Bug #1159

closed

Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET

Added by Jorgen Bohnsdalen over 8 years ago. Updated over 8 years ago.

Status: Closed
Priority: Normal

Description

If trying to start Suricata in af-packet mode, with an invalid bpf-filter specified, Suricata ends up in a loop, eating memory until it is killed.

Steps to reproduce:

Suricata version: 2.0 (from https://launchpad.net/~oisf/+archive/suricata-stable)
OS: Ubuntu 12.04 (both x64 and 32 were tested)

1) Set bpf_filter to something invalid (such as the string "undef")
2) Run Suricata (ex. $ suricata -i eth0 --af-packet=eth0)
3) Observe memory disappearing.

When we ran this (accidentally) in production Suricata ate all 256GB RAM available on the server.

Output to console:

1/4/2014 -- 13:21:26 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:26 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:26 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:27 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:27 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:27 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:27 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:28 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:28 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:28 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:28 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:29 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:29 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:29 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:29 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:30 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:30 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:30 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:30 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:31 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:31 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:32 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:32 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.

#1

Updated by Victor Julien over 8 years ago

  • Status changed from New to Assigned
  • Assignee set to Eric Leblond
  • Target version set to 2.0.1rc1

BPF set failure should probably be fatal, as it will fail in a retry as well I think.

#2

Updated by Eric Leblond over 8 years ago

  • % Done changed from 0 to 80

#3

Updated by Victor Julien over 8 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 80 to 100
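
An added example, not part of the ticket or of Suricata's code: a small log watcher that flags the retry loop visible in the console output above, where the same SC_ERR_AFP_CREATE message repeats within seconds. The function names, threshold and window are assumptions, and the sample lines are constructed in the report's log format.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Line layout taken from the console output quoted in the report.
# Assumption: the date is day/month/year.
LINE_RE = re.compile(
    r'^(\d{1,2}/\d{1,2}/\d{4}) -- (\d{2}:\d{2}:\d{2}) - <\w+> - '
    r'\[ERRCODE: (\w+)\(\d+\)\] - (.*)$')

def parse_line(line):
    """Return (timestamp, error_name, message), or None for other lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group(1) + ' ' + m.group(2), '%d/%m/%Y %H:%M:%S')
    return ts, m.group(3), m.group(4)

def find_retry_loop(lines, errname='SC_ERR_AFP_CREATE', threshold=5, window_s=10):
    """Return (timestamp, message) once the same message has been logged
    `threshold` times within `window_s` seconds, else None."""
    window = timedelta(seconds=window_s)
    recent = {}  # message -> timestamps still inside the window
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != errname:
            continue
        ts, _, msg = parsed
        q = recent.setdefault(msg, deque())
        q.append(ts)
        while ts - q[0] > window:  # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            return ts, msg
    return None

def sample(seconds):
    """Constructed log lines in the report's format, one pair per given second."""
    fmt = ('1/4/2014 -- 13:21:%02d - <Error> - '
           '[ERRCODE: SC_ERR_AFP_CREATE(190)] - %s')
    out = []
    for s in seconds:
        out.append(fmt % (s, 'Set AF_PACKET bpf filter "undef" failed.'))
        out.append(fmt % (s, 'Filter compilation failed.'))
    return out

if __name__ == '__main__':
    print(find_retry_loop(sample([26, 26, 27, 27, 28, 28])))  # tight loop: flagged
    print(find_retry_loop(sample([0, 15, 30, 45, 59])))       # spread out: None
```

A supervisor or log shipper can call `find_retry_loop` on the tail of the Suricata log and stop the process or raise an alert before memory is exhausted.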