Bug #1279

closed

BUG: NULL pointer dereference when suricata was debug mode.

Added by jeongun baek over 9 years ago. Updated over 9 years ago.

Status: Closed
Priority: Normal

Description

When Suricata is operating in debug mode, there is a NULL pointer dereference bug at detect-tls.c:664.

This is the call stack when the bug occurred.

#0  0x000000392e6480ac in vfprintf () from /lib64/libc.so.6
#1  0x000000392e66f9d2 in vsnprintf () from /lib64/libc.so.6
#2  0x000000392e64f4a3 in snprintf () from /lib64/libc.so.6
#3  0x000000000050a9c1 in DetectTlsFingerprintParse (str=<value optimized out>) at detect-tls.c:664
#4  0x000000000050afab in DetectTlsFingerprintSetup (de_ctx=<value optimized out>, s=0x13fa99300, str=<value optimized out>) at detect-tls.c:741
#5  0x00000000004f3e9a in SigParseOptions (de_ctx=0x13e41a6a0, s=0x13fa99300, sigstr=<value optimized out>, addrs_direction=250 '\372') at detect-parse.c:556
#6  SigParse (de_ctx=0x13e41a6a0, s=0x13fa99300, sigstr=<value optimized out>, addrs_direction=250 '\372') at detect-parse.c:870
#7  0x00000000004f5dd4 in SigInitHelper (de_ctx=0x13e41a6a0,
    sigstr=0x7ffffcdba130 "alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:\"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)\"; flow:from_server,established; content:\"|55 04 06|\"; conte"..., dir=0 '\000') at detect-parse.c:1355
#8  0x00000000004f6daf in SigInit (de_ctx=0x13e41a6a0,
    sigstr=0x7ffffcdba130 "alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:\"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)\"; flow:from_server,established; content:\"|55 04 06|\"; conte"...) at detect-parse.c:1578
#9  0x00000000004f7110 in DetectEngineAppendSig (de_ctx=0x13e41a6a0,
    sigstr=0x7ffffcdba130 "alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:\"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)\"; flow:from_server,established; content:\"|55 04 06|\"; conte"...) at detect-parse.c:1850
#10 0x00000000004896f8 in DetectLoadSigFile (de_ctx=0x13e41a6a0, sig_file=0x13e4ff460 "/usr/local/etc/suricata/rules/suricata.rules", sigs_tot=0x7ffffcdbd1ac) at detect.c:337
#11 0x000000000048a693 in SigLoadSignatures (de_ctx=0x13e41a6a0, sig_file=0x0, sig_file_exclusive=<value optimized out>) at detect.c:403
#12 0x00000000005af6f3 in LoadSignatures (de_ctx=0x13e41a6a0, suri=0x7ffffcdbe250) at suricata.c:1906
#13 0x00000000005b5851 in main (argc=<value optimized out>, argv=<value optimized out>) at suricata.c:2259

The code which causes the NULL pointer dereference bug is:

tls->subject was not initialized yet... So "tls->subject" is NULL.
SCLogDebug("will look for TLS fingerprint %s", tls->subject);
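
Added example, not part of the original report and not Suricata code: a debug-only log macro whose `%s` arguments are evaluated only in builds compiled with `-DDEBUG`, with each string argument guarded against NULL before it is formatted. `TlsData`, `LOG_DEBUG`, `SafeStr` and `FormatTlsDebug` are hypothetical names, and the sample fingerprint value is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the keyword data; only two fields are modelled. */
typedef struct TlsData_ {
    const char *subject;     /* stays NULL when only a fingerprint is parsed */
    const char *fingerprint; /* filled in by the fingerprint parser */
} TlsData;

/* Debug logging that disappears in release builds, so its arguments are
 * only evaluated (and can only crash) when built with -DDEBUG. */
#ifdef DEBUG
#define LOG_DEBUG(...) do { fprintf(stderr, __VA_ARGS__); fputc('\n', stderr); } while (0)
#else
#define LOG_DEBUG(...) do { } while (0)
#endif

/* Map NULL to a printable marker; passing NULL to %s is undefined behavior. */
static const char *SafeStr(const char *s)
{
    return s != NULL ? s : "(unset)";
}

/* Build the log line with every %s argument guarded.
 * Returns snprintf's result (length of the full message). */
int FormatTlsDebug(char *out, size_t len, const TlsData *tls)
{
    return snprintf(out, len, "TLS subject %s, fingerprint %s",
                    SafeStr(tls->subject), SafeStr(tls->fingerprint));
}

int main(void)
{
    /* Constructed sample: fingerprint set, subject left NULL. */
    TlsData tls = { NULL, "00:11:22:33 (constructed)" };
    char line[128];

    FormatTlsDebug(line, sizeof(line), &tls);
    LOG_DEBUG("%s", line); /* emitted only in a -DDEBUG build */
    puts(line);
    return 0;
}
```

Building the same file with and without `-DDEBUG` shows why a defect of this kind goes unnoticed in release builds: the log statement and its arguments are not compiled in at all.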

Actions #1

Updated by Peter Manev over 9 years ago

Which Suricata version is this reproducible on?

Actions #2

Updated by jeongun baek over 9 years ago

Peter Manev wrote:

Which Suricata version is this reproducible on?

Suricata version is "2.1dev (rev 22272f6)"

Actions #3

Updated by Victor Julien over 9 years ago

  • Status changed from New to Closed
  • Assignee set to Victor Julien
  • Target version set to 2.1beta2
  • % Done changed from 0 to 100

Fixed by https://github.com/inliniac/suricata/commit/8b4615f8e79d2230ffa243ceb1395aae7945bb95 in the master branch. Also addressed in the master-2.0.x branch.

Thanks for your report.
