Project

General

Profile

Actions

Bug #1159

closed

Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET

Added by Jorgen Bohnsdalen almost 10 years ago. Updated almost 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

If trying to start Suricata in af-packet mode, with an invalid bpf-filter specified, Suricata ends up in a loop, eating memory until it is killed.

Steps to reproduce:

Suricata version: 2.0 (from https://launchpad.net/~oisf/+archive/suricata-stable)
OS: Ubuntu 12.04 (both x64 and 32 was tested)

1) Set bpf_filter to something invalid (such as the string "undef")
2) Run Suricata (ex. $ suricata -i eth0 --af-packet=eth0)
3) Observe memory disappearing.

When we ran this (accidentally) in production Suricata ate all 256GB RAM available on the server.

Output to console:

1/4/2014 -- 13:21:26 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:26 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:26 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:27 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:27 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:27 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:27 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:28 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:28 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:28 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:28 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:29 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:29 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:29 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:29 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:30 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:30 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:30 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:30 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:31 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:31 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
1/4/2014 -- 13:21:32 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
1/4/2014 -- 13:21:32 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "undef" failed.
Actions

Also available in: Atom PDF