Bug #287

New crash in htp stream code

Added by Victor Julien almost 3 years ago. Updated almost 3 years ago.

Status: Closed
Start date: 05/02/2011
Priority: Normal
Due date:
Assignee: Victor Julien
% Done: 0%
Category: -
Target version: 1.1beta3

Description

[Oisf-devel] New crash in htp stream code

Suricata has been pretty stable for a couple of weeks or so, but the
latest git updates on 29th and 30th April are now crashing after a while:

#0 0x00007f566636fa75 in raise () from /lib/libc.so.6
#1 0x00007f56663735c0 in abort () from /lib/libc.so.6
#2 0x00007f56663a94fb in ?? () from /lib/libc.so.6
#3 0x00007f56663b35b6 in ?? () from /lib/libc.so.6
#4 0x00007f56663b76d8 in ?? () from /lib/libc.so.6
#5 0x00007f56663b858e in malloc () from /lib/libc.so.6
#6 0x00007f56675930fd in bstr_alloc (len=5) at bstr.c:25
#7 0x00007f5667593149 in bstr_strdup_ex (b=0x7f562b7d3de0, offset=19600, len=6) at bstr.c:218
#8 0x00007f5667598078 in htp_normalize_parsed_uri (connp=0x7f5601183db0, incomplete=0x7f562b7d3c90, normalized=0x7f562b7d3c40)
at htp_util.c:1259
#9 0x00007f56675997fd in htp_connp_REQ_LINE (connp=0x7f5601183db0) at htp_request.c:605
#10 0x00007f5667599189 in htp_connp_req_data (connp=0x7f5601183db0, timestamp=19600, data=0x6 <Address 0x6 out of bounds>,
len=18446744073709551615) at htp_request.c:831
#11 0x00000000004ee2f1 in HTPHandleRequestData (f=0x1a440370, htp_state=0x7f564ade9640, pstate=0x7f564ade9698,
input=0x7f56641f0c60 "GET /%C4%C7%CA%C7%D2%BB%B6%CE%C9%EE%C7%E9/pic/item/1629f015b2cbaa07f3de32d9.jpg?v=tbs HTTP/1.1\r\nAccept:
output=0x7f56663ca880) at app-layer-htp.c:406
#12 0x00000000004ea4bf in AppLayerDoParse (f=0x4c8b, app_layer_state=0x4c90, parser_state=0x6,
input=0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>, input_len=0, parser_idx=<value optimised out>, proto=1)
at app-layer-parser.c:676
#13 0x00000000004ea863 in AppLayerParse (f=0x1a440370, proto=<value optimised out>, flags=<value optimised out>,
input=0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>, input_len=0) at app-layer-parser.c:885
#14 0x00000000004da664 in StreamTcpReassembleAppLayer (ra_ctx=<value optimised out>, ssn=<value optimised out>,
stream=<value optimised out>, p=<value optimised out>) at stream-tcp-reassemble.c:3008
#15 0x00000000004da8cf in StreamTcpReassembleHandleSegmentUpdateACK (ra_ctx=<value optimised out>, ssn=<value optimised out>,
stream=0x7f5654bb8038, p=<value optimised out>) at stream-tcp-reassemble.c:3393
#16 0x00000000004dbebe in StreamTcpReassembleHandleSegment (tv=0x67f3840, ra_ctx=0x6aa4740, ssn=0x7f5654bb7fe0,
stream=0x7f5654bb7fe8, p=0x0, pq=0x7f56663ca880) at stream-tcp-reassemble.c:3467
#17 0x00000000004d5f5a in HandleEstablishedPacketToClient (tv=0x67f3840, p=0x37ce790, stt=0x6b14130, ssn=0x7f5654bb7fe0,
pq=0x6b14138) at stream-tcp.c:1832
#18 StreamTcpPacketStateEstablished (tv=0x67f3840, p=0x37ce790, stt=0x6b14130, ssn=0x7f5654bb7fe0, pq=0x6b14138)
at stream-tcp.c:1961
#19 0x00000000004d762d in StreamTcpPacket (tv=0x67f3840, p=0x37ce790, data=0x6b14130, pq=<value optimised out>,
postpq=<value optimised out>) at stream-tcp.c:3304
#20 StreamTcp (tv=0x67f3840, p=0x37ce790, data=0x6b14130, pq=<value optimised out>, postpq=<value optimised out>)
at stream-tcp.c:3501
#21 0x00000000004c0f8e in TmThreadsSlot1 (td=0x67f3840) at tm-threads.c:356
#22 0x00007f5666b139ca in start_thread () from /lib/libpthread.so.0
#23 0x00007f566642270d in clone () from /lib/libc.so.6
#24 0x0000000000000000 in ?? ()

I've another almost identical crash, and also:

#0 0x00007f0a44172a75 in raise () from /lib/libc.so.6
#1 0x00007f0a441765c0 in abort () from /lib/libc.so.6
#2 0x00007f0a441ba214 in ?? () from /lib/libc.so.6
#3 0x00007f0a441bb58e in malloc () from /lib/libc.so.6
#4 0x00007f0a4539ea9e in htp_gzip_decompressor_create (connp=0x7f0a3e750ac0) at htp_decompressors.c:191
#5 0x00007f0a4539e06f in htp_connp_RES_BODY_DETERMINE (connp=0x7f0a3e750ac0) at htp_response.c:296
#6 0x00007f0a4539d2f9 in htp_connp_res_data (connp=0x7f0a3e750ac0, timestamp=19891, data=0x6 <Address 0x6 out of bounds>,
len=18446744073709551615) at htp_response.c:776
#7 0x00000000004edde0 in HTPHandleResponseData (f=<value optimised out>, htp_state=0x7f0a3e750aa0, pstate=0x7f0a3e751910,
input=0x6 <Address 0x6 out of bounds>, input_len=4294967295, output=0x7f0a44288ec6) at app-layer-htp.c:495
#8 0x00000000004ea4bf in AppLayerDoParse (f=0x4dae, app_layer_state=0x4db3, parser_state=0x6,
input=0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>, input_len=1107252992, parser_idx=<value optimised out>,
proto=1) at app-layer-parser.c:676
#9 0x00000000004ea863 in AppLayerParse (f=0x7f0a3f640e40, proto=<value optimised out>, flags=<value optimised out>,
input=0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>, input_len=1107252992) at app-layer-parser.c:885
#10 0x00000000004da6ee in StreamTcpReassembleAppLayer (ra_ctx=<value optimised out>, ssn=<value optimised out>,
stream=<value optimised out>, p=<value optimised out>) at stream-tcp-reassemble.c:3015
#11 0x00000000004da8cf in StreamTcpReassembleHandleSegmentUpdateACK (ra_ctx=<value optimised out>, ssn=<value optimised out>,
stream=0x7f0a0e030958, p=<value optimised out>) at stream-tcp-reassemble.c:3393
#12 0x00000000004dbebe in StreamTcpReassembleHandleSegment (tv=0x60ad840, ra_ctx=0x7f0a3c002230, ssn=0x7f0a0e030950,
stream=0x7f0a0e0309a8, p=0x7f0a41ff5700, pq=0x7f0a44288ec6) at stream-tcp-reassemble.c:3467
#13 0x00000000004d5f5a in HandleEstablishedPacketToClient (tv=0x60ad840, p=0x3091710, stt=0x63ce130, ssn=0x7f0a0e030950,
pq=0x63ce138) at stream-tcp.c:1832
#14 StreamTcpPacketStateEstablished (tv=0x60ad840, p=0x3091710, stt=0x63ce130, ssn=0x7f0a0e030950, pq=0x63ce138)
at stream-tcp.c:1961
#15 0x00000000004d762d in StreamTcpPacket (tv=0x60ad840, p=0x3091710, data=0x63ce130, pq=<value optimised out>,
postpq=<value optimised out>) at stream-tcp.c:3304
#16 StreamTcp (tv=0x60ad840, p=0x3091710, data=0x63ce130, pq=<value optimised out>, postpq=<value optimised out>)
at stream-tcp.c:3501
#17 0x00000000004c0f8e in TmThreadsSlot1 (td=0x60ad840) at tm-threads.c:356
#18 0x00007f0a449169ca in start_thread () from /lib/libpthread.so.0
#19 0x00007f0a4422570d in clone () from /lib/libc.so.6
#20 0x0000000000000000 in ?? ()

I've kept the core files, but have gone back to the pre-29th April
version for now.

Best Wishes,
Chris

History

#1 Updated by Victor Julien almost 3 years ago

  • Status changed from New to Closed

This is fixed in the current master.
