Bug #1340

closed

null ptr dereference in Suricata v2.1beta2 (output-json.c:347)

Added by Eduardo Arada over 9 years ago. Updated almost 9 years ago.

Status: Closed
Priority: Normal

Description

Hi,

I've got a segfault today. Here are the build and bt outputs:

This is Suricata version 2.1beta2 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_LIBJANSSON
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.7.2, C version 199901
L1 cache line size (CLS)=64
compiled with LibHTP v0.5.15, linked against LibHTP v0.5.15
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  DAG enabled:                             no
  Napatech enabled:                        no
  Unix socket enabled:                     yes
  Detection enabled:                       yes

  libnss support:                          no
  libnspr support:                         no
  libjansson support:                      yes
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             no
  libluajit:                               no
  libgeoip:                                no
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no

  Suricatasc install:                      yes

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Coccinelle / spatch:                     no

Generic build parameters:
  Installation prefix (--prefix):          /usr
  Configuration directory (--sysconfdir):  /etc/suricata/
  Log directory (--localstatedir) :        /var/log/suricata/

  Host:                                    x86_64-unknown-linux-gnu
  GCC binary:                              gcc
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
(gdb) bt full
#0  0x00007ffff737e194 in pthread_mutex_lock () from /lib/x86_64-linux-gnu/libpthread.so.0
No symbol table info available.
#1  0x0000000000568761 in OutputJSONBuffer (js=0xec93a0, file_ctx=0x0, buffer=0x30527d50) at output-json.c:347
        js_s = 0x3054a710 "{\"timestamp\":\"2014-12-17T22:27:21.635729\",\"flow_id\":691273264,\"event_type\":\"flow\",\"src_ip\":\"192.168.183.135\",\"src_port\":22,\"dest_ip\":\"192.168.183.1\",\"dest_port\":54987,\"proto\":\"TCP\",\"flow\":{\"pkts_toser"...
#2  0x00000000005599b6 in JsonFlowLogger (tv=0x305279d0, thread_data=0x1f14530, f=0x2933fe30) at output-json-flow.c:327
        jhl = 0x1f14530
        buffer = 0x30527d50
        js = 0xec93a0
#3  0x000000000055119f in OutputFlowLog (tv=0x305279d0, thread_data=0x671a9e0, f=0x2933fe30) at output-flow.c:110
        __PRETTY_FUNCTION__ = "OutputFlowLog" 
        op_thread_data = 0x671a9e0
        logger = 0x178fde0
        store = 0x671bb30
#4  0x0000000000527dcd in FlowRecycler (th_v=0x305279d0, thread_data=0x1f132a0) at flow-manager.c:821
        f = 0x2933fe30
        len = 5
        ts = {tv_sec = 1418851641, tv_usec = 635729}
        cond_time = {tv_sec = 1419244658, tv_nsec = 0}
        flow_update_delay_sec = 1
        flow_update_delay_nsec = 0
        recycled_cnt = 0
        ftd = 0x1f132a0
        __PRETTY_FUNCTION__ = "FlowRecycler" 
        __FUNCTION__ = "FlowRecycler" 
#5  0x00000000005c557c in TmThreadsManagement (td=0x305279d0) at tm-threads.c:954
        tv = 0x305279d0
        s = 0x30527ad0
        r = TM_ECODE_OK
        __PRETTY_FUNCTION__ = "TmThreadsManagement" 
        __FUNCTION__ = "TmThreadsManagement" 
#6  0x00007ffff737bb50 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
No symbol table info available.
#7  0x00007ffff6c687bd in clone () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#8  0x0000000000000000 in ?? ()
No symbol table info available.
(gdb)
(gdb) up
#1  0x0000000000568761 in OutputJSONBuffer (js=0xec93a0, file_ctx=0x0, buffer=0x30527d50) at output-json.c:347
347         SCMutexLock(&file_ctx->fp_mutex);
(gdb) p file_ctx
$1 = (LogFileCtx *) 0x0

As you can see above, it is a dereference of file_ctx when it is null.

Steps to reproduce:

1 - Start suricata with unix-socket support and the attached yaml file

/usr/bin/suricata -c /etc/suricata/suricata.yaml --unix-socket --pidfile=/var/run/suricata/suricata.pid

2 - Scan 2 pcap files with suricatasc
root@suricata:~# suricatasc
Command list: shutdown, command-list, help, version, uptime, running-mode, capture-mode, conf-get, dump-counters, pcap-file, pcap-file-number, pcap-file-list, pcap-current, quit
>>> pcap-file /root/out.pcap /tmp/suricata/
Success:
"Successfully added file to list" 
>>> pcap-file /root/out.pcap /tmp/suricata/
Success:
"Successfully added file to list" 
>>>

3 - Crash
Files

suricata.yaml (49.9 KB) suricata.yaml Eduardo Arada, 12/22/2014 05:24 AM
#1

Updated by Victor Julien over 9 years ago

Could you try the git master? I can't reproduce the issue, but it's possible we already fixed it.

#2

Updated by Eduardo Arada over 9 years ago

Just tested with This is Suricata version 2.1dev (rev bcfd614)

But I've got the same behaviour. What do you need to reproduce it?

#3

Updated by Victor Julien almost 9 years ago

Can you retry with the current git master? I made some changes to the unix socket reload logic.

#4

Updated by Eduardo Arada almost 9 years ago

I just retried with the latest git master - 2.1dev (rev 94321b8). It works well until I turn eve-log's bi-directional flows on. Then it crashes again at the following line, because jhl->flowlog_ctx is null.

output-json-flow.c:327         OutputJSONBuffer(js, jhl->flowlog_ctx->file_ctx, buffer);

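An added example (constructed here, not Suricata's code and not from this report) modelling in C the two call sites from the backtrace and from comment #4: the unchecked lock from output-json.c:347 beside a variant that fails closed when the flow logger's output context was never initialised. LogFileCtx, file_ctx, flowlog_ctx and TM_ECODE_OK come from the page; the other type and function names are simplified stand-ins.

```c
#include <stdio.h>
#include <pthread.h>

/* Constructed, simplified stand-ins for Suricata's structures (assumed). */
typedef struct LogFileCtx_ {
    FILE *fp;
    pthread_mutex_t fp_mutex;
} LogFileCtx;
typedef struct OutputJsonCtx_ { LogFileCtx *file_ctx; } OutputJsonCtx;
typedef struct JsonFlowLogThread_ {
    OutputJsonCtx *flowlog_ctx; /* NULL in the crash from comment #4 */
} JsonFlowLogThread;
enum { TM_ECODE_OK = 0, TM_ECODE_FAILED = 1 };

/* Pattern from output-json.c:347: &file_ctx->fp_mutex with file_ctx == NULL dereferences NULL. */
static int OutputJSONBufferUnchecked(const char *js_s, LogFileCtx *file_ctx)
{
    pthread_mutex_lock(&file_ctx->fp_mutex); /* segfaults when file_ctx == NULL */
    fprintf(file_ctx->fp, "%s\n", js_s);
    pthread_mutex_unlock(&file_ctx->fp_mutex);
    return TM_ECODE_OK;
}

/* Hardened variant: an uninitialised output context is an error for this record, not a crash. */
static int OutputJSONBufferChecked(const char *js_s, LogFileCtx *file_ctx)
{
    if (file_ctx == NULL || file_ctx->fp == NULL)
        return TM_ECODE_FAILED;
    pthread_mutex_lock(&file_ctx->fp_mutex);
    fprintf(file_ctx->fp, "%s\n", js_s);
    pthread_mutex_unlock(&file_ctx->fp_mutex);
    return TM_ECODE_OK;
}

/* Call site from output-json-flow.c:327, checking jhl->flowlog_ctx before following it. */
static int JsonFlowLoggerChecked(JsonFlowLogThread *jhl, const char *js_s)
{
    if (jhl == NULL || jhl->flowlog_ctx == NULL)
        return TM_ECODE_FAILED;
    return OutputJSONBufferChecked(js_s, jhl->flowlog_ctx->file_ctx);
}

int main(void)
{
    LogFileCtx ctx = { stdout, PTHREAD_MUTEX_INITIALIZER };
    OutputJsonCtx jctx = { &ctx };
    JsonFlowLogThread ok = { &jctx }, broken = { NULL };
    const char *rec = "{\"event_type\":\"flow\",\"proto\":\"TCP\"}"; /* constructed record */
    OutputJSONBufferUnchecked(rec, &ctx); /* safe here: ctx is initialised */
    printf("ok=%d broken=%d\n", JsonFlowLoggerChecked(&ok, rec), JsonFlowLoggerChecked(&broken, rec));
    return 0;
}
```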
#5

Updated by Victor Julien almost 9 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version set to 2.1beta4

Looks like I found a way to reproduce this.

#6

Updated by Victor Julien almost 9 years ago

Can you try this pull request? https://github.com/inliniac/suricata/pull/1456

#7

Updated by Eduardo Arada almost 9 years ago

Hey, it fixes the problem. It works well in my lab; I made some pcap scans and it seems it doesn't crash again.

Thank you Victor.

#8

Updated by Victor Julien almost 9 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

Thanks for testing Eduardo!

Merged: https://github.com/inliniac/suricata/pull/1456
