Bug #22

Engine infinitely prints whitespace when processing the smb traffic in the attached pcap.

Added by Will Metcalf almost 12 years ago. Updated almost 12 years ago.

Status:
Closed
Priority:
Normal

Description

It looks like the engine gets stuck in a loop when processing the smb traffic in the attached pcap. Additionally, it looks like some printfs inside the smb app layer stuff should be converted to SCLogDebug, such as the following.

SMB Header (36/36) Command 0x72 parsed 36 input_len 101
Wordcount (2) parsed 37 input_len 100

Backtrace after attaching to stuck thread.

ulimit -c unlimited; src/suricata -c suricata117.yaml -r smb-traffic-infinate-loop-2.pcap -l ./

(gdb) bt full
#0 0x00007ffe80fd2aeb in write () from /lib/libc.so.6
No symbol table info available.
#1 0x00007ffe80f728c3 in _IO_new_file_write (f=0x7ffe8126a780, data=0x7ffe82357000, n=1) at fileops.c:1275
count = 1
to_do = 1
#2 0x00007ffe80f73f05 in new_do_write (fp=0x7ffe8126a780,
data=0x7ffe82357000 "\nx00 0x00 0x00 0xae 0xff 0x53 0x4d 0x42 0x72 0x00 0x00 0x40 0x00 0x98 0x53 0xc8 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xff 0xfe 0x00 0x00 0x00 0x00 0x11 0x05 0x00 0x0f "...,
to_do=1) at fileops.c:529
count = <value optimized out>
#3 _IO_new_do_write (fp=0x7ffe8126a780,
data=0x7ffe82357000 "\nx00 0x00 0x00 0xae 0xff 0x53 0x4d 0x42 0x72 0x00 0x00 0x40 0x00 0x98 0x53 0xc8 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xff 0xfe 0x00 0x00 0x00 0x00 0x11 0x05 0x00 0x0f "...,
to_do=1) at fileops.c:502
No locals.
#4 0x00007ffe80f73178 in _IO_new_file_overflow (f=0x7ffe8126a780, ch=10) at fileops.c:888
No locals.
#5 0x00007ffe80f6a4d8 in putchar (c=-2110427136) at putchar.c:30
result = <value optimized out>
#6 0x000000000048ba92 in SMBParseByteCount (f=0x1df8ae0, smb_state=0x7ffe7a60b230, pstate=0x7ffe7a60b1f0, input=0x7ffe78ede029 "\240\023\033\", input_len=0, output=0x7ffe7f9e4a50) at app-layer-smb.c:495
sstate = 0x7ffe7a60b230
p = 0x7ffe78ede029 "\240\023\033\"
retval = 0
parsed = 0
#7 0x000000000048c986 in SMBParse (f=0x1df8ae0, smb_state=0x7ffe7a60b230, pstate=0x7ffe7a60b1f0, input=0x7ffe78eddf8c "", input_len=355, output=0x7ffe7f9e4a50) at app-layer-smb.c:774
sstate = 0x7ffe7a60b230
retval = 0
parsed = 157
#8 0x0000000000486134 in AppLayerDoParse (f=0x1df8ae0, app_layer_state=0x7ffe7a60b230, parser_state=0x7ffe7a60b1f0, input=0x7ffe78eddf8c "", input_len=512, parser_idx=10, proto=10, need_lock=0 '\000') at app-layer-parser.c:611
retval = 0
result = {head = 0x0, tail = 0x0, cnt = 0}
r = 1
PRETTY_FUNCTION = "AppLayerDoParse"
e = 0x0
#9 0x0000000000486778 in AppLayerParse (f=0x1df8ae0, proto=10 '\n', flags=9 '\t', input=0x7ffe78eddf8c "", input_len=512, need_lock=0 '\000') at app-layer-parser.c:772
parser_idx = 10
p = 0x6d54c0
ssn = 0x7ffe78e91e00
parser_state_store = 0x7ffe7a60b1f0
parser_state = 0x7ffe7a60b1f0
app_layer_state = 0x7ffe7a60b230
r = 77908736
FUNCTION = "AppLayerParse"
#10 0x000000000048350a in AppLayerHandleMsg (smsg=0x7ffe78eddf50, need_lock=0 '\000') at app-layer-detect-proto.c:352
alproto = 10
r = 0
ssn = 0x7ffe78e91e00
#11 0x0000000000478734 in StreamTcpReassembleProcessAppLayer (ra_ctx=0x7ffe780027e0) at stream-tcp-reassemble.c:1457
smsg = 0x7ffe78eddf50
r = 0
#12 0x00000000004741ef in StreamTcpPacket (tv=0x7ffe780022e0, p=0x1a576b0, stt=0x7ffe78002590) at stream-tcp.c:2286
ssn = 0x7ffe78e91e00
#13 0x0000000000474289 in StreamTcp (tv=0x7ffe780022e0, p=0x1a576b0, data=0x7ffe78002590, pq=0x7ffe780023e0) at stream-tcp.c:2304
stt = 0x7ffe78002590
ret = TM_ECODE_OK
#14 0x000000000046842b in TmThreadsSlot1 (td=0x7ffe780022e0) at tm-threads.c:325
tv = 0x7ffe780022e0
s = 0x7ffe780023b0
p = 0x1a576b0
run = 1 '\001'
r = TM_ECODE_OK
#15 0x00007ffe816c5a04 in start_thread (arg=<value optimized out>) at pthread_create.c:300
__res = <value optimized out>
pd = 0x7ffe7f9e5910
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140731039504656, 6723359283977757525, 140733818011040, 0, 0, 3, -6723077539160284331, -6722984201193938091}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <value optimized out>
robust = <value optimized out>
#16 0x00007ffe80fe07bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#17 0x0000000000000000 in ?? ()
No symbol table info available.


Files

smb-traffic-infinate-loop-2.pcap (36.8 KB): port 445 traffic that causes the engine to be stuck in an infinite loop. Will Metcalf, 12/26/2009 11:33 AM
0001-fix-for-bug-22-better-handle-malformed-smb-packets.patch (10.2 KB). Kirby Kuehl, 12/29/2009 12:28 AM
Actions #1

Updated by Will Metcalf almost 12 years ago

  • Assignee changed from OISF Dev to Kirby Kuehl
Actions #2

Updated by Kirby Kuehl almost 12 years ago

Will, test this out and let me know if it works. I added handling for malformed smb packets. In this case, the bytecount + wordcount + smb header is much larger than the allowed nbss length.

I wasn't able to fully test because I didn't have your suricata117.yaml, but my engine no longer infinitely loops or segfaults. I have it returning -1 on the malformed packet; hope that is correct.
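The length check Kirby describes, as an added illustration in C (example code, not the attached patch or Suricata's own parser): it assumes the port 445 framing stated in its comment, rejects a message whose WordCount or ByteCount overruns the NBSS length or the bytes actually received by returning -1, and includes a constructed message builder (smb_build, smb_check_case are names chosen here) so a lying length can be exercised.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not Suricata's code. Assumed port-445 layout: 4-byte NBSS header
 * (0x00 + 24-bit length), 32-byte SMB header ("\xffSMB"...), WordCount,
 * WordCount*2 parameter bytes, ByteCount (LE16), then ByteCount data bytes. */
#define NBSS_HDR_LEN 4
#define SMB_HDR_LEN  32

/* Returns the message length, or -1 when WordCount/ByteCount claim more than the
 * NBSS length or the bytes received, so the caller stops instead of looping. */
int smb_check_lengths(const uint8_t *buf, size_t buf_len)
{
    if (buf_len < NBSS_HDR_LEN + SMB_HDR_LEN + 3) return -1;
    uint32_t nbss_len = ((uint32_t)buf[1] << 16) | ((uint32_t)buf[2] << 8) | buf[3];
    if (nbss_len > buf_len - NBSS_HDR_LEN) return -1;   /* NBSS claims bytes we lack */
    const uint8_t *smb = buf + NBSS_HDR_LEN;
    if (memcmp(smb, "\xffSMB", 4) != 0) return -1;
    size_t off = SMB_HDR_LEN;
    size_t params_len = (size_t)smb[off++] * 2;         /* WordCount is in 16-bit words */
    if (off + params_len + 2 > nbss_len) return -1;     /* WordCount overruns NBSS */
    off += params_len;
    uint16_t bytecount = (uint16_t)(smb[off] | (smb[off + 1] << 8)); off += 2;
    if (off + bytecount > nbss_len) return -1;          /* ByteCount overruns NBSS */
    return (int)(NBSS_HDR_LEN + off + bytecount);
}

/* Constructed message with the NBSS length written as given (so it may lie);
 * returns bytes written. out must hold 39 + 2*wordcount + bytecount bytes. */
size_t smb_build(uint8_t *out, uint32_t nbss_len, uint8_t wordcount, uint16_t bytecount)
{
    size_t off = 0;
    out[off++] = 0x00; out[off++] = (uint8_t)(nbss_len >> 16);
    out[off++] = (uint8_t)(nbss_len >> 8); out[off++] = (uint8_t)nbss_len;
    memset(out + off, 0, SMB_HDR_LEN);
    memcpy(out + off, "\xffSMB\x72", 5);                /* 0x72 = SMB_COM_NEGOTIATE as in the log */
    off += SMB_HDR_LEN;
    out[off++] = wordcount;
    memset(out + off, 0, (size_t)wordcount * 2); off += (size_t)wordcount * 2;
    out[off++] = (uint8_t)bytecount; out[off++] = (uint8_t)(bytecount >> 8);
    memset(out + off, 0, bytecount);
    return off + bytecount;
}

/* Builds one message into scratch space and validates it (small inputs only). */
int smb_check_case(uint32_t nbss_len, uint8_t wordcount, uint16_t bytecount)
{
    uint8_t buf[1024];
    return smb_check_lengths(buf, smb_build(buf, nbss_len, wordcount, bytecount));
}
```

A parser loop that relies on this return value must also treat 0 bytes consumed as an error, since advancing by nothing is the other way such a loop never terminates.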

Actions #3

Updated by Victor Julien almost 12 years ago

After applying this patch the unittest SMBParserTest01 gets stuck in some endless loop...

Actions #4

Updated by Victor Julien almost 12 years ago

  • Status changed from New to Closed

Confirmed fixed with latest master.
