Bug #1217: Segfault in unix-manager.c line 529 when using --unix-socket and sending pcap files to be analized via socket - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #1217

closed

Segfault in unix-manager.c line 529 when using --unix-socket and sending pcap files to be analized via socket

Added by Luigi Sandon almost 10 years ago. Updated almost 10 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Eric Leblond

Target version:

2.0.2

Affected Versions:

Effort:

Difficulty:

Label:

Description

When using --unix-socket to send cap files to be analized to Suricata running as a daemon, we see Suricata may segfault in unix-manager.c, at line 529 (happens with Suricata 1.4.5, 1.4.7, 2.0.1, on Debian 7 64 bit):

Program terminated with signal 11, Segmentation fault

#0  0x000000000069ee43 in UnixMain (this=0x9eb400) at unix-manager.c:529
        tv = {tv_sec = 0, tv_usec = 99923}
        ret = 1
        select_set = {fds_bits = {256, 0 <repeats 15 times>}}
        uclient = 0x202d203e
        __FUNCTION__ = "UnixMain" 
#1  0x00000000006a2942 in UnixManagerThread (td=0x3ec90c0) at unix-manager.c:868
        th_v = 0x3ec90c0
        ret = 1
        __FUNCTION__ = "UnixManagerThread" 
#2  0x00007ff7e629eb50 in start_thread (arg=<optimized out>) at pthread_create.c:304
        __res = <optimized out>
        pd = 0x7ff7e566b700
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140702682363648, 4220606397937000110, 140733771700112, 
140702682364352, 140702708301888, 3, -4216123630546411858, -4216117486398300498}, mask_was_saved = 0}}, 
priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread" 
#3  0x00007ff7e5b8c0ed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#4  0x0000000000000000 in ?? ()

It looks these lines are what triggers the segfault:

TAILQ_FOREACH(uclient, &this->clients, next) {
        if (FD_ISSET(uclient->fd, &select_set)) {     // <<<< error here
            UnixCommandRun(this, uclient);
        }

I see somewhere else TAILQ_FOREACH_SAFE is used, and actually UnixCommandRun() may end up calling TAILQ_REMOVE in UnixCommandClose(), I wonder if sometimes TAILQ_FOREACH could end returning and invalid item and thereby triggering the segfault. The segfault happens often enough, and dumps always point to the same source, but it's not easy to reproduce, we may have to run Suricata for a while while sending pcap files to it.