Bug #1550

closed

Segmentation Fault at detect-engine-content-inspection.c:438

Added by Alessandro Guido about 9 years ago. Updated almost 9 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Current master segfaults at detect-engine-content-inspection.c:438

DCERPCState *dcerpc_state = (DCERPCState *)data;
==> flags |= ((dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] & 0x10) ?
DETECT_BYTEJUMP_LITTLE: 0);

Backtrace follows:

#0 0x000000000046d35f in DetectEngineContentInspection (de_ctx=de_ctx@entry=0x1d5b640,
det_ctx=det_ctx@entry=0x7ff63dd8a4b0, s=s@entry=0x10c7cb70, sm=0x10c7dca0, f=f@entry=0x7ff619e586e0,
buffer=buffer@entry=0x7ff14f303bf8 "", buffer_len=2886, stream_start_offset=0, inspection_mode=1 '\001', data=0x0)
at detect-engine-content-inspection.c:438
#1 0x000000000046d19e in DetectEngineContentInspection (de_ctx=de_ctx@entry=0x1d5b640,
det_ctx=det_ctx@entry=0x7ff63dd8a4b0, s=s@entry=0x10c7cb70, sm=0x10c7db90, f=f@entry=0x7ff619e586e0,
buffer=buffer@entry=0x7ff14f303bf8 "", buffer_len=2886, stream_start_offset=0, inspection_mode=1 '\001', data=0x0)
at detect-engine-content-inspection.c:332
#2 0x000000000046d19e in DetectEngineContentInspection (de_ctx=de_ctx@entry=0x1d5b640,
det_ctx=det_ctx@entry=0x7ff63dd8a4b0, s=s@entry=0x10c7cb70, sm=0x10c7d8e0, f=f@entry=0x7ff619e586e0,
buffer=buffer@entry=0x7ff14f303bf8 "", buffer_len=2886, stream_start_offset=0, inspection_mode=1 '\001', data=0x0)
at detect-engine-content-inspection.c:332
#3 0x000000000046d19e in DetectEngineContentInspection (de_ctx=de_ctx@entry=0x1d5b640,
det_ctx=det_ctx@entry=0x7ff63dd8a4b0, s=s@entry=0x10c7cb70, sm=0x10c7d630, f=f@entry=0x7ff619e586e0,
buffer=0x7ff14f303bf8 "", buffer_len=2886, stream_start_offset=0, inspection_mode=1 '\001', data=0x0)
at detect-engine-content-inspection.c:332
#4 0x000000000047ba66 in DetectEngineInspectStreamPayload (de_ctx=de_ctx@entry=0x1d5b640,
det_ctx=det_ctx@entry=0x7ff63dd8a4b0, s=s@entry=0x10c7cb70, f=f@entry=0x7ff619e586e0, payload=<optimized out>,
payload_len=<optimized out>) at detect-engine-payload.c:114
#5 0x000000000044e984 in SigMatchSignatures (th_v=th_v@entry=0x20ac07d0, de_ctx=0x1d5b640,
det_ctx=det_ctx@entry=0x7ff63dd8a4b0, p=p@entry=0x7ff63dcff5e0) at detect.c:1654
#6 0x000000000044f0d0 in Detect (tv=0x20ac07d0, p=0x7ff63dcff5e0, data=<optimized out>, pq=<optimized out>,
postpq=<optimized out>) at detect.c:2024
#7 0x00000000005309b6 in TmThreadsSlotVarRun (tv=tv@entry=0x20ac07d0, p=p@entry=0x7ff63dcff5e0,
slot=slot@entry=0x20ac0a20) at tm-threads.c:132
#8 0x000000000050a555 in TmThreadsSlotProcessPkt (p=0x7ff63dcff5e0, s=0x20ac0a20, tv=0x20ac07d0) at tm-threads.h:147
#9 AFPReadFromRing (ptv=ptv@entry=0x7ff653fffe90) at source-af-packet.c:874
#10 0x000000000050cd83 in ReceiveAFPLoop (tv=0x20ac07d0, data=0x7ff653fffe90, slot=<optimized out>)
at source-af-packet.c:1214

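The crash and the `data != NULL` check from the attached patch, modelled as an added example (not Suricata's own code): the struct stand-ins, the `DETECT_BYTEJUMP_LITTLE` value and the `byte_jump_flags_for_inspection` helper are constructed here; only the `packed_drep[0] & 0x10` test and the NULL check come from the report.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical minimal stand-ins for the Suricata types named in the crash;
 * the real DCERPCState and flag values differ, only the packed_drep[0] & 0x10
 * test is taken from the report. */
#define DETECT_BYTEJUMP_LITTLE 0x01  /* constructed placeholder bit value */

typedef struct { uint8_t packed_drep[4]; } DCERPCHdr;  /* drep byte 0, bit 0x10 = little endian */
typedef struct { struct { DCERPCHdr dcerpchdr; } dcerpc; } DCERPCState;

/* Before: the line from the report, dereferencing data unconditionally.
 * Stream-payload inspection (inspection_mode=1, data=0x0 in the backtrace)
 * hands in no DCERPC state, so this reads through a NULL pointer. */
static uint8_t dce_endian_flags_unchecked(const void *data)
{
    const DCERPCState *dcerpc_state = (const DCERPCState *)data;
    return (dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] & 0x10) ? DETECT_BYTEJUMP_LITTLE : 0;
}

/* After: the data != NULL check from the attached patch. Returns 1 and fills
 * *flags when state exists, 0 when it does not, so the caller can refuse to
 * evaluate a dce-dependent byte_jump instead of crashing. (Assumed handling,
 * modelled on the patch description; not a copy of the upstream change.) */
static int dce_endian_flags_checked(const void *data, uint8_t *flags)
{
    if (data == NULL)
        return 0;
    const DCERPCState *dcerpc_state = (const DCERPCState *)data;
    *flags = (dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] & 0x10) ? DETECT_BYTEJUMP_LITTLE : 0;
    return 1;
}

/* Constructed model of the call site: a byte_jump with the dce option under
 * DCE inspection (state present) versus stream-payload inspection (state NULL).
 * Returns the flags to use, or -1 meaning "cannot evaluate, treat as no match". */
static int byte_jump_flags_for_inspection(int dce_option, const void *data)
{
    uint8_t flags = 0;
    if (dce_option && !dce_endian_flags_checked(data, &flags))
        return -1;
    return flags;
}

int main(void)
{
    DCERPCState st = { .dcerpc.dcerpchdr.packed_drep = { 0x10 } };  /* constructed little-endian state */
    printf("unchecked, state present: flags=%d\n", dce_endian_flags_unchecked(&st));
    printf("dce option, state present: flags=%d\n", byte_jump_flags_for_inspection(1, &st));
    printf("dce option, stream payload (no state): %d\n", byte_jump_flags_for_inspection(1, NULL));
    return 0;
}
```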

Files

  • 0001-Segfault-fix.patch (944 Bytes) - check data != NULL - Alessandro Guido, 09/16/2015 10:54 AM
  • evil.pcap (278 Bytes) - Alessandro Guido, 09/17/2015 03:55 AM
  • evil.rules (488 Bytes) - Alessandro Guido, 09/17/2015 03:55 AM
  • evil.yaml (3.81 KB) - Alessandro Guido, 09/17/2015 04:00 AM
Actions #1

Updated by Alessandro Guido about 9 years ago

Currently I'm testing a patch that ensures `data` is !NULL

Actions #2

Updated by Alessandro Guido about 9 years ago

The attached patch avoids the segfaults

Actions #3

Updated by Alessandro Guido about 9 years ago

Evil packet

Actions #4

Updated by Alessandro Guido about 9 years ago

Evil rule

Actions #5

Updated by Alessandro Guido about 9 years ago

Evil config

Actions #6

Updated by Victor Julien about 9 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version set to 2.0.9
  • Private changed from No to Yes
Actions #7

Updated by Victor Julien about 9 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100
  • Private changed from Yes to No

Fix applied and extended a bit, thanks Guido. We'll look into better supporting this detection logic later.

Actions #8

Updated by Andreas Herz almost 9 years ago

The user "iro" in IRC said that the fix was applied in 2.x but not in 3.0, and I couldn't find it there either.

Actions #9

Updated by Alessandro Guido almost 9 years ago

Andreas Herz wrote:

The user "iro" in IRC said that the fix was applied in 2.x but not in 3.0, and I couldn't find it there either.

Yep, that would be me :)

Committed patch was: https://github.com/inliniac/suricata/commit/d7b0ec8c91600811b246f79b5ffbcb498aef2c7a

Actions #10

Updated by Victor Julien almost 9 years ago

Tracking for 3.x in #1698
