Bug #1751
closed
Suricata segfault caused by java download
Added by Michael Dods about 8 years ago.
Updated almost 8 years ago.
Description
The segfault is reproducable and occurs when a PC downstream of the IDS/IPS tries to initiate a Java update. The java download never actually starts. In my case Java 8 update 77. Refer the following link.
http://javadl.oracle.com/webapps/download/AutoDL?BundleId=207231
This is Suricata version 3.0 RELEASE
Mar 25 11:17:35 10.0.0.151 kernel: [SysLog]: [Site allowed: oracle.112.2o7.net] from source 10.0.0.9,
Mar 25 11:17:38 10.0.0.151 kernel: [SysLog]: [Site allowed: javadl.oracle.com] from source 10.0.0.9,
Mar 25 11:17:38 SELKS kernel: [61860.202241] AFPacketeth2430767: segfault at 2 ip 00007ff353084a6c sp 00007ff3397ef260 error 4
Mar 25 11:17:38 SELKS kernel: [61860.601737] device eth1 left promiscuous mode
Mar 25 11:17:39 SELKS kernel: [61861.007224] device eth2 left promiscuous mode
The issue started about one week ago, where I performed an apt update of the system.
It can be fixed with a 'service suricata restart', until the next time it fails.
More detail in the attachments.
Files
- Assignee changed from Michael Dods to OISF Dev
- Target version changed from 3.0.1 to 70
I can't reproduce it, but if you can it would be useful if you capture a pcap from that traffic. Maybe using the pcap we would be able to reproduce the issue.
The update to Suricata 3.01RC1 fixed the problem. Incidentally, I got a Wireshark trace of the issue, and the only thing that stood out at the time of failure was the length of the URL in the Java download request, being 210 characters in total. There were some other sites that also randomly triggered this fault but I couldn't identify them. So for the mean time, it appears the URL length was the issue.
Resolved,
Michael
Would you be able to share the pcap? The URL length idea makes little sense if the changes between 3.0 -> 3.0.1 fixed this issue.
OK, here's the pcap.
It fails at line 48. After that, the path through Suricata is broken and my PC (at 10.0.0.9) keeps trying for a response.
Incidentally, my Suricata has 3 NICS. in, out & mgt
- Status changed from New to Closed
- Assignee deleted (
OISF Dev)
- Target version deleted (
70)
I haven't been able to find any issue or reproduce it on 3.0. But thanks for sharing Michael!
Also available in: Atom
PDF
