Project

General

Profile

Actions

Bug #2288

closed

Suricata segfaults on ICMP and flowint check

Added by Edward Fjellskål almost 4 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
High
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using only this rule on Suricata v3.2.3, v4.0.0 and v4.0.1 :

alert icmp any any -> any any (msg:"Dump Core!"; flowint:segfault,isset; classtype:trojan-activity; sid:31337; rev:1337;)

Parsing a pcap with icmp traffic makes suricata segfault:

suricata: line 10: 28912 Segmentation fault (core dumped) $BIN $OPTS -c $CONF -r $1

Compiled:
$ ./configure --prefix=/somepath/ --enable-profiling --enable-lua

Running:
$ ./path/to/suricata -c suricata.yaml -r icmp.pcap

Actions #1

Updated by Victor Julien almost 4 years ago

ASAN:SIGSEGV
=================================================================
==62358==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000c0 (pc 0x000000d74332 bp 0x7fe23f1e0ba0 sp 0x7fe23f1e0b80 T1)
    #0 0xd74331 in FlowVarGet /home/victor/devel/eidps/src/flow-var.c:77
    #1 0xb5a0c0 in DetectFlowintMatch /home/victor/devel/eidps/src/detect-flowint.c:128
    #2 0x80078a in SigMatchSignatures /home/victor/devel/eidps/src/detect.c:1329
    #3 0x801f4c in DetectNoFlow /home/victor/devel/eidps/src/detect.c:1524
    #4 0x8028d2 in Detect /home/victor/devel/eidps/src/detect.c:1584
    #5 0xd7876b in FlowWorker /home/victor/devel/eidps/src/flow-worker.c:257
    #6 0x108c18a in TmThreadsSlotVarRun /home/victor/devel/eidps/src/tm-threads.c:130
    #7 0xef78c8 in TmThreadsSlotProcessPkt /home/victor/devel/eidps/src/tm-threads.h:147
    #8 0xef89c3 in PcapFileCallbackLoop /home/victor/devel/eidps/src/source-pcap-file.c:178
    #9 0x7fe24634fac3  (/usr/lib/x86_64-linux-gnu/libpcap.so.0.8+0x1eac3)
    #10 0xef914a in ReceivePcapFileLoop /home/victor/devel/eidps/src/source-pcap-file.c:211
    #11 0x108df10 in TmThreadsSlotPktAcqLoop /home/victor/devel/eidps/src/tm-threads.c:334
    #12 0x7fe2458e76b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #13 0x7fe2449e73dc in clone (/lib/x86_64-linux-gnu/libc.so.6+0x1073dc)
Actions #2

Updated by Andreas Herz almost 4 years ago

  • Target version set to TBD
Actions #3

Updated by Victor Julien almost 4 years ago

  • Status changed from New to Assigned
  • Target version changed from TBD to 4.1beta1
Actions #4

Updated by Victor Julien almost 4 years ago

  • Status changed from Assigned to Closed
Actions

Also available in: Atom PDF