Bug #1550 (Closed)
Segmentation Fault at detect-engine-content-inspection.c:438
Description
Current master segfaults at detect-engine-content-inspection.c:438
    DCERPCState *dcerpc_state = (DCERPCState *)data;
==> flags |= ((dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] & 0x10) ?
                DETECT_BYTEJUMP_LITTLE : 0);
Backtrace follows:
#0 0x000000000046d35f in DetectEngineContentInspection (de_ctx=de_ctx@entry=0x1d5b640,
det_ctx=det_ctx@entry=0x7ff63dd8a4b0, s=s@entry=0x10c7cb70, sm=0x10c7dca0, f=f@entry=0x7ff619e586e0,
buffer=buffer@entry=0x7ff14f303bf8 "", buffer_len=2886, stream_start_offset=0, inspection_mode=1 '\001', data=0x0)
at detect-engine-content-inspection.c:438
#1 0x000000000046d19e in DetectEngineContentInspection (de_ctx=de_ctx@entry=0x1d5b640,
det_ctx=det_ctx@entry=0x7ff63dd8a4b0, s=s@entry=0x10c7cb70, sm=0x10c7db90, f=f@entry=0x7ff619e586e0,
buffer=buffer@entry=0x7ff14f303bf8 "", buffer_len=2886, stream_start_offset=0, inspection_mode=1 '\001', data=0x0)
at detect-engine-content-inspection.c:332
#2 0x000000000046d19e in DetectEngineContentInspection (de_ctx=de_ctx@entry=0x1d5b640,
det_ctx=det_ctx@entry=0x7ff63dd8a4b0, s=s@entry=0x10c7cb70, sm=0x10c7d8e0, f=f@entry=0x7ff619e586e0,
buffer=buffer@entry=0x7ff14f303bf8 "", buffer_len=2886, stream_start_offset=0, inspection_mode=1 '\001', data=0x0)
at detect-engine-content-inspection.c:332
#3 0x000000000046d19e in DetectEngineContentInspection (de_ctx=de_ctx@entry=0x1d5b640,
det_ctx=det_ctx@entry=0x7ff63dd8a4b0, s=s@entry=0x10c7cb70, sm=0x10c7d630, f=f@entry=0x7ff619e586e0,
buffer=0x7ff14f303bf8 "", buffer_len=2886, stream_start_offset=0, inspection_mode=1 '\001', data=0x0)
at detect-engine-content-inspection.c:332
#4 0x000000000047ba66 in DetectEngineInspectStreamPayload (de_ctx=de_ctx@entry=0x1d5b640,
det_ctx=det_ctx@entry=0x7ff63dd8a4b0, s=s@entry=0x10c7cb70, f=f@entry=0x7ff619e586e0, payload=<optimized out>,
payload_len=<optimized out>) at detect-engine-payload.c:114
#5 0x000000000044e984 in SigMatchSignatures (th_v=th_v@entry=0x20ac07d0, de_ctx=0x1d5b640,
det_ctx=det_ctx@entry=0x7ff63dd8a4b0, p=p@entry=0x7ff63dcff5e0) at detect.c:1654
#6 0x000000000044f0d0 in Detect (tv=0x20ac07d0, p=0x7ff63dcff5e0, data=<optimized out>, pq=<optimized out>,
postpq=<optimized out>) at detect.c:2024
#7 0x00000000005309b6 in TmThreadsSlotVarRun (tv=tv@entry=0x20ac07d0, p=p@entry=0x7ff63dcff5e0,
slot=slot@entry=0x20ac0a20) at tm-threads.c:132
#8 0x000000000050a555 in TmThreadsSlotProcessPkt (p=0x7ff63dcff5e0, s=0x20ac0a20, tv=0x20ac07d0) at tm-threads.h:147
#9 AFPReadFromRing (ptv=ptv@entry=0x7ff653fffe90) at source-af-packet.c:874
#10 0x000000000050cd83 in ReceiveAFPLoop (tv=0x20ac07d0, data=0x7ff653fffe90, slot=<optimized out>)
at source-af-packet.c:1214
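The crash above is a NULL dereference: the detection engine is inspecting a stream payload (data=0x0 in every frame of the backtrace), and the byte_jump code casts that `data` pointer to a DCE/RPC state and reads the NDR data-representation byte from it. The following is an added example, not Suricata's code and not the committed fix: a simplified model of the endianness-flag computation in its crashing form next to a guarded form that treats "rule asks for DCE/RPC state but none is available" as no match. All type, macro and function names here (ModelDcerpcState, MODEL_BYTEJUMP_DCE, model_bytejump, etc.) are assumed stand-ins, and the payload and state values are constructed, not captured traffic.

```c
/* Added example, not Suricata's own code: a simplified model of the
 * byte_jump endianness-flag computation at the crashing line, in a
 * "before" form that dereferences `data` unconditionally and a guarded
 * form that refuses to match when no DCE/RPC state is available.
 * All type and macro names here are assumed stand-ins for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_BYTEJUMP_LITTLE 0x01  /* assumed: read the value little-endian */
#define MODEL_BYTEJUMP_DCE    0x02  /* assumed: rule used the "dce" modifier */

/* Stand-in for the DCE/RPC header fields the real code reads. In NDR the
 * high nibble of packed_drep[0] is the integer byte order (1 = little-endian). */
typedef struct {
    uint8_t packed_drep[4];
} ModelDcerpcHdr;

typedef struct {
    ModelDcerpcHdr dcerpchdr;
} ModelDcerpcState;

/* Before: mirrors the crashing line. With data == NULL this is a NULL
 * dereference, which is what the backtrace above shows (data=0x0). */
int model_flags_unchecked(int flags, const void *data)
{
    const ModelDcerpcState *st = (const ModelDcerpcState *)data;
    flags |= ((st->dcerpchdr.packed_drep[0] & 0x10) ? MODEL_BYTEJUMP_LITTLE : 0);
    return flags;
}

/* After: only consult the DCE/RPC state when the rule asked for it, and
 * treat "asked for it but no state" as no match (return -1) instead of
 * crashing. Stream payload inspection can legitimately pass data == NULL. */
int model_flags_checked(int flags, const void *data)
{
    if (flags & MODEL_BYTEJUMP_DCE) {
        if (data == NULL)
            return -1;  /* no DCE/RPC state for this buffer: cannot match */
        const ModelDcerpcState *st = (const ModelDcerpcState *)data;
        flags |= ((st->dcerpchdr.packed_drep[0] & 0x10) ? MODEL_BYTEJUMP_LITTLE : 0);
    }
    return flags;
}

/* Read `nbytes` (1..4) at `offset` from `buf` with the endianness selected by
 * `flags`, bounds-checked. Returns the value, or -1 if the read is out of range. */
long model_bytejump_read(const uint8_t *buf, size_t len, size_t offset,
                         size_t nbytes, int flags)
{
    if (nbytes == 0 || nbytes > 4 || offset > len || len - offset < nbytes)
        return -1;
    uint32_t v = 0;
    for (size_t i = 0; i < nbytes; i++) {
        size_t idx = (flags & MODEL_BYTEJUMP_LITTLE) ? (nbytes - 1 - i) : i;
        v = (v << 8) | buf[offset + idx];
    }
    return (long)v;
}

/* Whole keyword evaluation in the model: resolve flags first, then read.
 * Returns the jump value, or -1 for "no match" (including missing state). */
long model_bytejump(const uint8_t *buf, size_t len, size_t offset,
                    size_t nbytes, int kw_flags, const void *data)
{
    int flags = model_flags_checked(kw_flags, data);
    if (flags < 0)
        return -1;
    return model_bytejump_read(buf, len, offset, nbytes, flags);
}

int main(void)
{
    /* Constructed sample payload and DCE/RPC states (not captured traffic). */
    const uint8_t payload[] = { 0x00, 0x34, 0x12, 0xff };
    ModelDcerpcState le = { { { 0x10, 0, 0, 0 } } };  /* little-endian drep */
    ModelDcerpcState be = { { { 0x00, 0, 0, 0 } } };  /* big-endian drep */

    printf("le:       %ld\n", model_bytejump(payload, sizeof payload, 1, 2, MODEL_BYTEJUMP_DCE, &le));
    printf("be:       %ld\n", model_bytejump(payload, sizeof payload, 1, 2, MODEL_BYTEJUMP_DCE, &be));
    printf("no state: %ld\n", model_bytejump(payload, sizeof payload, 1, 2, MODEL_BYTEJUMP_DCE, NULL));
    return 0;
}
```

The point of the guarded form is that the same rule that crashes the engine on a stream buffer simply fails to match there, which is the behaviour a detection keyword should have when the context it depends on does not exist for the buffer being inspected.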
Updated by Alessandro Guido almost 10 years ago
Currently I'm testing a patch that ensures `data` is !NULL
Updated by Alessandro Guido almost 10 years ago
- File 0001-Segfault-fix.patch added
The attached patch avoids the segfaults
Updated by Alessandro Guido almost 10 years ago
Evil packet
Updated by Alessandro Guido almost 10 years ago
Evil config
Updated by Victor Julien almost 10 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version set to 2.0.9
- Private changed from No to Yes
Updated by Victor Julien over 9 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
- Private changed from Yes to No
Fix applied and extended a bit, thanks Guido. We'll look into better supporting this detection logic later.
Updated by Andreas Herz over 9 years ago
The user "iro" in IRC said that the fix was applied in 2.x but not in 3.0, and I couldn't find it there either.
Updated by Alessandro Guido over 9 years ago
Andreas Herz wrote:
The user "iro" in IRC said that the fix was applied in 2.x but not in 3.0, and I couldn't find it there either.
Yep, that would be me :)
Committed patch was: https://github.com/inliniac/suricata/commit/d7b0ec8c91600811b246f79b5ffbcb498aef2c7a