Project

General

Profile

Actions

Bug #17

closed

Segv inside of chunked http response body parsing

Added by Will Metcalf about 15 years ago. Updated almost 15 years ago.

Status:
Closed
Priority:
High
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The engine segv's when parsing a chunked encoded response body. Patch with unittest and pcap are attached. Unit test may need to be redone after segv is fixed.

Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/&gt;...
Reading symbols from /home/coz/downloads/oisfnew/src/eidps...done.
[New Thread 13604]
[New Thread 13599]
[New Thread 13608]
[New Thread 13601]
[New Thread 13605]
[New Thread 13609]
[New Thread 13603]
[New Thread 13606]
[New Thread 13607]
[New Thread 13611]
[New Thread 13610]

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libhtp-0.1.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libhtp-0.1.so.1
Reading symbols from /usr/lib/libpcap.so.0.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpcap.so.0.8
Reading symbols from /usr/local/lib/libpfring.so...done.
Loaded symbols for /usr/local/lib/libpfring.so
Reading symbols from /usr/lib/libnet.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libnet.so.1
Reading symbols from /lib/libpthread.so.0...Reading symbols from /usr/lib/debug/lib/libpthread-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/libyaml-0.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libyaml-0.so.1
Reading symbols from /lib/libpcre.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib/libpcre.so.3
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib/libgcc_s.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libgcc_s.so.1
Core was generated by `src/eidps -c oisf.yaml -r /home/coz/sandnetchunked.pcap -l ./'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007fec198ef2a1 in htp_connp_RES_BODY_CHUNKED_LENGTH () from /usr/lib/libhtp-0.1.so.1
(gdb) bt full
#0 0x00007fec198ef2a1 in htp_connp_RES_BODY_CHUNKED_LENGTH () from /usr/lib/libhtp-0.1.so.1
No symbol table info available.
#1 0x00007fec198ee701 in htp_connp_res_data () from /usr/lib/libhtp-0.1.so.1
No symbol table info available.
#2 0x00000000004afcf0 in HTPHandleResponseData (htp_state=0x5113320, pstate=<value optimized out>,
input=0x3aadb9c "HTTP/1.1 200 OK\r\nDate: Sat, 03 Oct 2009 10:16:02 GMT\r\nServer: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7a PHP/4.4.7 mod_perl/1.29 FrontPage/5.0.2.2510\r\nX-Powered-By: PHP/4.4.7\r\nTransfer-Encodin"...,
input_len=391865820, output=<value optimized out>) at app-layer-htp.c:138
tv = {tv_sec = 1261068594, tv_usec = 594642}
FUNCTION = "HTPHandleResponseData"
#3 0x00000000004a4b94 in AppLayerDoParse (app_layer_state=0x5117d50, parser_state=0x3, input=0x10 <Address 0x10 out of bounds>, input_len=391865820, parser_idx=<value optimized out>, proto=48) at app-layer-parser.c:590
retval = <value optimized out>
result = {head = 0x0, tail = 0x0, cnt = 0}
r = <value optimized out>
PRETTY_FUNCTION = "AppLayerDoParse"
e = <value optimized out>
#4 0x00000000004a4db0 in AppLayerParse (f=0x25919a0, proto=<value optimized out>, flags=<value optimized out>,
input=0x3aadb9c "HTTP/1.1 200 OK\r\nDate: Sat, 03 Oct 2009 10:16:02 GMT\r\nServer: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7a PHP/4.4.7 mod_perl/1.29 FrontPage/5.0.2.2510\r\nX-Powered-By: PHP/4.4.7\r\nTransfer-Encodin"...,
input_len=391865820, need_lock=0 '\000') at app-layer-parser.c:747
parser_idx = <value optimized out>
p = <value optimized out>
ssn = 0x3a61a10
parser_state_store = <value optimized out>
parser_state = 0x51132e0
app_layer_state = 0x4
r = <value optimized out>
FUNCTION = "AppLayerParse"
#5 0x00000000004a2da0 in AppLayerHandleMsg (smsg=0x3aadb60, need_lock=0 '\000') at app-layer-detect-proto.c:335
alproto = 3
r = <value optimized out>
ssn = 0x3a61a10
#6 0x00000000004957d4 in StreamTcpReassembleProcessAppLayer (ra_ctx=0x2d54b10) at stream-tcp-reassemble.c:1232
smsg = 0x580
r = 0
#7 0x00000000004916a6 in StreamTcpPacket (tv=<value optimized out>, p=0x2659610, stt=0x2d54d90) at stream-tcp.c:1941
ssn = 0x3a61a10
#8 0x00000000004927d9 in StreamTcp (tv=0x2c33d20, p=0x2659610, data=0x2d54d90, pq=<value optimized out>) at stream-tcp.c:1959
No locals.
#9 0x0000000000488ef6 in TmThreadsSlot1 (td=<value optimized out>) at tm-threads.c:325
tv = 0x2c33d20
s = 0x2c33df0
p = 0x2659610
r = <value optimized out>
#10 0x00007fec19080a04 in start_thread (arg=<value optimized out>) at pthread_create.c:300
__res = <value optimized out>
pd = 0x7fec175b7910
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140651980880144, 8811170107587606422, 140735379873488, 0, 0, 3, -8818120425081096298, -8818150774101461098}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <value optimized out>
robust = <value optimized out>
#11 0x00007fec1899b7bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#12 0x0000000000000000 in ?? ()
No symbol table info available.


Files

chunkedresponsebugfiles.tar.gz (2.85 KB) chunkedresponsebugfiles.tar.gz pcap and unittest patch. Will Metcalf, 12/17/2009 10:41 AM
Actions #1

Updated by Will Metcalf about 15 years ago

Looks like it's more than just chunked encoded response bodies..

Core was generated by `src/eidps -r /home/coz/downloads/dc17ctf.pcap -s current-all-blah.rules -l ./ -'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007f42c5ec10c3 in htp_connp_RES_BODY_DETERMINE () from /usr/lib/libhtp-0.1.so.1
(gdb) bt full
#0 0x00007f42c5ec10c3 in htp_connp_RES_BODY_DETERMINE () from /usr/lib/libhtp-0.1.so.1
No symbol table info available.
#1 0x00007f42c5ec0701 in htp_connp_res_data () from /usr/lib/libhtp-0.1.so.1
No symbol table info available.
#2 0x00000000004afcf0 in HTPHandleResponseData (htp_state=0xf787f98, pstate=<value optimized out>, input=0xa <Address 0xa out of bounds>, input_len=3283650012, output=0x3) at app-layer-htp.c:136
tv = {tv_sec = 1261091422, tv_usec = 528521}
FUNCTION = "HTPHandleResponseData"
#3 0x00000000004a4b94 in AppLayerDoParse (app_layer_state=0xab21390, parser_state=0x42e3720, input=0x7f42bccfff50 "\004", input_len=3283650012, parser_idx=3, proto=53) at app-layer-parser.c:584
retval = <value optimized out>
result = {head = 0x0, tail = 0x0, cnt = 0}
r = <value optimized out>
PRETTY_FUNCTION = "AppLayerDoParse"
e = <value optimized out>
#4 0x00000000004a4db0 in AppLayerParse (f=0x29d82b0, proto=<value optimized out>, flags=<value optimized out>,
input=0x7f42bcd4dcfc "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\nContent-Length: 345\r\nDate: Fri, 31 Jul 2009 19:22:59 GMT\r\nServer: lighttpd/1.4.22\r\n\r\n\n<!DOCTYPE html PUBLIC "..., input_len=3283650012, need_lock=0 '\000') at app-layer-parser.c:732
parser_idx = 3
p = 0x35
ssn = 0x7f42bccfff50
parser_state_store = 0x4
parser_state = 0x42e3720
app_layer_state = <value optimized out>
r = <value optimized out>
FUNCTION = "AppLayerParse"
#5 0x00000000004a2da0 in AppLayerHandleMsg (smsg=0x7f42bcd4dcc0, need_lock=0 '\000') at app-layer-detect-proto.c:335
alproto = 3
r = <value optimized out>
ssn = 0x7f42bccfff50
#6 0x00000000004957d4 in StreamTcpReassembleProcessAppLayer (ra_ctx=0x4713ba0) at stream-tcp-reassemble.c:1232
smsg = 0x159
r = 0
#7 0x00000000004916a6 in StreamTcpPacket (tv=<value optimized out>, p=0x294fc10, stt=0x4743420) at stream-tcp.c:1941
ssn = 0x7f42bccfff50
#8 0x00000000004927d9 in StreamTcp (tv=0x4e5a700, p=0x294fc10, data=0x4743420, pq=<value optimized out>) at stream-tcp.c:1959
No locals.
#9 0x0000000000488ef6 in TmThreadsSlot1 (td=<value optimized out>) at tm-threads.c:325
tv = 0x4e5a700
s = 0x1bda3510
p = 0x294fc10
r = <value optimized out>
#10 0x00007f42c5652a04 in start_thread (arg=<value optimized out>) at pthread_create.c:300
__res = <value optimized out>
pd = 0x7f42c3b89910
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139924728224016, 6684411947758230167, 140735894925008, 0, 0, 3, -6753629016401274217, -6753631931334288745}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <value optimized out>
robust = <value optimized out>
#11 0x00007f42c4f6d7bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#12 0x0000000000000000 in ?? ()
No symbol table info available.

Actions #2

Updated by Gurvinder Singh almost 15 years ago

  • Status changed from New to Resolved
  • Assignee changed from OISF Dev to Gurvinder Singh

There is no segv anymore after running with the given pcap and unit-test has been bit modified for the content length in the response body.

Actions #3

Updated by Victor Julien almost 15 years ago

Is this confirmed fixed for everyone?

Actions #4

Updated by Will Metcalf almost 15 years ago

  • Status changed from Resolved to Closed

Yes fixed setting to closed

Actions

Also available in: Atom PDF