Bug #1319: segfault in Suricata v2.1beta2 (flow-hash.c:244) - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #1319

closed

segfault in Suricata v2.1beta2 (flow-hash.c:244)

Added by Terry Lim about 10 years ago. Updated almost 9 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Victor Julien

Target version:

Affected Versions:

Effort:

Difficulty:

Label:

Description

Hi,
I have a segfault on today, please look gdb bt full

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/bin/suricata -c /etc/suricata/suricata.yaml --pfring-int=eth2 --pfring-cluster'.
Program terminated with signal 11, Segmentation fault.
#0  FlowGetKey (p=0xb1bd7c28) at flow-hash.c:244
244                 uint32_t psrc = IPV4_GET_RAW_IPSRC_U32(ICMPV4_GET_EMB_IPV4(p));
(gdb) bt full
#0  FlowGetKey (p=0xb1bd7c28) at flow-hash.c:244
        psrc = <optimized out>
        pdst = <optimized out>
        fhk = {{{src = 2981101256, dst = 134633352, sp = 13436, dp = 2369, proto = 0, recur = 0, vlan_id = {36852, 46936}}, u32 = {2981101256, 134633352,
              155268220, 0, 3076034548}}}
        hash = <optimized out>
        key = <optimized out>
#1  FlowGetFlowFromHash (tv=0x23d23a78, dtv=0xb1affe78, p=0xb1bd7c28) at flow-hash.c:506
        f = 0x0
        key = 516
        fb = <optimized out>
#2  0x08126cd1 in FlowHandlePacket (tv=0x23d23a78, dtv=0xb1affe78, p=0xb1bd7c28) at flow.c:243
        f = <optimized out>
#3  0x08093cd8 in DecodeICMPV4 (tv=0x23d23a78, dtv=0xb1affe78, p=0xb1bd7c28, pkt=0xb1bd810a "\003\004\226", <incomplete sequence \361>, len=56, pq=0x2415d820)
    at decode-icmpv4.c:195
        icmp4eh = 0xb1bd810a
#4  0x08094a3d in DecodeIPV4 (tv=0x23d23a78, dtv=0xb1affe78, p=0xb1bd7c28, pkt=0xb1bd80f6 "E\001", len=76, pq=0x2415d820) at decode-ipv4.c:569
No locals.
#5  0x0809324f in DecodeEthernet (tv=0x23d23a78, dtv=0xb1affe78, p=0xb1bd7c28, pkt=0xb1bd80e8 "", len=90, pq=0x2415d820) at decode-ethernet.c:60
No locals.
#6  0x081837bc in DecodePfring (pq=0x2415d820, data=0xb1affe78, p=0xb1bd7c28, tv=0x23d23a78, postpq=<optimized out>) at source-pfring.c:626
No locals.
#7  DecodePfring (tv=0x23d23a78, p=0xb1bd7c28, data=0xb1affe78, pq=0x2415d820, postpq=0x0) at source-pfring.c:598
        dtv = 0xb1affe78
#8  0x0819abdb in TmThreadsSlotVarRun (tv=0x23d23a78, p=0xb1bd7c28, slot=0x2415d800) at tm-threads.c:575
        SlotFunc = 0x81836d0 <DecodePfring>
        r = <optimized out>
        s = 0x2415d800
        extra_p = <optimized out>
#9  0x08183c15 in TmThreadsSlotProcessPkt (p=0xb1bd7c28, s=0x2415d800, tv=0x23d23a78) at tm-threads.h:148
        r = TM_ECODE_OK
#10 ReceivePfringLoop (tv=0x23d23a78, data=0xb1cffd68, slot=0x2415ff98) at source-pfring.c:349
        pkt_buffer = 0xb1bd80e8 "" 
        buffer_size = <optimized out>
        r = <optimized out>
        ptv = 0xb1cffd68
        p = 0xb1bd7c28
        hdr = {ts = {tv_sec = 1416267649, tv_usec = 577232}, caplen = 90, len = 90, extended_hdr = {timestamp_ns = 1416267649577232253, flags = 0,
            rx_direction = 1 '\001', if_index = 4, pkt_hash = 1036900932, tx = {bounce_interface = -1, reserved = 0x0}, parsed_header_len = 0, parsed_pkt = {
              dmac = "\000\022", <incomplete sequence \306>, smac = "\000\"U\212A\177", eth_type = 2048, vlan_id = 0, ip_version = 4 '\004', l3_proto = 1 '\001',
              ip_tos = 1 '\001', ip_src = {v6 = {__in6_u = {__u6_addr8 = "\001$p\317", '\000' <repeats 11 times>, __u6_addr16 = {9217, 53104, 0, 0, 0, 0, 0, 0},
                    __u6_addr32 = {3480232961, 0, 0, 0}}}, v4 = 3480232961}, ip_dst = {v6 = {__in6_u = {__u6_addr8 = "B\266]n", '\000' <repeats 11 times>,
---Type <return> to continue, or q <return> to quit---
                    __u6_addr16 = {46658, 28253, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {1851635266, 0, 0, 0}}}, v4 = 1851635266}, l4_src_port = 0, l4_dst_port = 0,
              tcp = {flags = 0 '\000', seq_num = 0, ack_num = 0}, tunnel = {tunnel_id = 4294967295, tunneled_proto = 0 '\000', tunneled_ip_src = {v6 = {__in6_u = {
                      __u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, v4 = 0}, tunneled_ip_dst = {
                  v6 = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, v4 = 0},
                tunneled_l4_src_port = 0, tunneled_l4_dst_port = 0}, last_matched_plugin_id = 0, last_matched_rule_id = 65535, offset = {eth_offset = -14,
                vlan_offset = 0, l3_offset = 14, l4_offset = 34, payload_offset = 0}}}}
        s = 0x2415ff98
        last_dump = 1416267649
        current_time = {tv_sec = 1416267649, tv_usec = 578053}
        rc = <optimized out>
        __FUNCTION__ = "ReceivePfringLoop" 
#11 0x0819e3ea in TmThreadsSlotPktAcqLoop (td=0x23d23a78) at tm-threads.c:722
        tv = 0x23d23a78
        s = 0x2415ff98
        run = <optimized out>
        r = <optimized out>
        slot = <optimized out>
        __FUNCTION__ = "TmThreadsSlotPktAcqLoop" 
#12 0xb7577d4c in start_thread () from /lib/i386-linux-gnu/libpthread.so.0
No symbol table info available.
#13 0xb72e69de in clone () from /lib/i386-linux-gnu/libc.so.6
No symbol table info available.
(gdb)

Actions

Copy link

Updated by Terry Lim about 10 years ago

Hi,
I have a segfault on today, please look gdb bt full

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/bin/suricata c /etc/suricata/suricata.yaml --pfring-int=eth2 --pfring-cluster'.
Program terminated with signal 11, Segmentation fault.
#0 FlowGetKey (p=0xb1bd7c28) at flow-hash.c:244
244 uint32_t psrc = IPV4_GET_RAW_IPSRC_U32(ICMPV4_GET_EMB_IPV4(p));
(gdb) bt full
#0 FlowGetKey (p=0xb1bd7c28) at flow-hash.c:244
 psrc = <optimized out>
 pdst = <optimized out>
 fhk = {{{src = 2981101256, dst = 134633352, sp = 13436, dp = 2369, proto = 0, recur = 0, vlan_id = {36852, 46936}}, u32 = {2981101256, 134633352,
 155268220, 0, 3076034548}}}
 hash = <optimized out>
 key = <optimized out>
#1 FlowGetFlowFromHash (tv=0x23d23a78, dtv=0xb1affe78, p=0xb1bd7c28) at flow-hash.c:506
 f = 0x0
 key = 516
 fb = <optimized out>
#2 0x08126cd1 in FlowHandlePacket (tv=0x23d23a78, dtv=0xb1affe78, p=0xb1bd7c28) at flow.c:243
 f = <optimized out>
#3 0x08093cd8 in DecodeICMPV4 (tv=0x23d23a78, dtv=0xb1affe78, p=0xb1bd7c28, pkt=0xb1bd810a "\003\004\226", <incomplete sequence \361>, len=56, pq=0x2415d820)
 at decode-icmpv4.c:195
 icmp4eh = 0xb1bd810a
#4 0x08094a3d in DecodeIPV4 (tv=0x23d23a78, dtv=0xb1affe78, p=0xb1bd7c28, pkt=0xb1bd80f6 "E\001", len=76, pq=0x2415d820) at decode-ipv4.c:569
No locals.
#5 0x0809324f in DecodeEthernet (tv=0x23d23a78, dtv=0xb1affe78, p=0xb1bd7c28, pkt=0xb1bd80e8 "", len=90, pq=0x2415d820) at decode-ethernet.c:60
No locals.
#6 0x081837bc in DecodePfring (pq=0x2415d820, data=0xb1affe78, p=0xb1bd7c28, tv=0x23d23a78, postpq=<optimized out>) at source-pfring.c:626
No locals.
#7 DecodePfring (tv=0x23d23a78, p=0xb1bd7c28, data=0xb1affe78, pq=0x2415d820, postpq=0x0) at source-pfring.c:598
 dtv = 0xb1affe78
#8 0x0819abdb in TmThreadsSlotVarRun (tv=0x23d23a78, p=0xb1bd7c28, slot=0x2415d800) at tm-threads.c:575
 SlotFunc = 0x81836d0 <DecodePfring>
 r = <optimized out>
 s = 0x2415d800
 extra_p = <optimized out>
#9 0x08183c15 in TmThreadsSlotProcessPkt (p=0xb1bd7c28, s=0x2415d800, tv=0x23d23a78) at tm-threads.h:148
 r = TM_ECODE_OK
#10 ReceivePfringLoop (tv=0x23d23a78, data=0xb1cffd68, slot=0x2415ff98) at source-pfring.c:349
 pkt_buffer = 0xb1bd80e8 "" 
 buffer_size = <optimized out>
 r = <optimized out>
 ptv = 0xb1cffd68
 p = 0xb1bd7c28
 hdr = {ts = {tv_sec = 1416267649, tv_usec = 577232}, caplen = 90, len = 90, extended_hdr = {timestamp_ns = 1416267649577232253, flags = 0,
 rx_direction = 1 '\001', if_index = 4, pkt_hash = 1036900932, tx = {bounce_interface = -1, reserved = 0x0}, parsed_header_len = 0, parsed_pkt = {
 dmac = "\000\022", <incomplete sequence \306>, smac = "\000\"U\212A\177", eth_type = 2048, vlan_id = 0, ip_version = 4 '\004', l3_proto = 1 '\001',
 ip_tos = 1 '\001', ip_src = {v6 = {__in6_u = {__u6_addr8 = "\001$p\317", '\000' <repeats 11 times>, u6_addr16 = {9217, 53104, 0, 0, 0, 0, 0, 0},
 _u6_addr32 = {3480232961, 0, 0, 0}}}, v4 = 3480232961}, ip_dst = {v6 = {_in6_u = {__u6_addr8 = "B\266]n", '\000' <repeats 11 times>,
---Type <return> to continue, or q <return> to quit--
 _u6_addr16 = {46658, 28253, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {1851635266, 0, 0, 0}}}, v4 = 1851635266}, l4_src_port = 0, l4_dst_port = 0,
 tcp = {flags = 0 '\000', seq_num = 0, ack_num = 0}, tunnel = {tunnel_id = 4294967295, tunneled_proto = 0 '\000', tunneled_ip_src = {v6 = {_in6_u = {
 _u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, v4 = 0}, tunneled_ip_dst = {
 v6 = {_in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, v4 = 0},
 tunneled_l4_src_port = 0, tunneled_l4_dst_port = 0}, last_matched_plugin_id = 0, last_matched_rule_id = 65535, offset = {eth_offset = -14,
 vlan_offset = 0, l3_offset = 14, l4_offset = 34, payload_offset = 0}}}}
 s = 0x2415ff98
 last_dump = 1416267649
 current_time = {tv_sec = 1416267649, tv_usec = 578053}
 rc = <optimized out>
 __FUNCTION = "ReceivePfringLoop" 
#11 0x0819e3ea in TmThreadsSlotPktAcqLoop (td=0x23d23a78) at tm-threads.c:722
 tv = 0x23d23a78
 s = 0x2415ff98
 run = <optimized out>
 r = <optimized out>
 slot = <optimized out>
FUNCTION = "TmThreadsSlotPktAcqLoop" 
#12 0xb7577d4c in start_thread () from /lib/i386-linux-gnu/libpthread.so.0
No symbol table info available.
#13 0xb72e69de in clone () from /lib/i386-linux-gnu/libc.so.6
No symbol table info available.
(gdb)

Actions

Copy link