Bug #17

closed

Segv inside of chunked http response body parsing

Added by Will Metcalf about 15 years ago. Updated almost 15 years ago.

Status: Closed
Priority: High

Description

The engine segfaults when parsing a chunked-encoded response body. A patch with a unit test and a pcap are attached. The unit test may need to be redone after the segfault is fixed.

Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/coz/downloads/oisfnew/src/eidps...done.
[New Thread 13604]
[New Thread 13599]
[New Thread 13608]
[New Thread 13601]
[New Thread 13605]
[New Thread 13609]
[New Thread 13603]
[New Thread 13606]
[New Thread 13607]
[New Thread 13611]
[New Thread 13610]

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libhtp-0.1.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libhtp-0.1.so.1
Reading symbols from /usr/lib/libpcap.so.0.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpcap.so.0.8
Reading symbols from /usr/local/lib/libpfring.so...done.
Loaded symbols for /usr/local/lib/libpfring.so
Reading symbols from /usr/lib/libnet.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libnet.so.1
Reading symbols from /lib/libpthread.so.0...Reading symbols from /usr/lib/debug/lib/libpthread-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/libyaml-0.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libyaml-0.so.1
Reading symbols from /lib/libpcre.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib/libpcre.so.3
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib/libgcc_s.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libgcc_s.so.1
Core was generated by `src/eidps -c oisf.yaml -r /home/coz/sandnetchunked.pcap -l ./'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007fec198ef2a1 in htp_connp_RES_BODY_CHUNKED_LENGTH () from /usr/lib/libhtp-0.1.so.1
(gdb) bt full
#0 0x00007fec198ef2a1 in htp_connp_RES_BODY_CHUNKED_LENGTH () from /usr/lib/libhtp-0.1.so.1
No symbol table info available.
#1 0x00007fec198ee701 in htp_connp_res_data () from /usr/lib/libhtp-0.1.so.1
No symbol table info available.
#2 0x00000000004afcf0 in HTPHandleResponseData (htp_state=0x5113320, pstate=<value optimized out>,
input=0x3aadb9c "HTTP/1.1 200 OK\r\nDate: Sat, 03 Oct 2009 10:16:02 GMT\r\nServer: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7a PHP/4.4.7 mod_perl/1.29 FrontPage/5.0.2.2510\r\nX-Powered-By: PHP/4.4.7\r\nTransfer-Encodin"...,
input_len=391865820, output=<value optimized out>) at app-layer-htp.c:138
tv = {tv_sec = 1261068594, tv_usec = 594642}
FUNCTION = "HTPHandleResponseData"
#3 0x00000000004a4b94 in AppLayerDoParse (app_layer_state=0x5117d50, parser_state=0x3, input=0x10 <Address 0x10 out of bounds>, input_len=391865820, parser_idx=<value optimized out>, proto=48) at app-layer-parser.c:590
retval = <value optimized out>
result = {head = 0x0, tail = 0x0, cnt = 0}
r = <value optimized out>
PRETTY_FUNCTION = "AppLayerDoParse"
e = <value optimized out>
#4 0x00000000004a4db0 in AppLayerParse (f=0x25919a0, proto=<value optimized out>, flags=<value optimized out>,
input=0x3aadb9c "HTTP/1.1 200 OK\r\nDate: Sat, 03 Oct 2009 10:16:02 GMT\r\nServer: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7a PHP/4.4.7 mod_perl/1.29 FrontPage/5.0.2.2510\r\nX-Powered-By: PHP/4.4.7\r\nTransfer-Encodin"...,
input_len=391865820, need_lock=0 '\000') at app-layer-parser.c:747
parser_idx = <value optimized out>
p = <value optimized out>
ssn = 0x3a61a10
parser_state_store = <value optimized out>
parser_state = 0x51132e0
app_layer_state = 0x4
r = <value optimized out>
FUNCTION = "AppLayerParse"
#5 0x00000000004a2da0 in AppLayerHandleMsg (smsg=0x3aadb60, need_lock=0 '\000') at app-layer-detect-proto.c:335
alproto = 3
r = <value optimized out>
ssn = 0x3a61a10
#6 0x00000000004957d4 in StreamTcpReassembleProcessAppLayer (ra_ctx=0x2d54b10) at stream-tcp-reassemble.c:1232
smsg = 0x580
r = 0
#7 0x00000000004916a6 in StreamTcpPacket (tv=<value optimized out>, p=0x2659610, stt=0x2d54d90) at stream-tcp.c:1941
ssn = 0x3a61a10
#8 0x00000000004927d9 in StreamTcp (tv=0x2c33d20, p=0x2659610, data=0x2d54d90, pq=<value optimized out>) at stream-tcp.c:1959
No locals.
#9 0x0000000000488ef6 in TmThreadsSlot1 (td=<value optimized out>) at tm-threads.c:325
tv = 0x2c33d20
s = 0x2c33df0
p = 0x2659610
r = <value optimized out>
#10 0x00007fec19080a04 in start_thread (arg=<value optimized out>) at pthread_create.c:300
__res = <value optimized out>
pd = 0x7fec175b7910
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140651980880144, 8811170107587606422, 140735379873488, 0, 0, 3, -8818120425081096298, -8818150774101461098}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <value optimized out>
robust = <value optimized out>
#11 0x00007fec1899b7bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#12 0x0000000000000000 in ?? ()
No symbol table info available.

Files

chunkedresponsebugfiles.tar.gz (2.85 KB) - pcap and unit test patch. Will Metcalf, 12/17/2009 10:41 AM