Bug #1340
closed
null ptr dereference in Suricata v2.1beta2 (output-json.c:347)
Description
Hi,
I've got a segfault today. Here are the build and bt outputs:
This is Suricata version 2.1beta2 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_LIBJANSSON
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.7.2, C version 199901
L1 cache line size (CLS)=64
compiled with LibHTP v0.5.15, linked against LibHTP v0.5.15
Suricata Configuration:
  AF_PACKET support: yes
  PF_RING support: no
  NFQueue support: no
  NFLOG support: no
  IPFW support: no
  DAG enabled: no
  Napatech enabled: no
  Unix socket enabled: yes
  Detection enabled: yes
  libnss support: no
  libnspr support: no
  libjansson support: yes
  Prelude support: no
  PCRE jit: yes
  LUA support: no
  libluajit: no
  libgeoip: no
  Non-bundled htp: no
  Old barnyard2 support: no
  CUDA enabled: no
  Suricatasc install: yes
  Unit tests enabled: no
  Debug output enabled: no
  Debug validation enabled: no
  Profiling enabled: no
  Profiling locks enabled: no
  Coccinelle / spatch: no
Generic build parameters:
  Installation prefix (--prefix): /usr
  Configuration directory (--sysconfdir): /etc/suricata/
  Log directory (--localstatedir) : /var/log/suricata/
  Host: x86_64-unknown-linux-gnu
  GCC binary: gcc
  GCC Protect enabled: no
  GCC march native enabled: yes
  GCC Profile enabled: no
(gdb) bt full
#0 0x00007ffff737e194 in pthread_mutex_lock () from /lib/x86_64-linux-gnu/libpthread.so.0
No symbol table info available.
#1 0x0000000000568761 in OutputJSONBuffer (js=0xec93a0, file_ctx=0x0, buffer=0x30527d50) at output-json.c:347
js_s = 0x3054a710 "{\"timestamp\":\"2014-12-17T22:27:21.635729\",\"flow_id\":691273264,\"event_type\":\"flow\",\"src_ip\":\"192.168.183.135\",\"src_port\":22,\"dest_ip\":\"192.168.183.1\",\"dest_port\":54987,\"proto\":\"TCP\",\"flow\":{\"pkts_toser"...
#2 0x00000000005599b6 in JsonFlowLogger (tv=0x305279d0, thread_data=0x1f14530, f=0x2933fe30) at output-json-flow.c:327
jhl = 0x1f14530
buffer = 0x30527d50
js = 0xec93a0
#3 0x000000000055119f in OutputFlowLog (tv=0x305279d0, thread_data=0x671a9e0, f=0x2933fe30) at output-flow.c:110
__PRETTY_FUNCTION__ = "OutputFlowLog"
op_thread_data = 0x671a9e0
logger = 0x178fde0
store = 0x671bb30
#4 0x0000000000527dcd in FlowRecycler (th_v=0x305279d0, thread_data=0x1f132a0) at flow-manager.c:821
f = 0x2933fe30
len = 5
ts = {tv_sec = 1418851641, tv_usec = 635729}
cond_time = {tv_sec = 1419244658, tv_nsec = 0}
flow_update_delay_sec = 1
flow_update_delay_nsec = 0
recycled_cnt = 0
ftd = 0x1f132a0
__PRETTY_FUNCTION__ = "FlowRecycler"
__FUNCTION__ = "FlowRecycler"
#5 0x00000000005c557c in TmThreadsManagement (td=0x305279d0) at tm-threads.c:954
tv = 0x305279d0
s = 0x30527ad0
r = TM_ECODE_OK
__PRETTY_FUNCTION__ = "TmThreadsManagement"
__FUNCTION__ = "TmThreadsManagement"
#6 0x00007ffff737bb50 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
No symbol table info available.
#7 0x00007ffff6c687bd in clone () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#8 0x0000000000000000 in ?? ()
No symbol table info available.
(gdb)
(gdb) up
#1 0x0000000000568761 in OutputJSONBuffer (js=0xec93a0, file_ctx=0x0, buffer=0x30527d50) at output-json.c:347
347 SCMutexLock(&file_ctx->fp_mutex);
(gdb) p file_ctx
$1 = (LogFileCtx *) 0x0
As you can see above, it is a dereference of file_ctx when it is null.
Steps to reproduce:
1 - Start Suricata with unix-socket support and the attached yaml file
/usr/bin/suricata -c /etc/suricata/suricata.yaml --unix-socket --pidfile=/var/run/suricata/suricata.pid
2 - Scan 2 pcap files with suricatasc
root@suricata:~# suricatasc
Command list: shutdown, command-list, help, version, uptime, running-mode, capture-mode, conf-get, dump-counters, pcap-file, pcap-file-number, pcap-file-list, pcap-current, quit
>>> pcap-file /root/out.pcap /tmp/suricata/
Success: "Successfully added file to list"
>>> pcap-file /root/out.pcap /tmp/suricata/
Success: "Successfully added file to list"
>>>
3 - Crash
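A triage helper for backtraces like the one in this report, added here as an example; it is not part of the original report or of Suricata. It parses the frame lines of gdb "bt full" output and lists every pointer argument printed as 0x0. The sample input is constructed by abridging the frames quoted above, and the names parse_frames and null_pointer_args are hypothetical.

```python
import re

# Constructed sample: frames abridged from the backtrace quoted in the report.
SAMPLE_BT = r'''#0 0x00007ffff737e194 in pthread_mutex_lock () from /lib/x86_64-linux-gnu/libpthread.so.0
No symbol table info available.
#1 0x0000000000568761 in OutputJSONBuffer (js=0xec93a0, file_ctx=0x0, buffer=0x30527d50) at output-json.c:347
#2 0x00000000005599b6 in JsonFlowLogger (tv=0x305279d0, thread_data=0x1f14530, f=0x2933fe30) at output-json-flow.c:327
jhl = 0x1f14530
#8 0x0000000000000000 in ?? ()
'''

# Frame line shape: '#N [ADDR in] FUNC (ARGS) [at FILE:LINE] [from LIB]'
FRAME_RE = re.compile(
    r'^#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>\S+) \((?P<args>.*?)\)'
    r'(?: at (?P<file>[^\s:]+):(?P<line>\d+))?'
    r'(?: from (?P<lib>\S+))?\s*$')
# Only hex-valued arguments are collected; gdb prints a NULL pointer as 0x0.
PTR_ARG_RE = re.compile(r'(\w+)=(0x[0-9a-fA-F]+)')


def parse_frames(bt_text):
    """Return one dict per '#N' frame line; lines listing locals are skipped."""
    frames = []
    for raw in bt_text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue
        frames.append({
            'num': int(m.group('num')),
            'func': m.group('func'),
            'file': m.group('file'),  # None for frames without debug info
            'line': int(m.group('line')) if m.group('line') else None,
            'ptr_args': {k: int(v, 16)
                         for k, v in PTR_ARG_RE.findall(m.group('args'))},
        })
    return frames


def null_pointer_args(frames):
    """List (frame, func, file, line, arg) for each pointer argument equal to 0."""
    return [(f['num'], f['func'], f['file'], f['line'], name)
            for f in frames
            for name, val in f['ptr_args'].items() if val == 0]


if __name__ == '__main__':
    for num, func, src, line, arg in null_pointer_args(parse_frames(SAMPLE_BT)):
        print(f'frame #{num}: {func}() at {src}:{line} called with {arg}=NULL')
```

The argument parser only handles name=0x... pairs, so string or struct arguments in a frame line are ignored rather than interpreted.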