Project

General

Profile

Actions
Copy link

Bug #21

closed

Segv when trying processing rule with http_cookie modifier but no cookie header present in packet.

Added by Will Metcalf over 14 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Gurvinder Singh
Target version:
0.8.0
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using the following rule the engine segvs when processing the attached pcap when no cookie header is present in the packet.

Rule:
alert tcp $EXTERNAL_NET any -> 10.1.60.187 $HTTP_PORTS (msg:"test cookie parse"; uricontent:"/blah"; nocase; content:"blah="; nocase; http_cookie; sid:1; rev:1;)

Request:
GET / HTTP/1.0

User-Agent: check_http/v2053 (nagios-plugins 1.4.13)

Connection: close

Host: www.usma.bluenet

HTTP/1.1 302 Found

Date: Mon, 20 Apr 2009 11:29:31 GMT

Server: Apache

Location: https://www.usma.bluenet/

Content-Length: 209

Connection: close

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.usma.bluenet/&quot;&gt;here&lt;/a&gt;.&lt;/p>
</body></html>

Backtrace:
#0 0x00000000004474e6 in DetectHttpCookieMatch (t=0x2cb4040, det_ctx=0x2cb48e0, f=0x2a63ae0, flags=4 '\004', state=0x5489e70, s=0x2ec2e90, m=0x2ec51c0) at detect-http-cookie.c:90
90 if (BinSearch(bstr_ptr(h->value), bstr_size(h->value), co->data,
(gdb) bt full
#0 0x00000000004474e6 in DetectHttpCookieMatch (t=0x2cb4040, det_ctx=0x2cb48e0, f=0x2a63ae0, flags=4 '\004', state=0x5489e70, s=0x2ec2e90, m=0x2ec51c0) at detect-http-cookie.c:90
co = 0x2ec52f0
htp_state = 0x5489e70
ret = 0
tx = 0x5492ed0
h = 0x0
#1 0x000000000041991e in SigMatchSignaturesAppLayer (th_v=0x2cb4040, de_ctx=0x2c868e0, det_ctx=0x2cb48e0, sgh=0x3002b00, p=0x26116b0) at detect.c:527
match = 1
fmatch = 0
s = 0x2ec2e90
sm = 0x2ec51c0
idx = 4
sig = 4
flags = 4 '\004'
alstate = 0x5489e70
#2 0x000000000041a2b3 in SigMatchSignatures (th_v=0x2cb4040, de_ctx=0x2c868e0, det_ctx=0x2cb48e0, p=0x26116b0) at detect.c:786
match = 0
fmatch = 0
s = 0x2ec2e90
sm = 0x0
idx = 5
sig = 4
#3 0x000000000041a35a in Detect (tv=0x2cb4040, p=0x26116b0, data=0x2cb48e0, pq=0x2cb4140) at detect.c:823
det_ctx = 0x2cb48e0
de_ctx = 0x2c868e0
r = 0
#4 0x0000000000468417 in TmThreadsSlot1 (td=0x2cb4040) at tm-threads.c:325
tv = 0x2cb4040
s = 0x2cb4110
p = 0x26116b0
run = 1 '\001'
r = TM_ECODE_OK
#5 0x00007fb56dfaca04 in start_thread (arg=<value optimized out>) at pthread_create.c:300
__res = <value optimized out>
pd = 0x7fb56bacb910
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140417172289808, -9120112120825613096, 140734225592752, 0, 0, 3, 9080397050194195672, 9080384591862199512}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <value optimized out>
robust = <value optimized out>
#6 0x00007fb56d8c77bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#7 0x0000000000000000 in ?? ()
No symbol table info available.

Files

Download all files
itoc-http-nocookie.pcap (1.35 KB) itoc-http-nocookie.pcap http session from ITOC pcap no cookie Will Metcalf, 12/24/2009 03:29 PM
0001-bug-21-fixing-patch.patch (3.9 KB) 0001-bug-21-fixing-patch.patch Gurvinder Singh, 12/24/2009 08:00 PM
Actions
Copy link
 #1

Updated by Gurvinder Singh over 14 years ago

The bug was caused as in BinSearch the given value was NULL, due to absence of Cookie header in the message. The code has been updated and a unit test has been added to test this condition.

Actions
Copy link
 #2

Updated by Victor Julien over 14 years ago

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: Atom PDF