Project

General

Profile

Actions

Bug #1340

closed

null ptr dereference in Suricata v2.1beta2 (output-json.c:347)

Added by Eduardo Arada about 10 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

I've got a segfault today. Here is the build and bt outputs:

This is Suricata version 2.1beta2 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_LIBJANSSON
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.7.2, C version 199901
L1 cache line size (CLS)=64
compiled with LibHTP v0.5.15, linked against LibHTP v0.5.15
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  DAG enabled:                             no
  Napatech enabled:                        no
  Unix socket enabled:                     yes
  Detection enabled:                       yes

  libnss support:                          no
  libnspr support:                         no
  libjansson support:                      yes
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             no
  libluajit:                               no
  libgeoip:                                no
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no

  Suricatasc install:                      yes

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Coccinelle / spatch:                     no

Generic build parameters:
  Installation prefix (--prefix):          /usr
  Configuration directory (--sysconfdir):  /etc/suricata/
  Log directory (--localstatedir) :        /var/log/suricata/

  Host:                                    x86_64-unknown-linux-gnu
  GCC binary:                              gcc
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
(gdb) bt full
#0  0x00007ffff737e194 in pthread_mutex_lock () from /lib/x86_64-linux-gnu/libpthread.so.0
No symbol table info available.
#1  0x0000000000568761 in OutputJSONBuffer (js=0xec93a0, file_ctx=0x0, buffer=0x30527d50) at output-json.c:347
        js_s = 0x3054a710 "{\"timestamp\":\"2014-12-17T22:27:21.635729\",\"flow_id\":691273264,\"event_type\":\"flow\",\"src_ip\":\"192.168.183.135\",\"src_port\":22,\"dest_ip\":\"192.168.183.1\",\"dest_port\":54987,\"proto\":\"TCP\",\"flow\":{\"pkts_toser"...
#2  0x00000000005599b6 in JsonFlowLogger (tv=0x305279d0, thread_data=0x1f14530, f=0x2933fe30) at output-json-flow.c:327
        jhl = 0x1f14530
        buffer = 0x30527d50
        js = 0xec93a0
#3  0x000000000055119f in OutputFlowLog (tv=0x305279d0, thread_data=0x671a9e0, f=0x2933fe30) at output-flow.c:110
        __PRETTY_FUNCTION__ = "OutputFlowLog" 
        op_thread_data = 0x671a9e0
        logger = 0x178fde0
        store = 0x671bb30
#4  0x0000000000527dcd in FlowRecycler (th_v=0x305279d0, thread_data=0x1f132a0) at flow-manager.c:821
        f = 0x2933fe30
        len = 5
        ts = {tv_sec = 1418851641, tv_usec = 635729}
        cond_time = {tv_sec = 1419244658, tv_nsec = 0}
        flow_update_delay_sec = 1
        flow_update_delay_nsec = 0
        recycled_cnt = 0
        ftd = 0x1f132a0
        __PRETTY_FUNCTION__ = "FlowRecycler" 
        __FUNCTION__ = "FlowRecycler" 
#5  0x00000000005c557c in TmThreadsManagement (td=0x305279d0) at tm-threads.c:954
        tv = 0x305279d0
        s = 0x30527ad0
        r = TM_ECODE_OK
        __PRETTY_FUNCTION__ = "TmThreadsManagement" 
        __FUNCTION__ = "TmThreadsManagement" 
#6  0x00007ffff737bb50 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
No symbol table info available.
#7  0x00007ffff6c687bd in clone () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#8  0x0000000000000000 in ?? ()
No symbol table info available.
(gdb)
(gdb) up
#1  0x0000000000568761 in OutputJSONBuffer (js=0xec93a0, file_ctx=0x0, buffer=0x30527d50) at output-json.c:347
347         SCMutexLock(&file_ctx->fp_mutex);
(gdb) p file_ctx
$1 = (LogFileCtx *) 0x0

As you can see before, it is a dereference of file_ctx when is null.

Steps to reproduce:

1 - Starts suricata with unix-socket support and the attached yaml file

/usr/bin/suricata -c /etc/suricata/suricata.yaml --unix-socket --pidfile=/var/run/suricata/suricata.pid

2 - Scan 2 pcap files with suricatasc
root@suricata:~# suricatasc
Command list: shutdown, command-list, help, version, uptime, running-mode, capture-mode, conf-get, dump-counters, pcap-file, pcap-file-number, pcap-file-list, pcap-current, quit
>>> pcap-file /root/out.pcap /tmp/suricata/
Success:
"Successfully added file to list" 
>>> pcap-file /root/out.pcap /tmp/suricata/
Success:
"Successfully added file to list" 
>>>

3 - Crash


Files

suricata.yaml (49.9 KB) suricata.yaml Eduardo Arada, 12/22/2014 05:24 AM
Actions #1

Updated by Victor Julien almost 10 years ago

Could you try the git master? I can't reproduce the issue, but it's possible we already fixed it.

Actions #2

Updated by Eduardo Arada almost 10 years ago

Just tested with This is Suricata version 2.1dev (rev bcfd614)

But I've got the same behaviour. What do you need for reproduce it?

Actions #3

Updated by Victor Julien over 9 years ago

Can you retry with the current git master? I made some changes to the unix socket reload logic.

Actions #4

Updated by Eduardo Arada over 9 years ago

I just retry with the last git master - 2.1dev (rev 94321b8). It works well until I turn eve-log's bi-directional flows on. then It crashes again at the following line, because jhl->flowlog_ctx is null.

output-json-flow.c:327         OutputJSONBuffer(js, jhl->flowlog_ctx->file_ctx, buffer);

Actions #5

Updated by Victor Julien over 9 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version set to 2.1beta4

Looks like I found a way to reproduce this.

Actions #6

Updated by Victor Julien over 9 years ago

Can you try this pull request? https://github.com/inliniac/suricata/pull/1456

Actions #7

Updated by Eduardo Arada over 9 years ago

Hey, It fixes the problem. It works well at my lab, I made some pcap scans and seems it don't crashes again.

Thank you Victor.

Actions #8

Updated by Victor Julien over 9 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

Thanks for testing Eduardo!

Merged: https://github.com/inliniac/suricata/pull/1456

Actions

Also available in: Atom PDF