Actions
Bug #2999
closedAddressSanitizer: heap-buffer-overflow in HTPParseContentRange
Affected Versions:
Effort:
Difficulty:
Label:
Description
==11212==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000059c40 at pc 0x55555571f4ee bp 0x7fffdefa16f0 sp 0x7fffdefa16e0 READ of size 1 at 0x604000059c40 thread T6 (W#05) #0 0x55555571f4ed in HTPParseContentRange /home/victor/dev/suricata/src/app-layer-htp-file.c:209 #1 0x55555571f6ba in HTPFileSetRange /home/victor/dev/suricata/src/app-layer-htp-file.c:244 #2 0x555555711f2f in HtpResponseBodyHandle /home/victor/dev/suricata/src/app-layer-htp.c:1674 #3 0x5555557137e2 in HTPCallbackResponseBodyData /home/victor/dev/suricata/src/app-layer-htp.c:1904 #4 0x555555ce1a2b in htp_hook_run_all /home/victor/dev/suricata/libhtp/htp/htp_hooks.c:127 #5 0x555555cf5ec4 in htp_tx_res_process_body_data_ex /home/victor/dev/suricata/libhtp/htp/htp_transaction.c:843 #6 0x555555ced925 in htp_connp_RES_BODY_IDENTITY_CL_KNOWN /home/victor/dev/suricata/libhtp/htp/htp_response.c:464 #7 0x555555cf1d4c in htp_connp_res_data /home/victor/dev/suricata/libhtp/htp/htp_response.c:1139 #8 0x55555570de4b in HTPHandleResponseData /home/victor/dev/suricata/src/app-layer-htp.c:840 #9 0x555555732bb1 in AppLayerParserParse /home/victor/dev/suricata/src/app-layer-parser.c:1185 #10 0x555555660f56 in TCPProtoDetect /home/victor/dev/suricata/src/app-layer.c:442 #11 0x555555661984 in AppLayerHandleTCPData /home/victor/dev/suricata/src/app-layer.c:601 #12 0x555555b630a3 in ReassembleUpdateAppLayer /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1064 #13 0x555555b635db in StreamTcpReassembleAppLayer /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1134 #14 0x555555b66c2e in StreamTcpReassembleHandleSegmentUpdateACK /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1700 #15 0x555555b66ec6 in StreamTcpReassembleHandleSegment /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1743 #16 0x555555b2183f in HandleEstablishedPacketToServer /home/victor/dev/suricata/src/stream-tcp.c:2224 #17 0x555555b261e6 in StreamTcpPacketStateEstablished /home/victor/dev/suricata/src/stream-tcp.c:2598 #18 0x555555b4210b in StreamTcpStateDispatch /home/victor/dev/suricata/src/stream-tcp.c:4617 #19 0x555555b4374a in StreamTcpPacket /home/victor/dev/suricata/src/stream-tcp.c:4798 #20 0x555555b45257 in StreamTcp /home/victor/dev/suricata/src/stream-tcp.c:5134 #21 0x5555559ba95b in FlowWorker /home/victor/dev/suricata/src/flow-worker.c:216 #22 0x555555b902e3 in TmThreadsSlotVarRun /home/victor/dev/suricata/src/tm-threads.c:128 #23 0x555555b925a9 in TmThreadsSlotVar /home/victor/dev/suricata/src/tm-threads.c:583 #24 0x7ffff5bd06da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da) #25 0x7ffff452f88e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e) 0x604000059c40 is located 0 bytes to the right of 48-byte region [0x604000059c10,0x604000059c40) allocated by thread T6 (W#05) here: #0 0x7ffff6ef8b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50) #1 0x555555cdaa04 in bstr_alloc /home/victor/dev/suricata/libhtp/htp/bstr.c:44 #2 0x555555cdb34a in bstr_dup_mem /home/victor/dev/suricata/libhtp/htp/bstr.c:255 #3 0x555555cf2b53 in htp_parse_response_header_generic /home/victor/dev/suricata/libhtp/htp/htp_response_generic.c:221 #4 0x555555cf2fe5 in htp_process_response_header_generic /home/victor/dev/suricata/libhtp/htp/htp_response_generic.c:245 #5 0x555555cf113d in htp_connp_RES_HEADERS /home/victor/dev/suricata/libhtp/htp/htp_response.c:824 #6 0x555555cf1d4c in htp_connp_res_data /home/victor/dev/suricata/libhtp/htp/htp_response.c:1139 #7 0x55555570de4b in HTPHandleResponseData /home/victor/dev/suricata/src/app-layer-htp.c:840 #8 0x555555732bb1 in AppLayerParserParse /home/victor/dev/suricata/src/app-layer-parser.c:1185 #9 0x555555660f56 in TCPProtoDetect /home/victor/dev/suricata/src/app-layer.c:442 #10 0x555555661984 in AppLayerHandleTCPData /home/victor/dev/suricata/src/app-layer.c:601 #11 0x555555b630a3 in ReassembleUpdateAppLayer /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1064 #12 0x555555b635db in StreamTcpReassembleAppLayer /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1134 #13 0x555555b66c2e in StreamTcpReassembleHandleSegmentUpdateACK /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1700 #14 0x555555b66ec6 in StreamTcpReassembleHandleSegment /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1743 #15 0x555555b2183f in HandleEstablishedPacketToServer /home/victor/dev/suricata/src/stream-tcp.c:2224 #16 0x555555b261e6 in StreamTcpPacketStateEstablished /home/victor/dev/suricata/src/stream-tcp.c:2598 #17 0x555555b4210b in StreamTcpStateDispatch /home/victor/dev/suricata/src/stream-tcp.c:4617 #18 0x555555b4374a in StreamTcpPacket /home/victor/dev/suricata/src/stream-tcp.c:4798 #19 0x555555b45257 in StreamTcp /home/victor/dev/suricata/src/stream-tcp.c:5134 #20 0x5555559ba95b in FlowWorker /home/victor/dev/suricata/src/flow-worker.c:216 #21 0x555555b902e3 in TmThreadsSlotVarRun /home/victor/dev/suricata/src/tm-threads.c:128 #22 0x555555b925a9 in TmThreadsSlotVar /home/victor/dev/suricata/src/tm-threads.c:583 #23 0x7ffff5bd06da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da) Thread T6 (W#05) created by T0 (Suricata-Main) here: #0 0x7ffff6e51d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f) #1 0x555555b9a9af in TmThreadSpawn /home/victor/dev/suricata/src/tm-threads.c:1880 #2 0x555555abd42d in RunModeFilePcapAutoFp /home/victor/dev/suricata/src/runmode-pcap-file.c:255 #3 0x555555accb04 in RunModeDispatch /home/victor/dev/suricata/src/runmodes.c:379 #4 0x555555b8577c in main /home/victor/dev/suricata/src/suricata.c:2995 #5 0x7ffff442fb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) SUMMARY: AddressSanitizer: heap-buffer-overflow /home/victor/dev/suricata/src/app-layer-htp-file.c:209 in HTPParseContentRange Shadow bytes around the buggy address: 0x0c0880003330: fa fa 00 00 00 00 07 fa fa fa 00 00 00 00 05 fa 0x0c0880003340: fa fa 00 00 00 00 07 fa fa fa 00 00 00 00 05 fa 0x0c0880003350: fa fa 00 00 00 00 05 fa fa fa 00 00 00 00 05 fa 0x0c0880003360: fa fa 00 00 00 00 05 fa fa fa 00 00 00 00 06 fa 0x0c0880003370: fa fa 00 00 00 00 06 fa fa fa 00 00 00 00 05 fa =>0x0c0880003380: fa fa 00 00 00 00 00 00[fa]fa 00 00 00 00 05 fa 0x0c0880003390: fa fa 00 00 00 00 02 fa fa fa 00 00 00 00 00 03 0x0c08800033a0: fa fa 00 00 00 00 02 fa fa fa 00 00 00 00 02 fa 0x0c08800033b0: fa fa 00 00 00 00 02 fa fa fa 00 00 00 00 02 fa 0x0c08800033c0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 05 fa 0x0c08800033d0: fa fa 00 00 00 00 04 fa fa fa 00 00 00 00 02 fa
(gdb) print *rawvalue $3 = {len = 24, size = 24, realptr = 0x0} (gdb) p *((char *)rawvalue+24)@24 $9 = "bytes 15335424-27514354/"
Actions