Bug #183
closedsegv inside of ThresholdTimeoutRemove()
Description
Somewhat hard to reproduce bug, and hard to trim the pcap as it's threshold related. Contact me for pcap download.
(gdb) bt full
#0 0x080846e0 in ThresholdTimeoutRemove (de_ctx=0x8e3bd20, tv=0x8ad6aec) at detect-engine-threshold.c:180
tsh = 0xabff7fd8
next = 0xa48c9bc0
buck = 0xabff7f90
#1 0x08085590 in PacketAlertThreshold (de_ctx=0x8e3bd20, det_ctx=0xcb08bb0, td=0x9baf110, p=0x8ad6ab8, s=0x9baff50) at detect-engine-threshold.c:553
ret = 0
lookup_tsh = 0xad0f7f90
ste = {tv_timeout = 4, seconds = 60, sid = 2001579, tv_sec1 = 52136, current_count = 3048655784, addr = {family = 2 '\002', address = {address_un_data32 = {4150591242, 0, 0, 0}, address_un_data16 = {65290, 63332, 0, 0, 0, 0, 0,
0}, address_un_data8 = "\n\377d\367", '\000' <repeats 11 times>}}, gid = 0 '\000', ipv = 4 '\004', track = 2 '\002'}
#2 0x0808450f in PacketAlertHandle (de_ctx=0x8e3bd20, det_ctx=0xcb08bb0, s=0x9baff50, p=0x8ad6ab8, pos=0) at detect-engine-threshold.c:79
ret = 0
td = 0x9baf110
#3 0x0807b908 in PacketAlertFinalize (de_ctx=0x8e3bd20, det_ctx=0xcb08bb0, p=0x8ad6ab8) at detect-engine-alert.c:154
res = 163184779
i = 0
s = 0x9baff50
#4 0x08074450 in SigMatchSignatures (th_v=0xb5b6cab8, de_ctx=0x8e3bd20, det_ctx=0xcb08bb0, p=0x8ad6ab8) at detect.c:934
match = 1
fmatch = 1
s = 0xc90e750
sm = 0x0
idx = 773
alproto = 0
alstate = 0x0
flags = 32 ' '
cnt = 0
sgh = 0x0
use_flow_sgh = 0 '\000'
smsg = 0x0
no_store_flow_sgh = 0 '\000'
de_state_start = 1 '\001'
#5 0x0807467d in Detect (tv=0xb5b6cab8, p=0x8ad6ab8, data=0xcb08bb0, pq=0xb5b6cb50, postpq=0xb5b6cba8) at detect.c:1007
det_ctx = 0xcb08bb0
de_ctx = 0x8e3bd20
r = 4
#6 0x0810e94b in TmThreadsSlot1 (td=0xb5b6cab8) at tm-threads.c:406
tv = 0xb5b6cab8
s = 0xb5b6cb38
p = 0x8ad6ab8
run = 1 '\001'
r = TM_ECODE_OK
#7 0xb774396e in start_thread (arg=0xb28fcb70) at pthread_create.c:300
res = <value optimized out>
__ignore1 = <value optimized out>
__ignore2 = <value optimized out>
pd = 0xb28fcb70
now = <value optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1217052684, 0, 4001536, -1299200920, -2052862496, 1918284267}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <value optimized out>
robust = <value optimized out>
freesize = <value optimized out>
__PRETTY_FUNCTION = "start_thread"
#8 0xb7661a4e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locals.
Updated by Will Metcalf over 14 years ago
hit it again, different box, different arch, different OS, different pcap.
(gdb) bt full
#0 0x08082230 in ThresholdTimeoutRemove (de_ctx=0x8cc4518, tv=0x87b8ea4) at detect-engine-threshold.c:180
tsh = 0xb04f7fd8
next = 0xb26f8e80
buck = 0xb0ff8fb8
#1 0x08082f52 in PacketAlertThreshold (de_ctx=0x8cc4518, det_ctx=0xb3c00468, td=0x9920370, p=0x87b8e70, s=0x991fd28) at detect-engine-threshold.c:553
ret = 0
lookup_tsh = 0xb17f7f30
ste = {tv_timeout = 183, seconds = 60, sid = 2009885, tv_sec1 = 142316679, current_count = 355, addr = {family = 2 '\002', address = {address_un_data32 = {2030113802, 0, 0, 0}, address_un_data16 = {5130, 30977, 0, 0, 0, 0, 0,
0}, address_un_data8 = "\n\024\001y", '\000' <repeats 11 times>}}, gid = 0 '\000', ipv = 4 '\004', track = 1 '\001'}
#2 0x0808205f in PacketAlertHandle (de_ctx=0x8cc4518, det_ctx=0xb3c00468, s=0x991fd28, p=0x87b8e70, pos=0) at detect-engine-threshold.c:79
ret = 0
td = 0x9920370
#3 0x08079d77 in PacketAlertFinalize (de_ctx=0x8cc4518, det_ctx=0xb3c00468, p=0x87b8e70) at detect-engine-alert.c:154
res = 0
i = 0
s = 0x991fd28
#4 0x08072a86 in SigMatchSignatures (th_v=0xe33d0c8, de_ctx=0x8cc4518, det_ctx=0xb3c00468, p=0x87b8e70) at detect.c:934
match = 1
fmatch = 1
s = 0xc4db678
sm = 0x0
idx = 672
alproto = 0
alstate = 0x0
flags = 64 '@'
cnt = 70
sgh = 0x1011de60
use_flow_sgh = 1 '\001'
smsg = 0x0
no_store_flow_sgh = 0 '\000'
de_state_start = 1 '\001'
#5 0x08072cc7 in Detect (tv=0xe33d0c8, p=0x87b8e70, data=0xb3c00468, pq=0xd8b9750, postpq=0xd8b97a8) at detect.c:1007
det_ctx = 0xb3c00468
de_ctx = 0x8cc4518
r = 142315120
#6 0x08102e7e in TmThreadsSlot1 (td=0xe33d0c8) at tm-threads.c:406
tv = 0xe33d0c8
s = 0xd8b9738
p = 0x87b8e70
run = 1 '\001'
r = TM_ECODE_OK
#7 0x00d4b919 in start_thread (arg=0xb4dffb70) at pthread_create.c:301
__res = <value optimized out>
__ignore1 = -1272971236
__ignore2 = -1752556072
pd = 0xb4dffb70
now = <value optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {14012404, 0, 4001536, -1260391320, 1637853318, 1997052910}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <value optimized out>
pagesize_m1 = <value optimized out>
sp = <value optimized out>
freesize = <value optimized out>
#8 0x003ace5e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:133
Updated by Victor Julien over 14 years ago
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from 0.9.3 to 1.0.0
- % Done changed from 0 to 100
Couldn't reproduce, but did find a (possibly) related issue. Closing. Please reopen if the issue isn't fixed.
Updated by Victor Julien over 14 years ago
- Status changed from New to Closed
More issues have been fixed by Pablo.