Project

General

Profile

Bug #2437

rust/dns: Core Dump with malformed traffic

Added by Nick Price about 3 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Experiencing a panic with malformed DNS traffic. Here's the relevant trace data. Looking at dns.rs, nothing really jumps out at me that seems like it'd cause a panic here.

I'll keep digging and see if I can come up with anything further.

#10 0x000000000070d637 in core::panicking::panic () at /checkout/src/libcore/panicking.rs:51
No locals.
#11 0x00000000006028ff in suricata::dns::dns::{{impl}}::set_event (self=0x7fb97edc9ec0, event=MalformedData) at src/dns/dns.rs:358
        tx = 0x7fb97c9ada98
        len = 2
        self = 0x7fb97edc9ec0
        event = MalformedData
#12 0x000000000060383b in suricata::dns::dns::{{impl}}::parse_response (self=0x7fb97edc9ec0, input=...) at src/dns/dns.rs:421
        response = {header = {tx_id = 55792, flags = 31898, questions = 32697, answer_rr = 0, authority_rr = 56128, additional_rr = 31898}, queries = {buf = {ptr = {pointer = {__0 = 0x2}, _marker = {<No data fields>}}, cap = 140434636200768, a = {<No data fields>}}, 
            len = 140434810584624}, answers = {buf = {ptr = {pointer = {__0 = 0x6010bd <core::slice::{{impl}}::iter_mut<suricata::dns::dns::DNSTransaction>+269>}, _marker = {<No data fields>}}, cap = 140434810584736, a = {<No data fields>}}, len = 6630918}, authorities = {
            buf = {ptr = {pointer = {__0 = 0x2}, _marker = {<No data fields>}}, cap = 140434636200432, a = {<No data fields>}}, len = 140434636200432}}
        self = 0x7fb97edc9ec0
        input = {data_ptr = 0x7fb9fc0217b6 "\230A\250\a", length = 512}
#13 0x000000000060496c in suricata::dns::dns::rs_dns_parse_response (_flow=0x7fb76d3ecfe0, state=0x7fb97edc9ec0, _pstate=0x7fb97da33990, input=0x7fb9fc0217b6 "\230A\250\a", input_len=512, _data=0x0) at src/dns/dns.rs:613
        buf = {data_ptr = 0x7fb9fc0217b6 "\230A\250\a", length = 512}
        _flow = 0x7fb76d3ecfe0
        state = 0x7fb97edc9ec0
        _data = 0x0
        _pstate = 0x7fb97da33990
        input = 0x7fb9fc0217b6 "\230A\250\a" 
        input_len = 512
#1

Updated by Nick Price about 3 years ago

Forgot to add, this is 4.0.3

#2

Updated by Jason Ish about 3 years ago

Do you have a pcap that demonstrates this?

Thanks.

#3

Updated by Nick Price about 3 years ago

Haven't been able to get one thus far because I only have a four-hour window and this happened overnight, but I'm going to keep my eye on it and try to pull pcaps if I see it fall over again.

#4

Updated by Jason Ish about 3 years ago

Did you get a panic message? Something like:

thread '<unnamed>' panicked at 'attempt to add with overflow', src/dns/dns.rs:358:9

An overflow is the only case I can think of that would cause a panic at this line.

#5

Updated by Jason Ish about 3 years ago

Nick, after some further thought, you must be seeing a lot of malformed DNS traffic as its hitting 65k per DNS state. If you are able to, even if privately, I'm wondering if you could share a sample of your DNS traffic for testing. Maybe its not corrupt and just been decoded as corrupt. Or it could actually be corrupt, or something thats not DNS, but looks close enough to trigger the parser.

#6

Updated by Jason Ish about 3 years ago

  • Status changed from New to Assigned
  • Assignee set to Jason Ish
#7

Updated by Victor Julien about 3 years ago

  • Description updated (diff)
  • Target version set to 4.1beta1
#8

Updated by Victor Julien about 3 years ago

  • Subject changed from Core Dump with malformed DNS traffic to rust/dns: Core Dump with malformed traffic
#9

Updated by Victor Julien about 3 years ago

  • Status changed from Assigned to Closed

Also available in: Atom PDF