Project

General

Profile

Actions

Bug #2498

closed

Lua file output script causes a segfault when protocol is not HTTP

Added by Elazar Broad almost 6 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

When Suricata is configured with a Lua output script that calls SCFileInfo(), any file that is transferred over any protocol other than HTTP causes Suricata to segfault. This is due to the fact that in output-lua.c/LuaFileLogger() around line 326, HTTP is the hard-coded protocol for a call to AppLayerParserGetTx(). This in turn triggers a non-existent index into htp_list_array_get() when the tx hasn't passed through libhtp - due to it being non-HTTP traffic.

(gdb) bt
#0  0x00000371ad6d9a22 in htp_list_array_get (l=0x3719472da30, idx=<optimized out>) at htp_list.c:92
#1  0x0000000000482f02 in AppLayerParserGetTx (ipproto=<optimized out>, alproto=alproto@entry=1, alstate=alstate@entry=0x3719478aa80, tx_id=0) at app-layer-parser.c:979
#2  0x0000000000609b2d in LuaFileLogger (tv=0x7563590, thread_data=0x37194715a10, p=0x371944d8170, ff=0x3719482e330) at output-lua.c:326
#3  0x00000000005e3475 in OutputFileLogFfc (tv=tv@entry=0x7563590, op_thread_data=op_thread_data@entry=0x37194705990, p=p@entry=0x371944d8170, ffc=ffc@entry=0x37194798ea0, file_close=file_close@entry=false,
    file_trunc=file_trunc@entry=false) at output-file.c:130
#4  0x00000000005e3929 in OutputFileLog (tv=0x7563590, p=0x371944d8170, thread_data=0x37194705990) at output-file.c:179
#5  0x00000000005e247d in OutputLoggerLog (tv=tv@entry=0x7563590, p=p@entry=0x371944d8170, thread_data=<optimized out>) at output.c:917
#6  0x00000000005be547 in FlowWorker (tv=0x7563590, p=0x371944d8170, data=0x371944fea60, preq=0x689f070, unused=<optimized out>) at flow-worker.c:263
#7  0x00000000006b25bb in TmThreadsSlotVarRun (tv=tv@entry=0x7563590, p=p@entry=0x371944d8170, slot=slot@entry=0x431b140) at tm-threads.c:145
#8  0x0000000000634e1e in TmThreadsSlotProcessPkt (p=0x371944d8170, s=0x431b140, tv=0x7563590) at tm-threads.h:147
#9  AFPReadFromRing (ptv=0x371944d8b20) at source-af-packet.c:1011
#10 0x0000000000636845 in ReceiveAFPLoop (tv=0x7563590, data=0x371944d8b20, slot=<optimized out>) at source-af-packet.c:1559
#11 0x00000000006b3b3c in TmThreadsSlotPktAcqLoop (td=0x7563590) at tm-threads.c:348
#12 0x00000371ac1ec637 in start_thread () from /lib64/libpthread.so.0
#13 0x00000371a9386e8f in clone () from /lib64/libc.so.6

Steps to reproduce:
1. Build a (skeleton) Lua output script containing an SCFileInfo() call in log()
2. Enable it
3. Transfer a file over any protocol other than HTTP, i.e. ftp://ftp.cisco.com/pub/mibs/README-MIB.txt

Thanks,
Elazar

Actions

Also available in: Atom PDF