Bug #1550 (Closed)
Segmentation Fault at detect-engine-content-inspection.c:438
Description
Current master segfaults at detect-engine-content-inspection.c:438
DCERPCState *dcerpc_state = (DCERPCState *)data;
==> flags |= ((dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] & 0x10) ?
DETECT_BYTEJUMP_LITTLE: 0);
Backtrace follows:
#0 0x000000000046d35f in DetectEngineContentInspection (de_ctx=de_ctx@entry=0x1d5b640,
det_ctx=det_ctx@entry=0x7ff63dd8a4b0, s=s@entry=0x10c7cb70, sm=0x10c7dca0, f=f@entry=0x7ff619e586e0,
buffer=buffer@entry=0x7ff14f303bf8 "", buffer_len=2886, stream_start_offset=0, inspection_mode=1 '\001', data=0x0)
at detect-engine-content-inspection.c:438
#1 0x000000000046d19e in DetectEngineContentInspection (de_ctx=de_ctx@entry=0x1d5b640,
det_ctx=det_ctx@entry=0x7ff63dd8a4b0, s=s@entry=0x10c7cb70, sm=0x10c7db90, f=f@entry=0x7ff619e586e0,
buffer=buffer@entry=0x7ff14f303bf8 "", buffer_len=2886, stream_start_offset=0, inspection_mode=1 '\001', data=0x0)
at detect-engine-content-inspection.c:332
#2 0x000000000046d19e in DetectEngineContentInspection (de_ctx=de_ctx@entry=0x1d5b640,
det_ctx=det_ctx@entry=0x7ff63dd8a4b0, s=s@entry=0x10c7cb70, sm=0x10c7d8e0, f=f@entry=0x7ff619e586e0,
buffer=buffer@entry=0x7ff14f303bf8 "", buffer_len=2886, stream_start_offset=0, inspection_mode=1 '\001', data=0x0)
at detect-engine-content-inspection.c:332
#3 0x000000000046d19e in DetectEngineContentInspection (de_ctx=de_ctx@entry=0x1d5b640,
det_ctx=det_ctx@entry=0x7ff63dd8a4b0, s=s@entry=0x10c7cb70, sm=0x10c7d630, f=f@entry=0x7ff619e586e0,
buffer=0x7ff14f303bf8 "", buffer_len=2886, stream_start_offset=0, inspection_mode=1 '\001', data=0x0)
at detect-engine-content-inspection.c:332
#4 0x000000000047ba66 in DetectEngineInspectStreamPayload (de_ctx=de_ctx@entry=0x1d5b640,
det_ctx=det_ctx@entry=0x7ff63dd8a4b0, s=s@entry=0x10c7cb70, f=f@entry=0x7ff619e586e0, payload=<optimized out>,
payload_len=<optimized out>) at detect-engine-payload.c:114
#5 0x000000000044e984 in SigMatchSignatures (th_v=th_v@entry=0x20ac07d0, de_ctx=0x1d5b640,
det_ctx=det_ctx@entry=0x7ff63dd8a4b0, p=p@entry=0x7ff63dcff5e0) at detect.c:1654
#6 0x000000000044f0d0 in Detect (tv=0x20ac07d0, p=0x7ff63dcff5e0, data=<optimized out>, pq=<optimized out>,
postpq=<optimized out>) at detect.c:2024
#7 0x00000000005309b6 in TmThreadsSlotVarRun (tv=tv@entry=0x20ac07d0, p=p@entry=0x7ff63dcff5e0,
slot=slot@entry=0x20ac0a20) at tm-threads.c:132
#8 0x000000000050a555 in TmThreadsSlotProcessPkt (p=0x7ff63dcff5e0, s=0x20ac0a20, tv=0x20ac07d0) at tm-threads.h:147
#9 AFPReadFromRing (ptv=ptv@entry=0x7ff653fffe90) at source-af-packet.c:874
#10 0x000000000050cd83 in ReceiveAFPLoop (tv=0x20ac07d0, data=0x7ff653fffe90, slot=<optimized out>)
at source-af-packet.c:1214
Updated by Alessandro Guido about 9 years ago
Currently I'm testing a patch that ensures `data` is !NULL
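Added example, not code from this report or from Suricata: the crash-site pattern quoted in the description (an unconditional dereference of `data`) beside a guarded version of the kind the comment above describes. The struct layouts are stand-ins (only `packed_drep[0]` matters), `DETECT_BYTEJUMP_LITTLE` is given an assumed value, and the guarded function signals a missing DCERPC state to its caller with -1 rather than dereferencing NULL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DETECT_BYTEJUMP_LITTLE 0x01  /* assumed value; the real bit is Suricata's */

/* Stand-in structs (assumed layout): only the packed_drep byte is used here.
 * In DCE/RPC, bit 0x10 of packed_drep[0] selects little-endian integers. */
typedef struct { uint8_t packed_drep[4]; } DCERPCHdr;
typedef struct { DCERPCHdr dcerpchdr; } DCERPC;
typedef struct { DCERPC dcerpc; } DCERPCState;

/* Crash-site pattern from the report: `data` is cast and dereferenced unconditionally.
 * When the inspection runs on a raw stream payload there is no DCERPC state and
 * data == NULL, which is the SIGSEGV in the backtrace. */
static uint32_t bytejump_flags_unchecked(uint32_t flags, const void *data)
{
    const DCERPCState *dcerpc_state = (const DCERPCState *)data;
    flags |= ((dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] & 0x10) ?
              DETECT_BYTEJUMP_LITTLE : 0);
    return flags;
}

/* Guarded version: without a DCERPC state the dcerpc-flavoured byte_jump cannot be
 * evaluated, so return -1 and let the caller treat it as "no match" for this
 * content inspection. Otherwise return the (possibly extended) flags. */
static int bytejump_flags_checked(uint32_t flags, const void *data)
{
    if (data == NULL)
        return -1;
    const DCERPCState *dcerpc_state = (const DCERPCState *)data;
    if (dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] & 0x10)
        flags |= DETECT_BYTEJUMP_LITTLE;
    return (int)flags;
}

int main(void)
{
    /* Constructed DCERPC state advertising little-endian data representation. */
    DCERPCState le_state = {{{{0x10, 0x00, 0x00, 0x00}}}};

    printf("with state:    flags=%d\n", bytejump_flags_checked(0, &le_state));
    printf("without state: result=%d (no match, no crash)\n",
           bytejump_flags_checked(0, NULL));
    /* bytejump_flags_unchecked(0, NULL) would reproduce the segfault. */
    printf("unchecked, valid state: flags=%u\n",
           bytejump_flags_unchecked(0, &le_state));
    return 0;
}
```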
Updated by Alessandro Guido about 9 years ago
- File 0001-Segfault-fix.patch added
The attached patch avoids the segfaults
Updated by Alessandro Guido about 9 years ago
Evil packet
Updated by Alessandro Guido about 9 years ago
Evil config
Updated by Victor Julien about 9 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version set to 2.0.9
- Private changed from No to Yes
Updated by Victor Julien about 9 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
- Private changed from Yes to No
Fix applied and extended a bit, thanks Guido. We'll look into better supporting this detection logic later.
Updated by Andreas Herz almost 9 years ago
The user "iro" in IRC said that the fix was applied in 2.x but not in 3.0, and I couldn't find it there either.
Updated by Alessandro Guido almost 9 years ago
Andreas Herz wrote:
The user "iro" in IRC said that the fix was applied in 2.x but not in 3.0, and I couldn't find it there either.
Yep, that would be me :)
Committed patch was: https://github.com/inliniac/suricata/commit/d7b0ec8c91600811b246f79b5ffbcb498aef2c7a