Project

General

Profile

Bug #2737

Invalid memory read on malformed rule with Lua script

Added by Joe Johnson 6 months ago. Updated about 7 hours ago.

Status:
Assigned
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

When a trailing semicolon is omitted from a rule with a lua script, Suricata still tries to load a lua script from the wrong memory location in the process. On 4.0 and earlier, this location is semi-random and doesn't always repro. On 4.1, the location seems consistent, but it still incorrect. On 4.0 and earlier, this can lead to segmentation faults if the memory is not a valid location.

Sample rule:
alert http any any -> any any (msg:"Test Lua on Load Failure"; content:"|00 00 00 00|"; lua:lua/test.lua; rev:1)

Sample Error Output:
[56494] 11/12/2018 -- 21:56:15 - (detect-lua.c:623) <Error> (DetectLuaThreadInit) -- [ERRCODE: SC_ERR_LUA_ERROR(212)] - couldn't load file: cannot open n/hta
: No such file or directory

History

#1

Updated by Victor Julien 6 months ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien

Thanks Joe, bug confirmed.

#2

Updated by Andreas Herz about 7 hours ago

  • Target version set to TBD

Also available in: Atom PDF