Bug #1217

closed

Segfault in unix-manager.c line 529 when using --unix-socket and sending pcap files to be analyzed via socket

Added by Luigi Sandon over 7 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

When using --unix-socket to send cap files to be analyzed to Suricata running as a daemon, we see Suricata may segfault in unix-manager.c, at line 529 (happens with Suricata 1.4.5, 1.4.7, 2.0.1, on Debian 7 64 bit):

Program terminated with signal 11, Segmentation fault

#0  0x000000000069ee43 in UnixMain (this=0x9eb400) at unix-manager.c:529
        tv = {tv_sec = 0, tv_usec = 99923}
        ret = 1
        select_set = {fds_bits = {256, 0 <repeats 15 times>}}
        uclient = 0x202d203e
        __FUNCTION__ = "UnixMain" 
#1  0x00000000006a2942 in UnixManagerThread (td=0x3ec90c0) at unix-manager.c:868
        th_v = 0x3ec90c0
        ret = 1
        __FUNCTION__ = "UnixManagerThread" 
#2  0x00007ff7e629eb50 in start_thread (arg=<optimized out>) at pthread_create.c:304
        __res = <optimized out>
        pd = 0x7ff7e566b700
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140702682363648, 4220606397937000110, 140733771700112, 
140702682364352, 140702708301888, 3, -4216123630546411858, -4216117486398300498}, mask_was_saved = 0}}, 
priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread" 
#3  0x00007ff7e5b8c0ed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#4  0x0000000000000000 in ?? ()

It looks like these lines are what trigger the segfault:

TAILQ_FOREACH(uclient, &this->clients, next) {
    if (FD_ISSET(uclient->fd, &select_set)) {     // <<<< error here
        UnixCommandRun(this, uclient);
    }
}

I see somewhere else TAILQ_FOREACH_SAFE is used, and actually UnixCommandRun() may end up calling TAILQ_REMOVE in UnixCommandClose(). I wonder if sometimes TAILQ_FOREACH could end up returning an invalid item and thereby triggering the segfault. The segfault happens often enough, and dumps always point to the same source, but it's not easy to reproduce; we may have to run Suricata for a while, sending pcap files to it.
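As an added illustration (not code from the Suricata tree and not the change made for this ticket), the loop below has the same shape as the UnixMain() loop quoted above but iterates with TAILQ_FOREACH_SAFE, so the body is free to unlink and free the element it is looking at. TAILQ_FOREACH expands to for (var = FIRST; var; var = NEXT(var)), so once the body has freed var the loop header reads var->next out of freed memory. The value uclient = 0x202d203e in the backtrace is made of printable ASCII bytes (0x3e 0x20 0x2d 0x20, "> - " read little-endian), which is a common sign of a dangling pointer picking up data written after the block was reused, although the page itself does not confirm that. The struct client type, client_close() and the ready() callback are hypothetical stand-ins for the manager's client record, UnixCommandClose() and FD_ISSET(); the client list is constructed in the block.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/queue.h>

/* glibc's <sys/queue.h> historically ships without the *_SAFE iterators
 * (Suricata carries its own queue.h), so supply the BSD definition when
 * the system header does not. */
#ifndef TAILQ_FOREACH_SAFE
#define TAILQ_FOREACH_SAFE(var, head, field, tvar)            \
    for ((var) = TAILQ_FIRST((head));                         \
         (var) && ((tvar) = TAILQ_NEXT((var), field), 1);     \
         (var) = (tvar))
#endif

/* Hypothetical stand-in for the per-connection record the manager keeps. */
struct client {
    int fd;
    TAILQ_ENTRY(client) next;
};
TAILQ_HEAD(client_list, client);

/* Constructed input: n clients with fds 0..n-1, appended in order. */
static void list_build(struct client_list *head, int n)
{
    TAILQ_INIT(head);
    for (int i = 0; i < n; i++) {
        struct client *c = calloc(1, sizeof(*c));
        if (c == NULL)
            abort();
        c->fd = i;
        TAILQ_INSERT_TAIL(head, c, next);
    }
}

static int list_count(struct client_list *head)
{
    struct client *c;
    int n = 0;
    TAILQ_FOREACH(c, head, next)
        n++;
    return n;
}

/* Stand-in for a close path like UnixCommandClose(): unlink, then free. */
static void client_close(struct client_list *head, struct client *c)
{
    TAILQ_REMOVE(head, c, next);
    free(c);
}

/* Service loop shaped like the UnixMain() loop in the report. `ready` plays
 * the role of FD_ISSET(), and in this model handling a ready client always
 * ends in a close. TAILQ_FOREACH_SAFE stores the successor in `tmp` before
 * the body runs, so freeing `c` never makes the loop read freed memory.
 * Returns the number of clients closed. */
static int serve_ready_clients(struct client_list *head, int (*ready)(int fd))
{
    struct client *c, *tmp;
    int closed = 0;
    TAILQ_FOREACH_SAFE(c, head, next, tmp) {
        if (ready(c->fd)) {
            client_close(head, c);  /* c dangles from here on; tmp does not */
            closed++;
        }
    }
    return closed;
}

/* One scenario: build n clients, serve them, return the closed count and
 * report how many survived through *remaining. */
static int run_scenario(int n, int (*ready)(int), int *remaining)
{
    struct client_list head;
    struct client *c, *tmp;
    list_build(&head, n);
    int closed = serve_ready_clients(&head, ready);
    *remaining = list_count(&head);
    TAILQ_FOREACH_SAFE(c, &head, next, tmp)  /* release survivors */
        client_close(&head, c);
    return closed;
}

static int closed_after(int n, int (*ready)(int))
{
    int left;
    return run_scenario(n, ready, &left);
}

static int remaining_after(int n, int (*ready)(int))
{
    int left;
    run_scenario(n, ready, &left);
    return left;
}

static int ready_even(int fd) { return fd % 2 == 0; }
static int ready_all(int fd)  { (void)fd; return 1; }
static int ready_none(int fd) { (void)fd; return 0; }

int main(void)
{
    printf("even fds ready: closed %d, %d remain\n",
           closed_after(6, ready_even), remaining_after(6, ready_even));
    printf("all ready:      closed %d, %d remain\n",
           closed_after(6, ready_all), remaining_after(6, ready_all));
    return 0;
}
```

Compile with -fsanitize=address to see the difference directly: swap TAILQ_FOREACH_SAFE for TAILQ_FOREACH in serve_ready_clients() and ASan reports a heap-use-after-free in the loop header on the first closed client, the same read the reporter suspects behind the bad uclient value.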

Actions #1

Updated by Victor Julien over 7 years ago

  • Status changed from New to Assigned
  • Assignee set to Eric Leblond
  • Target version set to 2.0.2

Actions #2

Updated by Victor Julien over 7 years ago

  • Description updated (diff)

Actions #3

Updated by Eric Leblond over 7 years ago

  • % Done changed from 0 to 80

Actions #4

Updated by Victor Julien over 7 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 80 to 100