep.c:33
ts = {tv_sec = 0, tv_nsec = 100000}
#2 0x000000000040630d in main (argc=7, argv=0x7fff3c075848) at suricata.c:929
done = 0 '\000'
end_time = {tv_sec = 140734200501744, tv_usec = 7286320}
opt = -1
pcap_file = 0x7fff3c077608 "./dcerpcdeadlock.pcap"
pcap_dev = 0x0
pfring_dev = 0x0
sig_file = 0x0
nfq_id = 0x0
conf_filename = 0x7fff3c0775f7 "suricata.yaml"
dump_config = 0
list_unittests = 0
daemon = 0
log_dir = 0x1bac1e0 "./"
buf = {st_dev = 2055, st_ino = 10264585, st_nlink = 9, st_mode = 16877, st_uid = 1000, st_gid = 1000, pad0 = 0, st_rdev = 0, st_size = 36864, st_blksize = 4096, st_blocks = 72, st_atim = {tv_sec = 1267544887, tv_nsec = 0},
st_mtim = {tv_sec = 1267544377, tv_nsec = 0}, st_ctim = {tv_sec = 1267544377, tv_nsec = 0}, __unused = {0, 0, 0}}
long_opts = {{name = 0x4ce718 "dump-config", has_arg = 0, flag = 0x7fff3c075324, val = 1}, {name = 0x4ce724 "pfring-int", has_arg = 1, flag = 0x0, val = 0}, {name = 0x4ce72f "pfring-clusterid", has_arg = 1, flag = 0x0,
val = 0}, {name = 0x4ce740 "unittest-filter", has_arg = 1, flag = 0x0, val = 85}, {name = 0x4ce750 "list-unittests", has_arg = 0, flag = 0x7fff3c075320, val = 1}, {name = 0x4ce75f "init-errors-fatal", has_arg = 0,
flag = 0x0, val = 0}, {name = 0x4ce771 "fatal-unittests", has_arg = 0, flag = 0x0, val = 0}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
option_index = 0
short_opts = "c:Dhi:l:q:d:r:us:U:V"
__FUNCTION
= "main"
c = 255 '\377'
i = 50
de_ctx = 0x22acd50
start_time = {tv_sec = 1267544921, tv_usec = 785309}
(gdb) info threads
15 Thread 0x7f199825d910 (LWP 7489) pthread_cond_wait@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:261
14 Thread 0x7f1997a5b910 (LWP 7490) 0x00000000004c8fa4 in DCERPCParser (dcerpc=0x4db3ad0, input=0x333274c "\005", input_len=0) at app-layer-dcerpc.c:1132
13 Thread 0x7f199725a910 (LWP 7491) pthread_cond_wait
@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:261
12 Thread 0x7f1996a59910 (LWP 7492) __lll_lock_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:136
11 Thread 0x7f1996258910 (LWP 7493) pthread_cond_wait@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:261
10 Thread 0x7f1995a57910 (LWP 7494) pthread_cond_wait
@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:261
9 Thread 0x7f1995256910 (LWP 7495) pthread_cond_wait@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:261
8 Thread 0x7f1994a55910 (LWP 7496) pthread_cond_wait
@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:261
7 Thread 0x7f198ffff910 (LWP 7497) pthread_cond_wait@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:261
6 Thread 0x7f198f7fe910 (LWP 7498) pthread_cond_wait
@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:261
5 Thread 0x7f198effd910 (LWP 7499) __lll_lock_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:136
4 Thread 0x7f198e7fc910 (LWP 7500) 0x00007f199901af51 in nanosleep () from /lib/libc.so.6
3 Thread 0x7f198dffb910 (LWP 7501) pthread_cond_timedwait@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:220
2 Thread 0x7f198d7fa910 (LWP 7502) pthread_cond_timedwait
@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:220
  • 1 Thread 0x7f199a3b16f0 (LWP 7473) 0x00007f199901af51 in nanosleep () from /lib/libc.so.6
    (gdb) thread 14
    [Switching to thread 14 (Thread 0x7f1997a5b910 (LWP 7490))]#0 0x00000000004c8fa4 in DCERPCParser (dcerpc=0x4db3ad0, input=0x333274c "\005", input_len=0) at app-layer-dcerpc.c:1132
    1132 && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length) {
    (gdb) bt full
    #0 0x00000000004c8fa4 in DCERPCParser (dcerpc=0x4db3ad0, input=0x333274c "\005", input_len=0) at app-layer-dcerpc.c:1132
    retval = 0
    parsed = 35
    hdrretval = 16
    #1 0x00000000004c9257 in DCERPCParse (f=0x2089f50, dcerpc_state=0x4db3ad0, pstate=0x4db3a90, input=0x333274c "\005", input_len=35, output=0x7f1997a5aa40) at app-layer-dcerpc.c:1228
    retval = 0
    sstate = 0x4db3ad0
    #2 0x00000000004beedd in AppLayerDoParse (f=0x2089f50, app_layer_state=0x4db3ad0, parser_state=0x4db3a90, input=0x333274c "\005", input_len=35, parser_idx=12, proto=12) at app-layer-parser.c:634
    retval = 0
    result = {head = 0x0, tail = 0x0, cnt = 0}
    r = 1
    PRETTY_FUNCTION = "AppLayerDoParse"
    e = 0x0
    #3 0x00000000004bf463 in AppLayerParse (f=0x2089f50, proto=12 '\f', flags=9 '\t', input=0x333274c "\005", input_len=35) at app-layer-parser.c:794
    parser_idx = 12
    p = 0x71a300
    ssn = 0x32e65c0
    parser_state_store = 0x4db3a90
    parser_state = 0x4db3a90
    app_layer_state = 0x4db3ad0
    r = 0
    FUNCTION = "AppLayerParse"
    #4 0x00000000004bbc46 in AppLayerHandleMsg (dp_ctx=0x22c3168, smsg=0x3332710) at app-layer-detect-proto.c:428
    alproto = 12
    r = 0
    ssn = 0x32e65c0
    #5 0x00000000004b02fa in StreamTcpReassembleProcessAppLayer (ra_ctx=0x22c3160) at stream-tcp-reassemble.c:1560
    smsg = 0x3332710
    r = 0
    #6 0x00000000004ad29c in StreamTcpPacket (tv=0x22c28c0, p=0x1ce9850, stt=0x25fc4d0) at stream-tcp.c:2475
    ssn = 0x32e65c0
    #7 0x00000000004ad336 in StreamTcp (tv=0x22c28c0, p=0x1ce9850, data=0x25fc4d0, pq=0x22c29c0) at stream-tcp.c:2493
    stt = 0x25fc4d0
    ret = TM_ECODE_OK
    #8 0x000000000049cc34 in TmThreadsSlot1 (td=0x22c28c0) at tm-threads.c:329
    tv = 0x22c28c0
    s = 0x22c2990
    p = 0x1ce9850
    run = 1 '\001'
    r = TM_ECODE_OK
    #9 0x00007f199973ba04 in start_thread (arg=<value optimized out>) at pthread_create.c:300
    __res = <value optimized out>
    pd = 0x7f1997a5b910
    unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139747895130384, 1549037723091911761, 140734200500256, 0, 0, 3, -1491704326606633903, -1491681597902633903}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
    prev = 0x0, cleanup = 0x0, canceltype = 0}}}
    not_first_call = <value optimized out>
    robust = <value optimized out>
    #10 0x00007f199905680d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
    No locals.
    #11 0x0000000000000000 in ?? ()
    No symbol table info available.
    (gdb)

Files

Actions #1

Updated by Kirby Kuehl about 14 years ago

Actions #2

Updated by Victor Julien almost 14 years ago

  • Status changed from New to Closed
  • % Done changed from 90 to 100

Applied, although with some changes. The gpl header was wrong, we're gpl2 not gpl2+. Please don't add headers like this.

Actions

Also available in: Atom PDF