Bug #1456

closed

Using nfq_set_mark in rules when running in netmap mode leads to segfault

Added by Thierry MAGNIEN almost 9 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

While testing master for netmap functionality, I kept some rules with the nfq_set_mark keyword. As soon as a packet matches one of these rules, Suricata segfaults.

Note that Suricata was compiled with both nfq and netmap support.

Regards,
Thierry

Actions #1

Updated by Victor Julien almost 9 years ago

  • Status changed from New to Assigned
  • Assignee set to Eric Leblond
  • Target version set to 2.1beta4

It's likely that this will crash IPS with AF_PACKET as well.

Actions #2

Updated by Eric Leblond almost 9 years ago

Hello,

After a quick look at the code, there is no obvious bug here.

A few questions:
  • Are you using netmap in IPS mode?
  • Could you report a backtrace to help the debugging? (Please follow Reporting_Bugs for more info.)

Actions #3

Updated by Thierry MAGNIEN almost 9 years ago

Yes, IPS with copy-mode "tap".

I'll compile with debug flags and will provide a backtrace.

Thierry

Actions #4

Updated by Thierry MAGNIEN almost 9 years ago

Here you are:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffc8665700 (LWP 64976)]
0x000000000059736c in NetmapWritePacket (ntv=0x43c04b1, p=0x43bf6b0) at source-netmap.c:619
619         int dst_ring_id = p->netmap_v.ring_id % ntv->ifdst->rings_cnt;
(gdb) bt
#0  0x000000000059736c in NetmapWritePacket (ntv=0x43c04b1, p=0x43bf6b0) at source-netmap.c:619
#1  0x000000000059753f in NetmapReleasePacket (p=0x43bf6b0) at source-netmap.c:663
#2  0x00000000005ccdad in TmqhOutputPacketpool (t=0x404bac0, p=0x43bf6b0) at tmqh-packetpool.c:454
#3  0x0000000000593ed4 in TmThreadsSlotProcessPkt (tv=0x404bac0, s=0x404bd00, p=0x43bf6b0)
    at tm-threads.h:160
#4  0x000000000059786e in NetmapRingRead (ntv=0x43c04b0, ring_id=6) at source-netmap.c:741
#5  0x00000000005983be in ReceiveNetmapLoop (tv=0x404bac0, data=0x43c04b0, slot=0x404bbc0)
    at source-netmap.c:818
#6  0x00000000005cef94 in TmThreadsSlotPktAcqLoop (td=0x404bac0) at tm-threads.c:338
#7  0x00007ffff6456b50 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#8  0x00007ffff5d4395d in clone () from /lib/x86_64-linux-gnu/libc.so.6
#9  0x0000000000000000 in ?? ()
(gdb) bt full
#0  0x000000000059736c in NetmapWritePacket (ntv=0x43c04b1, p=0x43bf6b0) at source-netmap.c:619
        dst_ring_id = 0
        txring = 0x43bf6b0
        rxring = 0x445b160
        rs = 0x404c240
        ts = 0x0
        tmp_idx = 32767
#1  0x000000000059753f in NetmapReleasePacket (p=0x43bf6b0) at source-netmap.c:663
        ntv = 0x43c04b1
#2  0x00000000005ccdad in TmqhOutputPacketpool (t=0x404bac0, p=0x43bf6b0) at tmqh-packetpool.c:454
        proot = 0
#3  0x0000000000593ed4 in TmThreadsSlotProcessPkt (tv=0x404bac0, s=0x404bd00, p=0x43bf6b0)
    at tm-threads.h:160
        slot = 0x5d80045b271
        r = TM_ECODE_OK
#4  0x000000000059786e in NetmapRingRead (ntv=0x43c04b0, ring_id=6) at source-netmap.c:741
        slot = 0x7fffdf62c100
        slot_data = 0x7fffe1aae800 "" 
        p = 0x43bf6b0
        ring = 0x7fffdf62c000
        avail = 14
        cur = 0
#5  0x00000000005983be in ReceiveNetmapLoop (tv=0x404bac0, data=0x43c04b0, slot=0x404bbc0)
    at source-netmap.c:818
        src_ring_id = 6
        i = 0
        r = 1
        s = 0x404bbc0
        ntv = 0x43c04b0
        fds = 0x6c5fcc0
        rings_count = 1
        __FUNCTION__ = "ReceiveNetmapLoop" 
#6  0x00000000005cef94 in TmThreadsSlotPktAcqLoop (td=0x404bac0) at tm-threads.c:338
        tv = 0x404bac0
        s = 0x404bbc0
        run = 1 '\001'
        r = TM_ECODE_OK
        slot = 0x0
        __FUNCTION__ = "TmThreadsSlotPktAcqLoop" 
        __PRETTY_FUNCTION__ = "TmThreadsSlotPktAcqLoop" 
#7  0x00007ffff6456b50 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
No symbol table info available.
#8  0x00007ffff5d4395d in clone () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#9  0x0000000000000000 in ?? ()
No symbol table info available.

Actions #5

Updated by Victor Julien almost 9 years ago

  • Target version changed from 2.1beta4 to 3.0RC1

Actions #6

Updated by Victor Julien over 8 years ago

  • Target version changed from 3.0RC1 to TBD

Actions #7

Updated by Andreas Herz almost 7 years ago

Could you test if this is still an issue with most recent versions of Suricata?

Actions #8

Updated by Victor Julien over 6 years ago

  • Status changed from Assigned to Closed
  • Assignee deleted (Eric Leblond)
  • Target version deleted (TBD)

Time out.
