Bug #1159
Status: closed
Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET
Description
If trying to start Suricata in af-packet mode, with an invalid bpf-filter specified, Suricata ends up in a loop, eating memory until it is killed.
Steps to reproduce:
Suricata version: 2.0 (from https://launchpad.net/~oisf/+archive/suricata-stable)
OS: Ubuntu 12.04 (both x64 and 32 were tested)
1) Set bpf_filter to something invalid (such as the string "undef")
2) Run Suricata (e.g. $ suricata -i eth0 --af-packet=eth0)
3) Observe memory disappearing.
When we ran this (accidentally) in production Suricata ate all 256GB RAM available on the server.
Output to console:
1/4/2014 -- 13:21:26 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:26 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:26 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:27 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:27 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:27 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:27 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:28 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:28 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:28 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:28 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:29 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:29 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:29 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:29 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:30 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:30 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:30 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:30 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:31 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:31 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:32 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:32 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
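A log check for the failure pattern in the console output above, as an added example that is not part of the original report or of Suricata: it flags any error message that repeats at least `threshold` times within `window`, so a supervisor can stop the process before memory runs out. The function name, threshold, window, the day/month/year reading of the timestamp and the placeholder error code are assumptions; the sample lines are constructed from the format shown in the report.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Console format as shown in the report:
# 1/4/2014 -- 13:21:26 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - message
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} -- \d{2}:\d{2}:\d{2}) - <(?P<level>\w+)> - '
    r'\[ERRCODE: (?P<code>\w+)\(\d+\)\] - (?P<msg>.*)$')

def find_retry_loops(lines, threshold=5, window=timedelta(seconds=10)):
    """Return [(code, message, time_threshold_reached)] for every error
    message seen at least `threshold` times inside a sliding `window`."""
    recent = {}   # (code, msg) -> timestamps still inside the window
    flagged = {}  # (code, msg) -> time the threshold was first reached
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m['level'] != 'Error':
            continue  # not an error line in the expected format
        # Assumption: timestamps are day/month/year.
        ts = datetime.strptime(m['ts'], '%d/%m/%Y -- %H:%M:%S')
        key = (m['code'], m['msg'])
        q = recent.setdefault(key, deque())
        q.append(ts)
        while ts - q[0] > window:  # drop entries older than the window
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged[key] = ts
    return [(code, msg, ts) for (code, msg), ts in flagged.items()]

# Constructed sample modelled on the report's output (not a real capture).
# SC_ERR_PLACEHOLDER is a made-up code for a one-off error that must not trip.
SAMPLE = ['1/4/2014 -- 13:21:25 - <Error> - '
          '[ERRCODE: SC_ERR_PLACEHOLDER(0)] - one-off constructed error']
for sec in range(26, 32):
    for text in ('Set AF_PACKET bpf filter "undef" failed.',
                 'Filter compilation failed.'):
        SAMPLE.append(f'1/4/2014 -- 13:21:{sec:02d} - <Error> - '
                      f'[ERRCODE: SC_ERR_AFP_CREATE(190)] - {text}')

if __name__ == '__main__':
    for code, msg, ts in find_retry_loops(SAMPLE):
        print(f'{ts.isoformat()} retry loop suspected: {code}: {msg}')
```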
Updated by Victor Julien over 10 years ago
- Status changed from New to Assigned
- Assignee set to Eric Leblond
- Target version set to 2.0.1rc1
BPF set failure should probably be fatal, as it will fail in a retry as well I think.
Updated by Victor Julien over 10 years ago
- Status changed from Assigned to Closed
- % Done changed from 80 to 100