Project

General

Profile

Actions

Bug #2999

closed

AddressSanitizer: heap-buffer-overflow in HTPParseContentRange

Added by Victor Julien about 5 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

==11212==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000059c40 at pc 0x55555571f4ee bp 0x7fffdefa16f0 sp 0x7fffdefa16e0                                                                                                                                                                                                                                                    
READ of size 1 at 0x604000059c40 thread T6 (W#05)
    #0 0x55555571f4ed in HTPParseContentRange /home/victor/dev/suricata/src/app-layer-htp-file.c:209
    #1 0x55555571f6ba in HTPFileSetRange /home/victor/dev/suricata/src/app-layer-htp-file.c:244
    #2 0x555555711f2f in HtpResponseBodyHandle /home/victor/dev/suricata/src/app-layer-htp.c:1674
    #3 0x5555557137e2 in HTPCallbackResponseBodyData /home/victor/dev/suricata/src/app-layer-htp.c:1904
    #4 0x555555ce1a2b in htp_hook_run_all /home/victor/dev/suricata/libhtp/htp/htp_hooks.c:127
    #5 0x555555cf5ec4 in htp_tx_res_process_body_data_ex /home/victor/dev/suricata/libhtp/htp/htp_transaction.c:843
    #6 0x555555ced925 in htp_connp_RES_BODY_IDENTITY_CL_KNOWN /home/victor/dev/suricata/libhtp/htp/htp_response.c:464
    #7 0x555555cf1d4c in htp_connp_res_data /home/victor/dev/suricata/libhtp/htp/htp_response.c:1139
    #8 0x55555570de4b in HTPHandleResponseData /home/victor/dev/suricata/src/app-layer-htp.c:840
    #9 0x555555732bb1 in AppLayerParserParse /home/victor/dev/suricata/src/app-layer-parser.c:1185
    #10 0x555555660f56 in TCPProtoDetect /home/victor/dev/suricata/src/app-layer.c:442
    #11 0x555555661984 in AppLayerHandleTCPData /home/victor/dev/suricata/src/app-layer.c:601
    #12 0x555555b630a3 in ReassembleUpdateAppLayer /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1064
    #13 0x555555b635db in StreamTcpReassembleAppLayer /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1134
    #14 0x555555b66c2e in StreamTcpReassembleHandleSegmentUpdateACK /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1700
    #15 0x555555b66ec6 in StreamTcpReassembleHandleSegment /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1743
    #16 0x555555b2183f in HandleEstablishedPacketToServer /home/victor/dev/suricata/src/stream-tcp.c:2224
    #17 0x555555b261e6 in StreamTcpPacketStateEstablished /home/victor/dev/suricata/src/stream-tcp.c:2598
    #18 0x555555b4210b in StreamTcpStateDispatch /home/victor/dev/suricata/src/stream-tcp.c:4617
    #19 0x555555b4374a in StreamTcpPacket /home/victor/dev/suricata/src/stream-tcp.c:4798
    #20 0x555555b45257 in StreamTcp /home/victor/dev/suricata/src/stream-tcp.c:5134
    #21 0x5555559ba95b in FlowWorker /home/victor/dev/suricata/src/flow-worker.c:216
    #22 0x555555b902e3 in TmThreadsSlotVarRun /home/victor/dev/suricata/src/tm-threads.c:128
    #23 0x555555b925a9 in TmThreadsSlotVar /home/victor/dev/suricata/src/tm-threads.c:583
    #24 0x7ffff5bd06da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #25 0x7ffff452f88e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

0x604000059c40 is located 0 bytes to the right of 48-byte region [0x604000059c10,0x604000059c40)
allocated by thread T6 (W#05) here:
    #0 0x7ffff6ef8b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x555555cdaa04 in bstr_alloc /home/victor/dev/suricata/libhtp/htp/bstr.c:44
    #2 0x555555cdb34a in bstr_dup_mem /home/victor/dev/suricata/libhtp/htp/bstr.c:255
    #3 0x555555cf2b53 in htp_parse_response_header_generic /home/victor/dev/suricata/libhtp/htp/htp_response_generic.c:221
    #4 0x555555cf2fe5 in htp_process_response_header_generic /home/victor/dev/suricata/libhtp/htp/htp_response_generic.c:245
    #5 0x555555cf113d in htp_connp_RES_HEADERS /home/victor/dev/suricata/libhtp/htp/htp_response.c:824
    #6 0x555555cf1d4c in htp_connp_res_data /home/victor/dev/suricata/libhtp/htp/htp_response.c:1139
    #7 0x55555570de4b in HTPHandleResponseData /home/victor/dev/suricata/src/app-layer-htp.c:840
    #8 0x555555732bb1 in AppLayerParserParse /home/victor/dev/suricata/src/app-layer-parser.c:1185
    #9 0x555555660f56 in TCPProtoDetect /home/victor/dev/suricata/src/app-layer.c:442
    #10 0x555555661984 in AppLayerHandleTCPData /home/victor/dev/suricata/src/app-layer.c:601
    #11 0x555555b630a3 in ReassembleUpdateAppLayer /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1064
    #12 0x555555b635db in StreamTcpReassembleAppLayer /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1134
    #13 0x555555b66c2e in StreamTcpReassembleHandleSegmentUpdateACK /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1700
    #14 0x555555b66ec6 in StreamTcpReassembleHandleSegment /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1743
    #15 0x555555b2183f in HandleEstablishedPacketToServer /home/victor/dev/suricata/src/stream-tcp.c:2224
    #16 0x555555b261e6 in StreamTcpPacketStateEstablished /home/victor/dev/suricata/src/stream-tcp.c:2598
    #17 0x555555b4210b in StreamTcpStateDispatch /home/victor/dev/suricata/src/stream-tcp.c:4617
    #18 0x555555b4374a in StreamTcpPacket /home/victor/dev/suricata/src/stream-tcp.c:4798
    #19 0x555555b45257 in StreamTcp /home/victor/dev/suricata/src/stream-tcp.c:5134
    #20 0x5555559ba95b in FlowWorker /home/victor/dev/suricata/src/flow-worker.c:216
    #21 0x555555b902e3 in TmThreadsSlotVarRun /home/victor/dev/suricata/src/tm-threads.c:128
    #22 0x555555b925a9 in TmThreadsSlotVar /home/victor/dev/suricata/src/tm-threads.c:583
    #23 0x7ffff5bd06da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

Thread T6 (W#05) created by T0 (Suricata-Main) here:
    #0 0x7ffff6e51d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x555555b9a9af in TmThreadSpawn /home/victor/dev/suricata/src/tm-threads.c:1880
    #2 0x555555abd42d in RunModeFilePcapAutoFp /home/victor/dev/suricata/src/runmode-pcap-file.c:255
    #3 0x555555accb04 in RunModeDispatch /home/victor/dev/suricata/src/runmodes.c:379
    #4 0x555555b8577c in main /home/victor/dev/suricata/src/suricata.c:2995
    #5 0x7ffff442fb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/victor/dev/suricata/src/app-layer-htp-file.c:209 in HTPParseContentRange
Shadow bytes around the buggy address:
  0x0c0880003330: fa fa 00 00 00 00 07 fa fa fa 00 00 00 00 05 fa
  0x0c0880003340: fa fa 00 00 00 00 07 fa fa fa 00 00 00 00 05 fa
  0x0c0880003350: fa fa 00 00 00 00 05 fa fa fa 00 00 00 00 05 fa
  0x0c0880003360: fa fa 00 00 00 00 05 fa fa fa 00 00 00 00 06 fa
  0x0c0880003370: fa fa 00 00 00 00 06 fa fa fa 00 00 00 00 05 fa
=>0x0c0880003380: fa fa 00 00 00 00 00 00[fa]fa 00 00 00 00 05 fa
  0x0c0880003390: fa fa 00 00 00 00 02 fa fa fa 00 00 00 00 00 03
  0x0c08800033a0: fa fa 00 00 00 00 02 fa fa fa 00 00 00 00 02 fa
  0x0c08800033b0: fa fa 00 00 00 00 02 fa fa fa 00 00 00 00 02 fa
  0x0c08800033c0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 05 fa
  0x0c08800033d0: fa fa 00 00 00 00 04 fa fa fa 00 00 00 00 02 fa
(gdb) print *rawvalue
$3 = {len = 24, size = 24, realptr = 0x0}
(gdb) p *((char *)rawvalue+24)@24
$9 = "bytes 15335424-27514354/" 
Actions

Also available in: Atom PDF