Bug #29

closed

Abort inside of StreamTcpSegmentDataReplace when processing the attached pcap

Added by Will Metcalf almost 13 years ago. Updated almost 13 years ago.

Status:
Closed
Priority:
Normal

Description

Running the attached pcap through the engine with or without rules loaded produces the following error and then aborts.
suricata: stream-tcp-reassemble.c:1540: StreamTcpSegmentDataReplace: Assertion `!(len + dst_pos > dst_seg->payload_len)' failed.
Aborted (core dumped)

The abort happens in this block of code in stream-tcp-reassemble.c:

    BUG_ON(len + dst_pos > dst_seg->payload_len);
    for (seq = start_point; SEQ_LT(seq, (start_point + len)); seq++) {
        if (dst_pos >= dst_seg->payload_len)
            abort();
        dst_seg->payload[dst_pos] = src_seg->payload[s_cnt];
        dst_pos++;
        s_cnt++;
    }
}

coz@coz-desktop:~/downloads/oisfnew$ gdb src/suricata core
GNU gdb (GDB) 7.0-ubuntu
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/coz/downloads/oisfnew/src/suricata...done.
[New Thread 11742]
[New Thread 11753]
[New Thread 11752]
[New Thread 11748]
[New Thread 11749]
[New Thread 11750]
[New Thread 11751]
[New Thread 11754]
[New Thread 11746]
[New Thread 11744]
[New Thread 11747]

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libhtp-0.1.so.1...done.
Loaded symbols for /usr/lib/libhtp-0.1.so.1
Reading symbols from /usr/lib/libpcap.so.0.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpcap.so.0.8
Reading symbols from /usr/local/lib/libpfring.so...done.
Loaded symbols for /usr/local/lib/libpfring.so
Reading symbols from /usr/lib/libnet.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libnet.so.1
Reading symbols from /lib/libpthread.so.0...Reading symbols from /usr/lib/debug/lib/libpthread-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/libyaml-0.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libyaml-0.so.1
Reading symbols from /lib/libpcre.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib/libpcre.so.3
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib/libgcc_s.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libgcc_s.so.1
Core was generated by `src/suricata c ../suricata117.yaml -r defconctfsegv-tcp-stream0and1.pcap -l ./'.
Program terminated with signal 6, Aborted.
#0 0x00007fed2e9c54b5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) bt full
#0 0x00007fed2e9c54b5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
pid = <value optimized out>
selftid = <value optimized out>
#1 0x00007fed2e9c8f50 in *__GI_abort () at abort.c:92
act = {__sigaction_handler = {sa_handler = 0x4a1e78, sa_sigaction = 0x4a1e78}, sa_mask = {__val = {140656667031624, 140656643628064, 1540, 140656643628304, 140656666180038, 206158430232, 140656643628320, 140656643628096,
140656666090920, 206158430256, 140656643628344, 140656459099232, 10, 8028925695096663399, 2821908023413269601, 140735488579067}}, sa_flags = 783046899, sa_restorer = 0x4a1c20}
sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007fed2e9be481 in *__GI___assert_fail (assertion=0x4a1e78 "!(len + dst_pos > dst_seg->payload_len)", file=<value optimized out>, line=1540, function=0x4a1ef0 "StreamTcpSegmentDataReplace") at assert.c:81
buf = 0x7fed2247ac60 "suricata: stream-tcp-reassemble.c:1540: StreamTcpSegmentDataReplace: Assertion `!(len + dst_pos > dst_seg->payload_len)' failed.\n"
#3 0x000000000047ca4b in StreamTcpSegmentDataReplace (dst_seg=0x7fed20ddef20, src_seg=0x7fed20e2cb30, start_point=1560103805, len=65480) at stream-tcp-reassemble.c:1540
seq = 1560103760
s_cnt = 0
dst_pos = 45
__PRETTY_FUNCTION__ = "StreamTcpSegmentDataReplace"
#4 0x000000000047a41c in HandleSegmentStartsBeforeListSegment (stream=0x7fed20d016f8, list_seg=0x7fed20daa400, seg=0x7fed20e2cb30, os_policy=0 '\000') at stream-tcp-reassemble.c:659
new_seg = 0x7fed20ddef20
copy_len = 65480
overlap = 45
packet_length = 200
overlap_point = 1560103760
end_before = 0 '\000'
end_after = 1 '\001'
end_same = 0 '\000'
__FUNCTION__ = "HandleSegmentStartsBeforeListSegment"
#5 0x00000000004790fc in ReassembleInsertSegment (stream=0x7fed20d016f8, seg=0x7fed20e2cb30) at stream-tcp-reassemble.c:353
list_seg = 0x7fed20daa400
os_policy = 0 '\000'
ret_value = 0
return_seg = 0 '\000'
__FUNCTION__ = "ReassembleInsertSegment"
#6 0x000000000047b32b in StreamTcpReassembleHandleSegmentHandleData (ssn=0x7fed20d016f0, stream=0x7fed20d016f8, p=0x16c81c0) at stream-tcp-reassemble.c:1096
seg = 0x7fed20e2cb30
__FUNCTION__ = "StreamTcpReassembleHandleSegmentHandleData"
#7 0x000000000047c7df in StreamTcpReassembleHandleSegment (ra_ctx=0x7fed20000a30, ssn=0x7fed20d016f0, stream=0x7fed20d016f8, p=0x16c81c0) at stream-tcp-reassemble.c:1483
__FUNCTION__ = "StreamTcpReassembleHandleSegment"
#8 0x0000000000476078 in HandleEstablishedPacketToClient (ssn=0x7fed20d016f0, p=0x16c81c0, stt=0x1f813b0) at stream-tcp.c:1315
No locals.
#9 0x0000000000476150 in StreamTcpPacketStateEstablished (tv=0x1c606e0, p=0x16c81c0, stt=0x1f813b0, ssn=0x7fed20d016f0) at stream-tcp.c:1378
No locals.
#10 0x0000000000477f94 in StreamTcpPacket (tv=0x1c606e0, p=0x16c81c0, stt=0x1f813b0) at stream-tcp.c:2267
ssn = 0x7fed20d016f0
#11 0x0000000000478165 in StreamTcp (tv=0x1c606e0, p=0x16c81c0, data=0x1f813b0, pq=0x1c60a90) at stream-tcp.c:2322
stt = 0x1f813b0
ret = TM_ECODE_OK
#12 0x000000000046a0ef in TmThreadsSlot1 (td=0x1c606e0) at tm-threads.c:325
tv = 0x1c606e0
s = 0x1c60a60
p = 0x16c81c0
run = 1 '\001'
r = TM_ECODE_OK
#13 0x00007fed2f156a04 in start_thread (arg=<value optimized out>) at pthread_create.c:300
__res = <value optimized out>
pd = 0x7fed2d477910
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140656643635472, 9044115567066294078, 140735488568832, 0, 0, 3, 9054067320305932482, -9054072422990010562}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <value optimized out>
robust = <value optimized out>
#14 0x00007fed2ea717bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#15 0x0000000000000000 in ?? ()
No symbol table info available.
(gdb)


Files

defconctfsegv-tcp-stream0and1.pcap (31.5 KB) - fuzzed defcon 17 ctf traffic causes abort in stream reassembly - Will Metcalf, 12/30/2009 11:29 AM
0001-bug-29-patch.patch (2.31 KB) - Gurvinder Singh, 12/30/2009 08:50 PM

#1

Updated by Gurvinder Singh almost 13 years ago

The bug was caused by wrong copy_len initialization for replacing the data. The patch has been attached for it.
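As an added illustration of the copy described in the report and in the comment above (this is a simplified model, not Suricata's code and not the attached patch), the replace routine below turns the BUG_ON condition into a checked error, and the copy length for a new segment that starts before and ends after an existing list segment is bounded by the list segment rather than by the packet. The struct layout, buffer size and the 1000/960 sequence numbers are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Simplified reassembly segment for this example (not Suricata's struct). */
typedef struct {
    uint32_t seq;          /* TCP sequence number of payload[0] */
    uint16_t payload_len;  /* bytes valid in payload */
    uint8_t  payload[256];
} TcpSegment;

#define SEQ_LT(a, b) ((int32_t)((a) - (b)) < 0)

/* Copy len bytes of src_seg into dst_seg at sequence number start_point; the
 * BUG_ON condition from the report is checked and returned as -1 instead. */
int SegmentDataReplace(TcpSegment *dst_seg, const TcpSegment *src_seg,
                       uint32_t start_point, uint32_t len)
{
    uint32_t dst_pos = start_point - dst_seg->seq;  /* wraps if before seq */
    uint32_t src_pos = start_point - src_seg->seq;
    if (dst_pos > dst_seg->payload_len || len + dst_pos > dst_seg->payload_len)
        return -1;
    if (src_pos > src_seg->payload_len || len + src_pos > src_seg->payload_len)
        return -1;
    memcpy(dst_seg->payload + dst_pos, src_seg->payload + src_pos, len);
    return 0;
}

/* Overlap of a list segment with a new segment that starts before it (the
 * end_after case in the trace): bounded by the list segment, not the packet. */
uint32_t OverlapCopyLen(const TcpSegment *list_seg, const TcpSegment *seg)
{
    uint32_t list_end = list_seg->seq + list_seg->payload_len;
    uint32_t seg_end  = seg->seq + seg->payload_len;
    uint32_t start = SEQ_LT(list_seg->seq, seg->seq) ? seg->seq : list_seg->seq;
    uint32_t end   = SEQ_LT(seg_end, list_end) ? seg_end : list_end;
    return SEQ_LT(start, end) ? end - start : 0;
}

/* Constructed scenario shaped like the trace (packet_length 200, overlap 45):
 * 1 when the bogus length 65480 is rejected and the bounded copy succeeds. */
int Bug29Scenario(void)
{
    TcpSegment list_seg = { .seq = 1000, .payload_len = 45 };
    TcpSegment seg      = { .seq = 960,  .payload_len = 200 };
    memset(seg.payload, 0xAB, seg.payload_len);
    if (SegmentDataReplace(&list_seg, &seg, list_seg.seq, 65480) != -1)
        return 0;
    uint32_t n = OverlapCopyLen(&list_seg, &seg);
    if (n != 45 || SegmentDataReplace(&list_seg, &seg, list_seg.seq, n) != 0)
        return 0;
    return list_seg.payload[0] == 0xAB && list_seg.payload[44] == 0xAB;
}
```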

#2

Updated by Victor Julien almost 13 years ago

  • Status changed from Assigned to Closed

Patch applied, thanks Gurvinder.
