Bug #3277
Closed
segfault when test a nfs pcap file
Description
Hi, everyone:
When I test an NFS pcap file, it causes a segfault. Here are the details.
It may be testing NFS over UDP, but why does it crash in TcpSessionSetReassemblyDepth? This is very strange.
version info:
This is Suricata version 5.0.0 RELEASE
cargo 1.38.0 (23ef9a4ef 2019-08-20)
CentOS Linux release 7.6.1810 (Core)
Pcap file: nfsv2.pcap or https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=nfsv2.pcap.gz
I hope this report will help you fix the bug.
Thanks and Regards.
Updated by Victor Julien about 5 years ago
It crashes while evaluating a rule, do you know which rule? Can you share the filestore rules you use?
Updated by Victor Julien about 5 years ago
- Target version set to 5.0.1
Ah never mind, I can reproduce it with
alert nfs any any -> any any (msg:"File found within NFS and stored"; filestore; sid:33; rev:1;)
from rules/files.rules.
Updated by Victor Julien about 5 years ago
- Copied to Bug #3278: segfault when test a nfs pcap file (4.1.x) added
Updated by lei wang about 5 years ago
Yes, the same happens when I test with this simple rule: "alert nfs any any -> any any (msg:"FILE store in NFS"; filestore; sid:3; rev:1;)".
Updated by Victor Julien about 5 years ago
Thanks. I've created a ticket for 4.1.x as well as it has the same issue (if RUST is enabled).
Updated by Victor Julien about 5 years ago
Can you try:
commit fdfc1715adc55f7e710bb6d5426a256c4d56199b (HEAD -> fix/nfs-filestore/v1)
Author: Victor Julien <victor@inliniac.net>
Date: Thu Oct 24 14:51:48 2019 +0200
filestore: don't assume flow is TCP
Filestore can be used by UDP based protocols as well. NFSv2 is one
that Suricata supports.
Bug #3277.
diff --git a/src/detect-filestore.c b/src/detect-filestore.c
index a4bdc249d..c2d1340c2 100644
--- a/src/detect-filestore.c
+++ b/src/detect-filestore.c
@@ -209,10 +209,11 @@ static int DetectFilestorePostMatch(DetectEngineThreadCtx *det_ctx,
#endif
}
- /* set filestore depth for stream reassembling */
- TcpSession *ssn = (TcpSession *)p->flow->protoctx;
- TcpSessionSetReassemblyDepth(ssn, FileReassemblyDepth());
-
+ if (p->proto == IPPROTO_TCP && p->flow->protoctx != NULL) {
+ /* set filestore depth for stream reassembling */
+ TcpSession *ssn = (TcpSession *)p->flow->protoctx;
+ TcpSessionSetReassemblyDepth(ssn, FileReassemblyDepth());
+ }
if (p->flowflags & FLOW_PKT_TOCLIENT)
flags |= STREAM_TOCLIENT;
else
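Review bot: The new guard "if (p->proto == IPPROTO_TCP && p->flow->protoctx != NULL)" tests the packet's protocol, while the cast that follows is applied to p->flow->protoctx; consider keying the check on the flow's own protocol so the test and the cast refer to the same object. A short comment at the guard saying that UDP flows (NFSv2, per the commit message) do not carry a TcpSession in protoctx would explain why the block is skipped. The hunk also drops the blank line that separated this block from "if (p->flowflags & FLOW_PKT_TOCLIENT)"; keeping it would preserve the visual break between the reassembly-depth setup and the direction flags. A regression test that replays the NFSv2 pcap from this ticket against the filestore rule would keep the crash from coming back.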
Updated by lei wang about 5 years ago
I just tested a new version of Suricata with this fix. It works well, and I found the dump file with nfsv2.pcap and nfsv3.pcap. But please test more to make sure there really is no problem, because I am a learner and know only a little about it.
Updated by Victor Julien about 5 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
Updated by Victor Julien about 5 years ago
- Status changed from Assigned to Closed