Bug #20

closed

Engine segv's when processing gzip'd http responses on 64-bit hosts.

Added by Will Metcalf almost 12 years ago. Updated almost 12 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

When processing the attached pcap the engine segv's when dealing with a gzip'd http response. This appears to only be an issue on 64-bit hosts.

Core was generated by `src/suricata c suricata.yaml -r /home/coz/sandnetgzip.pcap -l ./ -s /home/coz/'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007fa73dc726ca in htp_connp_RES_BODY_DETERMINE (connp=0x7fa73660b330) at htp_response.c:259
259 connp->out_tx->response_decompressor->callback = htp_connp_RES_BODY_DECOMPRESSOR_CALLBACK;
(gdb) bt full
#0 0x00007fa73dc726ca in htp_connp_RES_BODY_DETERMINE (connp=0x7fa73660b330) at htp_response.c:259
No locals.
#1 0x00007fa73dc71ba9 in htp_connp_res_data (connp=0x7fa73660b330, timestamp=912364192, data=0x366171d0 <Address 0x366171d0 out of bounds>, len=140356272724960) at htp_response.c:647
rc = <value optimized out>
#2 0x0000000000487ba1 in HTPHandleResponseData (f=0xc91be0, htp_state=0x7fa73660b310, pstate=0x7fa73660b2d0,
input=0x7fa734ede06c "36 GMT\r\nSet-Cookie: ident=search%3A0%7Cexitpop%3A0%7Clload%3A0%7Clvisit%3A1254698196%7Cclick%3A0%7Cblocked%3A0%7Ctoken%3Aurzysvqpuvwssvru; path=/; expires=Mon, 05-Oct-2009 23:16:36 GMT\r\nSet-Cookie: Sp"...,
input_len=512, output=0x7fa73b71ea50) at app-layer-htp.c:186
r = 1
ret = 1
hstate = 0x7fa73660b310
FUNCTION = "HTPHandleResponseData"
#3 0x0000000000486120 in AppLayerDoParse (f=0xc91be0, app_layer_state=0x7fa73660b310, parser_state=0x7fa73660b2d0,
input=0x7fa734ede06c "36 GMT\r\nSet-Cookie: ident=search%3A0%7Cexitpop%3A0%7Clload%3A0%7Clvisit%3A1254698196%7Cclick%3A0%7Cblocked%3A0%7Ctoken%3Aurzysvqpuvwssvru; path=/; expires=Mon, 05-Oct-2009 23:16:36 GMT\r\nSet-Cookie: Sp"...,
input_len=512, parser_idx=2, proto=1, need_lock=0 '\000') at app-layer-parser.c:611
retval = 0
result = {head = 0x0, tail = 0x0, cnt = 0}
r = 1
PRETTY_FUNCTION = "AppLayerDoParse"
e = 0x0
#4 0x0000000000486764 in AppLayerParse (f=0xc91be0, proto=1 '\001', flags=8 '\b',
input=0x7fa734ede06c "36 GMT\r\nSet-Cookie: ident=search%3A0%7Cexitpop%3A0%7Clload%3A0%7Clvisit%3A1254698196%7Cclick%3A0%7Cblocked%3A0%7Ctoken%3Aurzysvqpuvwssvru; path=/; expires=Mon, 05-Oct-2009 23:16:36 GMT\r\nSet-Cookie: Sp"...,
input_len=512, need_lock=0 '\000') at app-layer-parser.c:772
parser_idx = 2
p = 0x6d5310
ssn = 0x7fa734e91ee0
parser_state_store = 0x7fa73660b2d0
parser_state = 0x7fa73660b2d0
app_layer_state = 0x7fa73660b310
r = 0
FUNCTION = "AppLayerParse"
#5 0x0000000000483546 in AppLayerHandleMsg (smsg=0x7fa734ede030, need_lock=0 '\000') at app-layer-detect-proto.c:366
alproto = 1
r = 0
ssn = 0x7fa734e91ee0
#6 0x0000000000478720 in StreamTcpReassembleProcessAppLayer (ra_ctx=0x7fa734002800) at stream-tcp-reassemble.c:1457
smsg = 0x7fa734ede030
r = 0
#7 0x00000000004741db in StreamTcpPacket (tv=0x7fa734002300, p=0x948fb0, stt=0x7fa7340025b0) at stream-tcp.c:2286
ssn = 0x7fa734e91ee0
#8 0x0000000000474275 in StreamTcp (tv=0x7fa734002300, p=0x948fb0, data=0x7fa7340025b0, pq=0x7fa734002400) at stream-tcp.c:2304
stt = 0x7fa7340025b0
ret = TM_ECODE_OK
#9 0x0000000000468417 in TmThreadsSlot1 (td=0x7fa734002300) at tm-threads.c:325
tv = 0x7fa734002300
s = 0x7fa7340023d0
p = 0x948fb0
run = 1 '\001'
r = TM_ECODE_OK
#10 0x00007fa73d3ffa04 in start_thread (arg=<value optimized out>) at pthread_create.c:300
__res = <value optimized out>
pd = 0x7fa73b71f910
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140356233591056, -5901072657703093264, 140736784036016, 0, 0, 3, 5860690877335616496, 5860687045927779312}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <value optimized out>
robust = <value optimized out>
#11 0x00007fa73cd1a7bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#12 0x0000000000000000 in ?? ()
No symbol table info available.
(gdb)


Files

sandnetgzip.pcap (7.09 KB), Will Metcalf, 12/24/2009 11:18 AM
Actions #1

Updated by Pablo Rincon almost 12 years ago

  • % Done changed from 0 to 100

These are the changes needed to fix the decompressor callback problem on x86_64. I wrote a mail to Ivan asking him to update/fix the htp code.

diff -r --suppress-common-lines htp-r63/htp/htp_response.c htp-r63_fix_decomp/htp/htp_response.c
4a5

#include "htp_decompressors.h"
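Review bot: this added include is the substantive fix and deserves a sentence in the commit message saying so. Without a prototype for htp_gzip_decompressor_create in scope, a C89 compiler treats the call as an implicitly declared function returning int, so on x86_64 only the low 32 bits of the returned pointer reach the caller; that matches the report that the crash shows up only on 64-bit hosts, since on 32-bit builds int and pointers are the same width and the round trip is lossless. It is worth building libhtp with -Werror=implicit-function-declaration so a missing header is caught at compile time rather than as a segfault in htp_connp_RES_BODY_DETERMINE.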

254c255
< connp->out_tx->response_decompressor = (htp_decompressor_t *) htp_gzip_decompressor_create(connp);
---

connp->out_tx->response_decompressor = htp_gzip_decompressor_create(connp);
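Review bot: dropping the explicit (htp_decompressor_t *) cast is correct, but the reason should be recorded: the cast was what silenced the "makes pointer from integer without a cast" diagnostic, so the truncated int return value was being turned into a bogus 64-bit pointer without any warning, and the first dereference of response_decompressor->callback at htp_response.c:259 faulted. With the prototype visible the assignment type-checks on its own, and any future signature mismatch will be reported instead of hidden by the cast.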

Actions #2

Updated by Victor Julien almost 12 years ago

  • Status changed from New to Closed

Confirmed fixed in current master + current htp
