Project

General

Profile

Actions

Bug #23

closed

Segv occurs occasionally inside of DetectHttpCookieMatch

Added by Will Metcalf over 14 years ago. Updated about 14 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I was occasionally get segmentation faults inside of DetectHttpCookieMatch. I created a perl script to run the engine in a loop until an irregular exit value was detect. Here we ran 69 times without an issue and then on the 70th run we had a segmentation fault. I have attached the script the rules file and the pcap. Maybe a threading issue as it only happens occasionally.

we have run with success 68 times
/home/coz/downloads/dc17ctf-httpcookie-segv.pcap
running ulimit c unlimited; src/suricata -c suricata117.yaml -r /home/coz/downloads/dc17ctf-httpcookie-segv.pcap -l ./ -s /home/coz/downloads/current-all-blah.rules
exit value 0
we have run with success 69 times
/home/coz/downloads/dc17ctf-httpcookie-segv.pcap
running ulimit -c unlimited; src/suricata -c suricata117.yaml -r /home/coz/downloads/dc17ctf-httpcookie-segv.pcap -l ./ -s /home/coz/downloads/current-all-blah.rules
exit value 139
core dump found core processesing
warning: Can't read pathname for load map: Input/output error.
core dump
GNU gdb (GDB) 7.0-ubuntu
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/&gt;.
Reading symbols from /home/coz/downloads/oisfnew/src/suricata...
done.
[New Thread 19673]
[New Thread 19668]
[New Thread 19666]
[New Thread 19676]
[New Thread 19656]
[New Thread 19667]
[New Thread 19672]
[New Thread 19674]
[New Thread 19670]
[New Thread 19675]
[New Thread 19671]
Reading symbols from /usr/lib/libhtp-0.1.so.1...
done.
Loaded symbols for /usr/lib/libhtp-0.1.so.1
Reading symbols from /usr/lib/libpcap.so.0.8...
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpcap.so.0.8
Reading symbols from /usr/local/lib/libpfring.so...
done.
Loaded symbols for /usr/local/lib/libpfring.so
Reading symbols from /usr/lib/libnet.so.1...
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libnet.so.1
Reading symbols from /lib/libpthread.so.0...
Reading symbols from /usr/lib/debug/lib/libpthread-2.10.1.so...
done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/libyaml-0.so.1...
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libyaml-0.so.1
Reading symbols from /lib/libpcre.so.3...
(no debugging symbols found)...done.
Loaded symbols for /lib/libpcre.so.3
Reading symbols from /lib/libc.so.6...
Reading symbols from /usr/lib/debug/lib/libc-2.10.1.so...
done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libz.so.1...
(no debugging symbols found)...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /lib64/ld-linux-x86-64.so.2...
Reading symbols from /usr/lib/debug/lib/ld-2.10.1.so...
done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib/libgcc_s.so.1...
(no debugging symbols found)...done.
Loaded symbols for /lib/libgcc_s.so.1
Core was generated by `src/suricata -c suricata117.yaml -r /home/coz/downloads/dc17ctf-httpcookie-segv'.
Program terminated with signal 11, Segmentation fault.
#0 0x0000000000447475 in DetectHttpCookieMatch (t=0x7f97240128f0, det_ctx=0x7f9724012ba0, f=0x2806ae0, flags=4 '', state=0x29e8a470, s=0x4019590, m=0x4019e70) at detect-http-cookie.c:80
80 htp_tx_t *tx = list_get(htp_state
>connp->conn->transactions, 0);
#0 0x0000000000447475 in DetectHttpCookieMatch (t=0x7f97240128f0, det_ctx=0x7f9724012ba0, f=0x2806ae0, flags=4 '', state=0x29e8a470, s=0x4019590, m=0x4019e70) at detect-http-cookie.c:80
co = 0x4019d90
htp_state = 0x29e8a470
ret = 0
tx = 0x7f972a460f00
h = 0x2a298e0
#1 0x000000000041991e in SigMatchSignaturesAppLayer (th_v=0x7f97240128f0, de_ctx=0x2a298e0, det_ctx=0x7f9724012ba0, sgh=0x4651130, p=0x23f6cb0) at detect.c:527
match = 1
fmatch = 0
s = 0x4019590
sm = 0x4019e70
idx = 8731
sig = 11913
flags = 4 ''
alstate = 0x29e8a470
#2 0x000000000041a2b3 in SigMatchSignatures (th_v=0x7f97240128f0, de_ctx=0x2a298e0, det_ctx=0x7f9724012ba0, p=0x23f6cb0) at detect.c:786
match = 0
fmatch = 1
s = 0x40ffcb0
sm = 0x0
idx = 9413
sig = 12613
#3 0x000000000041a35a in Detect (tv=0x7f97240128f0, p=0x23f6cb0, data=0x7f9724012ba0, pq=0x7f97240129f0) at detect.c:823
det_ctx = 0x7f9724012ba0
de_ctx = 0x2a298e0
r = 32663
#4 0x000000000046842b in TmThreadsSlot1 (td=0x7f97240128f0) at tm-threads.c:325
tv = 0x7f97240128f0
s = 0x7f97240129c0
p = 0x23f6cb0
run = 1 ''
r = TM_ECODE_OK
#5 0x00007f972c942a04 in start_thread (arg=<value optimized out>) at pthread_create.c:300
__res = <value optimized out>
pd = 0x7f972a461910
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {
140287226026256,
-5743550190939853706,
140736003484000,
0,
0,
3,
5720867868372315254,
5720863042702617718},
mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0,
0x0}, data = {
prev = 0x0, cleanup = 0x0,
canceltype = 0}}}
not_first_call = <value optimized out>
robust = <value optimized out>
#6 0x00007f972c25d7bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#7 0x0000000000000000 in ?? ()


Files

DetectHttpCookieMatch.tar.gz (1.05 MB) DetectHttpCookieMatch.tar.gz Will Metcalf, 12/26/2009 04:48 PM
0002-fixed-23-bug.patch (804 Bytes) 0002-fixed-23-bug.patch Gurvinder Singh, 12/27/2009 05:57 AM
bug23-htp.patch (393 Bytes) bug23-htp.patch Gurvinder Singh, 12/27/2009 05:57 AM
anon_sid_2002773_2002955_2006394_2002707_2003408_2002957.pcap-fuzz-2009-12-27-07-43-08 (1.4 MB) anon_sid_2002773_2002955_2006394_2002707_2003408_2002957.pcap-fuzz-2009-12-27-07-43-08 evil fingers pcap Will Metcalf, 12/27/2009 09:28 AM
wirefuzz.pl (3.99 KB) wirefuzz.pl updated version of the perl script Will Metcalf, 12/27/2009 09:28 AM
Actions

Also available in: Atom PDF