Bug #3490
closedSegfault when facing malformed SNMP rules
Description
In the current 6.0.0 master, Suricata segfaults during rule parsing when facing invalid SNMP rules, e.g.:
alert snmp any any -> any any (msg:"SNMP test1"; snmp.version; sid:1000003;) alert snmp any any -> any any (msg:"SNMP test2"; snmp.pdu_type; sid:1000007;)
leads to:
[10855] 20/2/2020 -- 10:53:13 - (suricata.c:1068) <Notice> (LogVersion) -- This is Suricata version 6.0.0-dev (73bd9e25f 2020-02-19) running in USER mode [10855] 20/2/2020 -- 10:53:13 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 8 [10855] 20/2/2020 -- 10:53:13 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log [10855] 20/2/2020 -- 10:53:13 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json [10855] 20/2/2020 -- 10:53:13 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log [10855] 20/2/2020 -- 10:53:13 - (util-classification-config.c:365) <Info> (SCClassConfParseFile) -- Added "43" classification types from the classification file [10855] 20/2/2020 -- 10:53:13 - (util-reference-config.c:340) <Info> (SCRConfParseFile) -- Added "19" reference types from the reference.config file zsh: segmentation fault (core dumped)
I have a patch available and can provide a PR soon.
Updated by Victor Julien almost 5 years ago
- Related to Bug #3489: rule parsing: memory leaks added
Updated by Victor Julien almost 5 years ago
I think the crash I attached to #3489 might be related.
Updated by Victor Julien almost 5 years ago
- Status changed from New to Assigned
- Assignee set to Sascha Steinbiss
- Target version set to 6.0.0beta1
- Label Needs backport added
Updated by Sascha Steinbiss almost 5 years ago
Would it be sufficient to simply file additional PRs against the 5.x and 4.x branches once the current one has been reviewed?
Updated by Jeff Lucovsky almost 5 years ago
- Status changed from Assigned to In Review
Updated by Jeff Lucovsky almost 5 years ago
This was somewhat related to #3489 so I proceeded with a suricata-verify PR (https://github.com/OISF/suricata-verify/pull/182) and suricata pr (above).
Updated by Sascha Steinbiss almost 5 years ago
Jeff Lucovsky wrote in #note-6:
This was somewhat related to #3489 so I proceeded with a suricata-verify PR (https://github.com/OISF/suricata-verify/pull/182) and suricata pr (above).
Thanks! FYI I also submitted a fix PR that would address this with an error message consistent with other similar keywords (nfs.version, nfs.procedure, dsize, ...) as https://github.com/OISF/suricata/pull/4580.
Updated by Victor Julien almost 5 years ago
- Status changed from In Review to Closed
Updated by Jeff Lucovsky over 4 years ago
- Copied to Bug #3576: Segfault when facing malformed SNMP rules added