Bug #2737
Closed
Invalid memory read on malformed rule with Lua script
Description
When a trailing semicolon is omitted from a rule with a lua script, Suricata still tries to load a lua script from the wrong memory location in the process. On 4.0 and earlier, this location is semi-random and doesn't always repro. On 4.1, the location seems consistent, but it is still incorrect. On 4.0 and earlier, this can lead to segmentation faults if the memory is not a valid location.
Sample rule:
alert http any any -> any any (msg:"Test Lua on Load Failure"; content:"|00 00 00 00|"; lua:lua/test.lua; rev:1)
Sample Error Output:
[56494] 11/12/2018 -- 21:56:15 - (detect-lua.c:623) <Error> (DetectLuaThreadInit) -- [ERRCODE: SC_ERR_LUA_ERROR(212)] - couldn't load file: cannot open n/hta
: No such file or directory
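A pre-load check for the malformed-rule condition described above, as an added example that is not part of the original report and is not Suricata's parser or the fix applied for this bug. It flags rules whose last option is missing its trailing semicolon and notes when such a rule also loads a Lua script; the names split_options and lint_rule are hypothetical, and GOOD is a constructed corrected copy of the sample rule.

```python
import re

# The malformed sample rule from the report, and a constructed corrected copy.
BAD = ('alert http any any -> any any (msg:"Test Lua on Load Failure"; '
       'content:"|00 00 00 00|"; lua:lua/test.lua; rev:1)')
GOOD = BAD[:-1] + ";)"


def split_options(body):
    """Split an option body on ';', honouring quotes and backslash escapes.

    Returns (options, trailing); trailing is any text left after the last ';'.
    """
    opts, cur, in_quote, esc = [], [], False, False
    for ch in body:
        if esc:                      # character after a backslash is literal
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return opts, "".join(cur).strip()


def lint_rule(rule):
    """Return a list of findings for one rule line (empty list means clean)."""
    rule = rule.strip()
    if not rule or rule.startswith("#"):
        return []
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end < start:
        return ["no option block in parentheses"]
    opts, trailing = split_options(rule[start + 1:end])
    findings = []
    if trailing:
        findings.append(f"last option {trailing!r} is not terminated with ';'")
        if any(re.match(r"lua\s*:", o) for o in opts):
            findings.append("rule loads a Lua script: the case in this report")
    return findings


if __name__ == "__main__":
    for r in (BAD, GOOD):
        print(lint_rule(r) or "ok")
```

Running a check like this over rule files before they are loaded catches the malformed input on versions that have not received the fix.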
Updated by Victor Julien almost 6 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
Thanks Joe, bug confirmed.
Updated by Victor Julien about 5 years ago
- Target version changed from TBD to 6.0.0beta1
Updated by Victor Julien about 5 years ago
- Has duplicate Bug #3273: asan: heap-use-after-fee in DetectLuaThreadInit added
Updated by Victor Julien over 4 years ago
- Status changed from Assigned to In Review
- Assignee changed from Victor Julien to Jeff Lucovsky
- Affected Versions 4.1.7, 5.0.2 added
- Label Needs backport to 4.1, Needs backport to 5.0 added
Updated by Jeff Lucovsky over 4 years ago
- Copied to Bug #3644: Invalid memory read on malformed rule with Lua script added
Updated by Jeff Lucovsky over 4 years ago
- Copied to Bug #3645: Invalid memory read on malformed rule with Lua script added
Updated by Jeff Lucovsky over 4 years ago
- Status changed from In Review to Closed