Bug #1751

closed

Suricata segfault caused by java download

Added by Michael Dods about 8 years ago. Updated almost 8 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

The segfault is reproducible and occurs when a PC downstream of the IDS/IPS tries to initiate a Java update. The Java download never actually starts. In my case Java 8 update 77. Refer to the following link.
http://javadl.oracle.com/webapps/download/AutoDL?BundleId=207231

This is Suricata version 3.0 RELEASE
Mar 25 11:17:35 10.0.0.151 kernel: [SysLog]: [Site allowed: oracle.112.2o7.net] from source 10.0.0.9,
Mar 25 11:17:38 10.0.0.151 kernel: [SysLog]: [Site allowed: javadl.oracle.com] from source 10.0.0.9,
Mar 25 11:17:38 SELKS kernel: [61860.202241] AFPacketeth2430767: segfault at 2 ip 00007ff353084a6c sp 00007ff3397ef260 error 4
Mar 25 11:17:38 SELKS kernel: [61860.601737] device eth1 left promiscuous mode
Mar 25 11:17:39 SELKS kernel: [61861.007224] device eth2 left promiscuous mode

The issue started about one week ago, when I performed an apt update of the system.

It can be fixed with a 'service suricata restart', until the next time it fails.

More detail in the attachments.


Files

suricata-segfault-25032015.txt (5 KB) - AFPacketeth24[30767]: segfault - Michael Dods, 03/24/2016 08:23 PM
java update.jpg (45.9 KB) - screen capture of download request - Michael Dods, 03/24/2016 08:35 PM
crash with IDS-IPS-line 48.pcapng (30.7 KB) - Michael Dods, 04/12/2016 08:03 AM
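
Added example, not part of the original report or of Suricata's code: a Python decoder for the kernel `segfault at ... error N` line quoted in the description, useful for triage before a backtrace is available. It assumes the Linux x86 page-fault error-code bit layout; the function name, the near-NULL heuristic and the second sample line are illustrative.

```python
import re

# x86 page-fault error-code bits as printed (in hex) by the Linux kernel.
# (mask, meaning when set, meaning when clear or None)
PF_BITS = [
    (0x01, "protection violation", "page not present"),
    (0x02, "write access", "read access"),
    (0x04, "user mode", "kernel mode"),
    (0x08, "reserved bit set in page table", None),
    (0x10, "instruction fetch", None),
]

SEGV_RE = re.compile(
    r"(?P<comm>\S+?)(?:\[(?P<pid>\d+)\])?: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
)

def decode_segfault(line):
    """Return a dict describing a kernel segfault log line, or None."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    err = int(m["err"], 16)
    addr = int(m["addr"], 16)
    flags = []
    for mask, if_set, if_clear in PF_BITS:
        if err & mask:
            flags.append(if_set)
        elif if_clear:
            flags.append(if_clear)
    return {
        "task": m["comm"],
        "pid": m["pid"],  # None when the log lost the [pid] brackets
        "fault_addr": addr,
        "ip": int(m["ip"], 16),
        "flags": flags,
        # Heuristic: a fault inside the first 4 KiB page usually means a
        # NULL pointer plus a small field offset was dereferenced.
        "near_null": addr < 0x1000,
    }

# Line copied from the report above.
REPORT_LINE = ("Mar 25 11:17:38 SELKS kernel: [61860.202241] AFPacketeth2430767: "
               "segfault at 2 ip 00007ff353084a6c sp 00007ff3397ef260 error 4")
# Constructed sample with the [pid] brackets intact and a write fault.
CONSTRUCTED_LINE = ("kernel: [  100.000000] demo[1234]: segfault at 7ffc00001000 "
                    "ip 0000000000401136 sp 00007ffc00000ff0 error 6 in demo[400000+1000]")

if __name__ == "__main__":
    for sample in (REPORT_LINE, CONSTRUCTED_LINE):
        print(decode_segfault(sample))
```

For the line in this report the decoder yields a user-mode read of a not-present page at address 0x2, which points at the faulting thread but not the code path; the backtrace is still needed for that.
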
Actions #1

Updated by Victor Julien about 8 years ago

  • Assignee changed from Michael Dods to OISF Dev
  • Target version changed from 3.0.1 to 70

Can you try the new 3.0.1RC1 release? If that also crashes, can you provide a backtrace as documented in https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs. Thanks!

Actions #2

Updated by Victor Julien about 8 years ago

I can't reproduce it, but if you can it would be useful if you capture a pcap from that traffic. Maybe using the pcap we would be able to reproduce the issue.

Actions #3

Updated by Michael Dods about 8 years ago

The update to Suricata 3.01RC1 fixed the problem. Incidentally, I got a Wireshark trace of the issue, and the only thing that stood out at the time of failure was the length of the URL in the Java download request, being 210 characters in total. There were some other sites that also randomly triggered this fault but I couldn't identify them. So for the meantime, it appears the URL length was the issue.

Resolved,
Michael

Actions #4

Updated by Victor Julien about 8 years ago

Would you be able to share the pcap? The URL length idea makes little sense if the changes between 3.0 -> 3.0.1 fixed this issue.

Actions #5

Updated by Michael Dods about 8 years ago

OK, here's the pcap.
It fails at line 48. After that, the path through Suricata is broken and my PC (at 10.0.0.9) keeps trying for a response.

Incidentally, my Suricata has 3 NICs: in, out & mgt.

Actions #6

Updated by Victor Julien almost 8 years ago

  • Status changed from New to Closed
  • Assignee deleted (OISF Dev)
  • Target version deleted (70)

I haven't been able to find any issue or reproduce it on 3.0. But thanks for sharing Michael!
