Suricata

repeat every time

Please provide more info. What are the steps to reproduce?

Can you get a full backtrace? https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs

Looks like this is the same issue as #1669.

Are you also on CentOS 6.7?

The os is centos 6.5

[root@bjzjm01-op-sec029007 ~]# lsb_release -a
LSB Version: :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch
Distributor ID: CentOS
Description: CentOS release 6.5 (Final)
Release: 6.5
Codename: Final
[root@bjzjm01-op-sec029007 ~]#

the isssue 1669 is not resolved ? right?

The second issue is : the stack from the coredump can not find eth functuion, why?

it is always repeating.
how to debug it? what can I do it .
1)I teste suricata2.0.7, it exist this problem.
20 I use pcap mod ,it exist this problem

Can you reproduce the problem with a pcap file? If so, can you share that (privately)?

the traffic is 2G/s so the pacp file is too large.

I can share it . even you can see it through teamviewer or other IM .

Could you try something first?

git clone https://github.com/inliniac/suricata -b dev-fix-htp-v0
cd suricata
git clone https://github.com/glongo/libhtp -b 0.5.x
bash autogen.sh
./configure <your configure options>
make
make install

And see if that crashes too?

ok I try it

I use your version , it crash too.
I use dmesg find :
RxPcapeth07¹⁴²²⁴: segfault at 8 ip 00007f64aa8d28a2 sp 00007f6499a32110 error 4
RxPcapeth06¹⁴²²³: segfault at 8 ip 00007f64aa8d28a2 sp 00007f649a6c8110 error 4
RxPcapeth04¹⁴²²¹: segfault at 8 ip 00007f64aa8d28a2 sp 00007f649bff4110 error 4
RxPcapeth07³²³⁸²: segfault at 0 ip 00007f2381d7d4f0 sp 00007f2378d9c110 error 4
RxPcapeth08³²³⁸³: segfault at 0 ip 00007f2381d7d4f0 sp 00007f235fff4110 error 4
RxPcapeth05³²³⁸⁰: segfault at 0 ip 00007f2381d7d4f0 sp 00007f237a6c8110 error 4

That thread 19 backtrace looks bad:

Thread 19 (Thread 0x7f98ca5fe700 (LWP 24752)):
#0  0x0000000000479c8f in PacketCreateMask (p=0x0, mask=0x0, alproto=0, has_state=73640512, smsg=0x7f98bc385390, app_decoder_events=32664) at detect.c:2380
#1  0x000000000047815e in SigMatchSignatures (th_v=0x463aa40, de_ctx=0x25532c0, det_ctx=0x7f98bc3ff5a0, p=0x7f98bc373af0) at detect.c:1450
#2  0x0000000000479577 in Detect (tv=0x463aa40, p=0x7f98bc373af0, data=0x7f98bc3ff5a0, pq=0x463e260, postpq=0x0) at detect.c:2031
#3  0x00000000005a959b in TmThreadsSlotVarRun (tv=0x463aa40, p=0x7f98bc373af0, slot=0x4226b90) at tm-threads.c:132
#4  0x000000000057f861 in TmThreadsSlotProcessPkt (tv=0x463aa40, s=0x4226b90, p=0x7f98bc373af0) at tm-threads.h:149
#5  0x000000000058002e in ReceivePfringLoop (tv=0x463aa40, data=0x7f98bc3748c0, slot=0x4479880) at source-pfring.c:361
#6  0x00000000005a9e11 in TmThreadsSlotPktAcqLoop (td=0x463aa40) at m-threads.c:336
#7  0x00007f98dcf829d1 in start_thread () from /lib64/libpthread.so.0
#8  0x00007f98dc461b6d in clone () from /lib64/libc.so.6

Could you print *p for the frames below 0, so frames 1 to 5?

I doubt something crash the stack, and so the crash stack is ??, no symobol tables

Victor Julien wrote:

That thread 19 backtrace looks bad:
[...]

Could you print *p for the frames below 0, so frames 1 to 5?

the core file is not exitsted. I alaways test the suricata to find priblems. so many core file .

RxPcapeth11¹⁵⁵⁵¹³: segfault at 8 ip 00007f2df80fd73b sp 00007f2de52c6220 error 4
[root@bjzjm01-op-sec029007 bin]# add
addftinfo addgnupghome addpart addr2line adduser
[root@bjzjm01-op-sec029007 bin]# addr2line -e suricata 00007f2df80fd73b
??:0

I use pcap mode , all crash in RxPcapeth
RxPcapeth07³³²⁶³: segfault at 28 ip 00007fc87965160f sp 00007fc85bff4110 error 4
RxPcapeth06³³²⁶²: segfault at 28 ip 00007fc87965160f sp 00007fc8712c6110 error 4

RxPcapeth02⁴⁴⁶⁴⁹: segfault at 28 ip 00007ffbe30484f0 sp 00007ffbe2118110 error 4
RxPcapeth07⁴⁵⁵¹⁷: segfault at 0 ip 00007f9bfcc085d3 sp 00007f9be3d5f110 error 4
RxPcapeth03⁴⁵⁵¹³: segfault at 0 ip 00007f9bfcc085d3 sp 00007f9bfb042110 error 4

RxPcapeth08²³²¹⁴⁵: segfault at 48 ip 00007fe04038d3c0 sp 00007fe0266c8110 error 4
RxPcapeth06²³²¹⁴³: segfault at 48 ip 00007fe04038d3c0 sp 00007fe027ff4110 error 4

RxPcapeth06²³⁸³³¹: segfault at 8 ip 00007f29e99b76ff sp 00007f29e179d110 error 4
RxPcapeth05²³⁸³³⁰: segfault at 8 ip 00007f29e99b76ff sp 00007f29e2433110 error 4

RxPcapeth11¹⁵⁵⁵¹³: segfault at 8 ip 00007f2df80fd73b sp 00007f2de52c6220 error 4

You can also run Suricata inside gdb:
gdb -ex run --args suricata <suri options>

Then when it crashes you can just do a 'bt' right away.

Victor Julien wrote:

You can also run Suricata inside gdb:
gdb -ex run --args suricata <suri options>

Then when it crashes you can just do a 'bt' right away.

[root@bjzjm01-op-sec029007 bin]# gdb -ex run --args ./suricata --runmode=workers -i eth0 -i eth1
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-60.el6_4.1)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/&gt;...
Reading symbols from /data/sec/kids/usr/bin/suricata...done.
Starting program: /data/sec/kids/usr/bin/suricata --runmode=workers -i eth0 -i eth1

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffbffff700 (LWP 177821)]
0x00007ffff4fc23c0 in ?? ()
Missing separate debuginfos, use: debuginfo-install file-libs-5.04-21.el6.x86_64 glibc-2.12-1.149.el6_6.9.x86_64 libnet-1.1.6-7.el6.x86_64 libpcap-1.4.0-1.20130826git2dbcaa1.el6.x86_64 numactl-2.0.9-2.el6.x86_64 zlib-1.2.3-29.el6.x86_64
(gdb)
(gdb)
(gdb)
(gdb) bt
#0 0x00007ffff4fc23c0 in ?? ()
#1 0x0000000002569b60 in ?? ()
#2 0x00007ffff4fc22c0 in ?? ()
#3 0x0000000000000001 in ?? ()
#4 0x0000000000000dac in ?? ()
#5 0x00007fffb83743be in ?? ()
#6 0x0000000000000dac in ?? ()
#7 0x00007fffb83743be in ?? ()
#8 0x00007fffb83742fa in ?? ()
#9 0x00007fffb83742f9 in ?? ()
#10 0x00007fffdc6ce01f in ?? ()
#11 0x00007fffb83742fb in ?? ()
#12 0x0000000000000002 in ?? ()
#13 0x00000000032ab2a0 in ?? ()
#14 0x0000000000000000 in ?? ()

i uee your method , but it take no effect.
how I do next?

Hi
I resolved the bug.
but I comment the code ,then no crash
suricata-3.0/src/flow.c
void FlowHandlePacket(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p) {
return; //add by me

Did you compile with debug symbols? (CFLAGS="-ggdb")

Wrt the change you made: that disables 70% of Suricata's functionality, so it's not really helpful :)

Victor Julien wrote:

Did you compile with debug symbols? (CFLAGS="-ggdb")

Wrt the change you made: that disables 70% of Suricata's functionality, so it's not really helpful :)

I use CFLAGS="-ggdb -o0" other thread stack is ok .
so I think there exist heap or stack overflow.
what need I do next?

Can you provide a fresh backtrace?

Could you try running the code in https://github.com/inliniac/suricata/pull/1912 ?

Victor Julien wrote:

Could you try running the code in https://github.com/inliniac/suricata/pull/1912 ?

i try it . it is all the same.

Can you try 3.0.1RC1? If it crashes, can you give full backtrace?

Possibly related to #1805