Bug #3490

closed

Segfault when facing malformed SNMP rules

Added by Sascha Steinbiss almost 3 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label: Needs backport

Description

In the current 6.0.0 master, Suricata segfaults during rule parsing when facing invalid SNMP rules, e.g.:

alert snmp any any -> any any (msg:"SNMP test1"; snmp.version; sid:1000003;)
alert snmp any any -> any any (msg:"SNMP test2"; snmp.pdu_type; sid:1000007;)

leads to:

[10855] 20/2/2020 -- 10:53:13 - (suricata.c:1068) <Notice> (LogVersion) -- This is Suricata version 6.0.0-dev (73bd9e25f 2020-02-19) running in USER mode
[10855] 20/2/2020 -- 10:53:13 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 8
[10855] 20/2/2020 -- 10:53:13 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[10855] 20/2/2020 -- 10:53:13 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[10855] 20/2/2020 -- 10:53:13 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[10855] 20/2/2020 -- 10:53:13 - (util-classification-config.c:365) <Info> (SCClassConfParseFile) -- Added "43" classification types from the classification file
[10855] 20/2/2020 -- 10:53:13 - (util-reference-config.c:340) <Info> (SCRConfParseFile) -- Added "19" reference types from the reference.config file
zsh: segmentation fault (core dumped)

I have a patch available and can provide a PR soon.
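
A pre-load check for the failure described in this report, as an added example that is not part of the original issue or of Suricata's code: it flags rules that use snmp.version or snmp.pdu_type without a value so they can be caught before an affected build parses them. The option splitter is a simplification of Suricata's rule syntax, and VALUE_REQUIRED, SAMPLE and the function names are assumptions of this example.

```python
import re

# Keywords the report shows being used without a value. Assumption: extend
# this set with other keywords you know require an argument.
VALUE_REQUIRED = {"snmp.version", "snmp.pdu_type"}

# First two rules are from the report; the third is constructed to show a
# valid use and a keyword name appearing inside a quoted msg.
SAMPLE = r'''alert snmp any any -> any any (msg:"SNMP test1"; snmp.version; sid:1000003;)
alert snmp any any -> any any (msg:"SNMP test2"; snmp.pdu_type; sid:1000007;)
alert snmp any any -> any any (msg:"snmp.version\; ok"; snmp.version:2; sid:1;)
'''

def split_options(body):
    """Split an option body on ';', honouring quotes and backslash escapes."""
    opts, cur, quoted, escaped = [], "", False, False
    for ch in body:
        if ch == ";" and not quoted and not escaped:
            opts.append(cur.strip())
            cur = ""
            continue
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = (ch == "\\" and not escaped)
        cur += ch
    opts.append(cur.strip())
    return [o for o in opts if o]

def find_valueless(rules_text):
    """Return (line number, sid, keyword) for each bare value-requiring keyword."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        m = None if line.startswith("#") else re.match(r"[^(]*\((.*)\)$", line)
        if not m:
            continue  # blank, comment, or not a single-line rule
        opts = [o.partition(":") for o in split_options(m.group(1))]
        sid = next((v.strip() for k, _, v in opts if k.strip() == "sid"), None)
        for key, _, value in opts:
            if key.strip() in VALUE_REQUIRED and not value.strip():
                findings.append((lineno, sid, key.strip()))
    return findings

if __name__ == "__main__":
    for lineno, sid, key in find_valueless(SAMPLE):
        print(f"line {lineno}: sid {sid}: '{key}' has no value")
```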


Related issues 2 (0 open, 2 closed)

Related to Bug #3489: rule parsing: memory leaks (Closed, Jeff Lucovsky)
Copied to Bug #3576: Segfault when facing malformed SNMP rules (Closed, Jeff Lucovsky)
Actions #1

Updated by Victor Julien almost 3 years ago

  • Related to Bug #3489: rule parsing: memory leaks added
Actions #2

Updated by Victor Julien almost 3 years ago

I think the crash I attached to #3489 might be related.

Actions #3

Updated by Victor Julien almost 3 years ago

  • Status changed from New to Assigned
  • Assignee set to Sascha Steinbiss
  • Target version set to 6.0.0beta1
  • Label Needs backport added
Actions #4

Updated by Sascha Steinbiss almost 3 years ago

Would it be sufficient to simply file additional PRs against the 5.x and 4.x branches once the current one has been reviewed?

Actions #5

Updated by Jeff Lucovsky almost 3 years ago

  • Status changed from Assigned to In Review
Actions #6

Updated by Jeff Lucovsky almost 3 years ago

This was somewhat related to #3489 so I proceeded with a suricata-verify PR (https://github.com/OISF/suricata-verify/pull/182) and suricata pr (above).

Actions #7

Updated by Sascha Steinbiss almost 3 years ago

Jeff Lucovsky wrote in #note-6:

This was somewhat related to #3489 so I proceeded with a suricata-verify PR (https://github.com/OISF/suricata-verify/pull/182) and suricata pr (above).

Thanks! FYI I also submitted a fix PR that would address this with an error message consistent with other similar keywords (nfs.version, nfs.procedure, dsize, ...) as https://github.com/OISF/suricata/pull/4580.

Actions #8

Updated by Victor Julien over 2 years ago

  • Status changed from In Review to Closed
Actions #10

Updated by Jeff Lucovsky over 2 years ago

  • Copied to Bug #3576: Segfault when facing malformed SNMP rules added