Open Information Security Foundation | https://redmine.openinfosecfoundation.org/ | 2019-10-24T12:33:21Z
Suricata - Bug #3277: segfault when test a nfs pcap file | https://redmine.openinfosecfoundation.org/issues/3277?journal_id=14348 | 2019-10-24T12:33:21Z | Victor Julien | victor@inliniac.net
<p>It crashes while evaluating a rule, do you know which rule? Can you share the filestore rules you use?</p>
Suricata - Bug #3277: segfault when test a nfs pcap file | https://redmine.openinfosecfoundation.org/issues/3277?journal_id=14349 | 2019-10-24T12:36:10Z | Victor Julien | victor@inliniac.net
<ul><li><strong>Target version</strong> set to <i>5.0.1</i></li></ul><p>Ah never mind, I can reproduce it with<br /><pre>
alert nfs any any -> any any (msg:"File found within NFS and stored"; filestore; sid:33; rev:1;)
</pre><br />from rules/files.rules.</p>
Suricata - Bug #3277: segfault when test a nfs pcap file | https://redmine.openinfosecfoundation.org/issues/3277?journal_id=14350 | 2019-10-24T12:47:29Z | Victor Julien | victor@inliniac.net
<ul><li><strong>Copied to</strong> <i><a class="issue tracker-1 status-5 priority-4 priority-default closed" href="/issues/3278">Bug #3278</a>: segfault when test a nfs pcap file (4.1.x)</i> added</li></ul>
Suricata - Bug #3277: segfault when test a nfs pcap file | https://redmine.openinfosecfoundation.org/issues/3277?journal_id=14352 | 2019-10-24T12:48:18Z | lei wang
<p>Yes, it is the same when I test with this simple rule: "alert nfs any any -> any any (msg:"FILE store in NFS"; filestore; sid:3; rev:1;)".</p>
Suricata - Bug #3277: segfault when test a nfs pcap file | https://redmine.openinfosecfoundation.org/issues/3277?journal_id=14353 | 2019-10-24T12:50:30Z | Victor Julien | victor@inliniac.net
<p>Thanks. I've created a ticket for 4.1.x as well, as it has the same issue (if RUST is enabled).</p>
Suricata - Bug #3277: segfault when test a nfs pcap file | https://redmine.openinfosecfoundation.org/issues/3277?journal_id=14354 | 2019-10-24T12:54:53Z | Victor Julien | victor@inliniac.net
<ul></ul><p>Can you try:<br /><pre><code class="diff syntaxhl" data-language="diff"><span class="p">commit fdfc1715adc55f7e710bb6d5426a256c4d56199b (HEAD -> fix/nfs-filestore/v1)
Author: Victor Julien <victor@inliniac.net>
Date: Thu Oct 24 14:51:48 2019 +0200
</span>
filestore: don't assume flow is TCP
Filestore can be used by UDP based protocols as well. NFSv2 is one
that Suricata supports.
Bug #3277.
diff --git a/src/detect-filestore.c b/src/detect-filestore.c
<span class="gh">index a4bdc249d..c2d1340c2 100644
</span><span class="gd">--- a/src/detect-filestore.c
</span><span class="gi">+++ b/src/detect-filestore.c
</span><span class="p">@@ -209,10 +209,11 @@</span> static int DetectFilestorePostMatch(DetectEngineThreadCtx *det_ctx,
#endif
}
- /* set filestore depth for stream reassembling */
<span class="gd">- TcpSession *ssn = (TcpSession *)p->flow->protoctx;
- TcpSessionSetReassemblyDepth(ssn, FileReassemblyDepth());
-
</span><span class="gi">+ if (p->proto == IPPROTO_TCP && p->flow->protoctx != NULL) {
+ /* set filestore depth for stream reassembling */
+ TcpSession *ssn = (TcpSession *)p->flow->protoctx;
+ TcpSessionSetReassemblyDepth(ssn, FileReassemblyDepth());
+ }
</span> if (p->flowflags & FLOW_PKT_TOCLIENT)
flags |= STREAM_TOCLIENT;
else
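Review bot: the added guard `if (p->proto == IPPROTO_TCP && p->flow->protoctx != NULL)` keys on the packet's protocol, while the pointer being cast to `TcpSession *` belongs to the flow, and the commit subject also speaks of the flow. Testing the flow's own protocol would tie the check directly to the object whose `protoctx` is cast. `p->flow` itself is still dereferenced without a check in this condition, so a one-line comment stating why a flow is guaranteed at this point in `DetectFilestorePostMatch` would help readers. The thread already has a one-rule reproducer (an `alert nfs ... filestore` rule run against an NFSv2 pcap); a regression test built on it would keep the non-TCP path covered.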
</code></pre></p>
Suricata - Bug #3277: segfault when test a nfs pcap file | https://redmine.openinfosecfoundation.org/issues/3277?journal_id=14356 | 2019-10-25T03:46:30Z | lei wang
<p>I tested a new version of Suricata with this fixed code just now. It works well, and I found the dump file with nfsv2.pcap and nfsv3.pcap. But please test more to make sure there is really no problem, because I am a learner and know a little about it.</p>
Suricata - Bug #3277: segfault when test a nfs pcap file | https://redmine.openinfosecfoundation.org/issues/3277?journal_id=14434 | 2019-11-02T15:39:56Z | Victor Julien | victor@inliniac.net
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Assignee</strong> set to <i>Victor Julien</i></li></ul>
Suricata - Bug #3277: segfault when test a nfs pcap file | https://redmine.openinfosecfoundation.org/issues/3277?journal_id=14578 | 2019-11-06T19:16:00Z | Victor Julien | victor@inliniac.net
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Closed</i></li></ul><p><a class="external" href="https://github.com/OISF/suricata/pull/4345/commits/0824b0413455b668777e83cabe9fbc0ea81c400a">https://github.com/OISF/suricata/pull/4345/commits/0824b0413455b668777e83cabe9fbc0ea81c400a</a></p>