Project

General

Profile

Actions
Copy link

Bug #3349

closed

Suricata 5.0 crashes while rule reload

Added by haiwei liu over 4 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
5.0.0
Effort:
Difficulty:
Label:

Description

Suricata 5.0 crashes while rule reload and performing flow detect.

Backtrace

#0  0x00007fb6ce86e337 in raise () from /lib64/libc.so.6
#1  0x00007fb6ce86fa28 in abort () from /lib64/libc.so.6
#2  0x00007fb6ce8b0e87 in __libc_message () from /lib64/libc.so.6
#3  0x00007fb6ce8b9679 in _int_free () from /lib64/libc.so.6
#4  0x00000000004aa43f in DetectEngineThreadCtxFree (det_ctx=0x7fb6a4a96ce0) at detect-engine.c:2559
#5  0x00000000004ad8f7 in DetectEngineThreadCtxDeinit (tv=<optimized out>, data=0x7fb6a4a96ce0) at detect-engine.c:2604
#6  0x00000000004ae090 in DetectEngineReloadThreads (new_de_ctx=new_de_ctx@entry=0xa8dcf20) at detect-engine.c:1543
#7  0x00000000004b1890 in DetectEngineReload (suri=suri@entry=0xa81100 <suricata>) at detect-engine.c:3681
#8  0x000000000041fd55 in SuricataMainLoop (suri=<optimized out>) at suricata.c:2860
#9  main (argc=<optimized out>, argv=<optimized out>) at suricata.c:3021

reason:

InspectionBuffer *InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
{
    InspectionBuffer *buffer = &det_ctx->inspect.buffers[list_id];
    if (buffer->inspect == NULL) {
        det_ctx->inspect.to_clear_queue[det_ctx->inspect.to_clear_idx++] = list_id;
    }
    return buffer;
}

The size of det_ctx->inspect.to_clear_idx will exceed det_ctx->inspect.buffers_size during run, resulting in memory out of bounds.

Actions
Copy link
 #1

Updated by Victor Julien over 4 years ago

  • Description updated (diff)
  • Assignee changed from Victor Julien to OISF Dev
  • Priority changed from High to Normal
  • Target version changed from 5.0.0 to 5.0.1
  • Affected Versions 5.0.0 added
  • Affected Versions deleted (5.0beta1)
Actions
Copy link
 #2

Updated by Victor Julien over 4 years ago

What rules are you using?

Actions
Copy link
 #3

Updated by Victor Julien over 4 years ago

  • Effort deleted (high)
Actions
Copy link
 #4

Updated by Victor Julien over 4 years ago

  • Target version changed from 5.0.1 to 5.0.2
Actions
Copy link
 #5

Updated by Victor Julien about 4 years ago

  • Target version changed from 5.0.2 to 5.0.3
Actions
Copy link
 #6

Updated by Victor Julien about 4 years ago

  • Priority changed from Normal to High
Actions
Copy link
 #7

Updated by Victor Julien about 4 years ago

  • Status changed from New to Feedback
  • Priority changed from High to Normal
  • Target version changed from 5.0.3 to TBD
Actions
Copy link
 #8

Updated by Andreas Herz about 2 years ago

  • Status changed from Feedback to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this issue is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs

Actions
Copy link
 #9

Updated by Victor Julien about 2 years ago

This was fixed in 5.0.7. See ticket #4485.

Actions
Copy link

Also available in: Atom PDF