Project

General

Profile

Actions

Bug #3994

closed

SIGABRT TCPProtoDetectCheckBailConditions

Added by Peter Manev almost 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Full core information available privately.
See attached detailed info.

suricata --build-info
This is Suricata version 6.0.0-dev (518e0e66c 2020-09-28)
Features: DEBUG_VALIDATION PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST 
SIMD support: SSE_4_2 SSE_4_1 SSE_3 
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.2.1 Compatible Clang 7.0.1 (tags/RELEASE_701/final), C version 201112
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.34, linked against LibHTP v0.5.34

Suricata Configuration:
  AF_PACKET support:                       yes
  eBPF support:                            yes
  XDP support:                             yes
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no 
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes, through luajit
  libluajit:                               yes
  GeoIP2 support:                          yes
  Non-bundled htp:                         no
  Old barnyard2 support:                   
  Hyperscan support:                       yes
  Libnet support:                          yes
  liblz4 support:                          yes

  Rust support:                            yes
  Rust strict mode:                        yes
  Rust compiler path:                      /root/.cargo/bin/rustc
  Rust compiler version:                   rustc 1.46.0 (04488afe3 2020-08-24)
  Cargo path:                              /root/.cargo/bin/cargo
  Cargo version:                           cargo 1.46.0 (149022b1d 2020-07-17)
  Cargo vendor:                            yes

  Python support:                          yes
  Python path:                             /usr/bin/python3
  Python distutils                         yes
  Python yaml                              yes
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 not bundled

  Profiling enabled:                       no
  Profiling locks enabled:                 no

  Plugin support (experimental):           yes

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                yes

Generic build parameters:
  Installation prefix:                     /usr/local
  Configuration directory:                 /usr/local/etc/suricata/
  Log directory:                           /usr/local/var/log/suricata/

  --prefix                                 /usr/local
  --sysconfdir                             /usr/local/etc
  --localstatedir                          /usr/local/var
  --datarootdir                            /usr/local/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                clang (exec name) / g++ (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -ggdb3 -O0  -Wchar-subscripts -Wshadow -Wall -Wextra -Wno-unused-parameter -Wno-unused-function -fno-strict-aliasing -fstack-protector-all -fsanitize=address -fno-omit-frame-pointer -Wno-unused-parameter -Wno-unused-function -std=c11 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
  PCAP_CFLAGS                               -I/usr/include
  SECCFLAGS      

Files

3994 (60 KB) 3994 Peter Manev, 10/03/2020 04:13 PM
Actions #1

Updated by Peter Manev almost 2 years ago

Actions #2

Updated by Peter Manev almost 2 years ago

Occurs specifically in http traffic.

Actions #3

Updated by Victor Julien almost 2 years ago

  • Status changed from New to Feedback
  • Assignee set to Philippe Antoine

I think we've also seen this in fuzzing, so that could be a starting point. Philippe do we have an oss-fuzz case for this?

Actions #4

Updated by Philippe Antoine almost 2 years ago

  • Target version set to 6.0.1
Actions #5

Updated by Philippe Antoine almost 2 years ago

  • Status changed from Feedback to In Review
Actions #6

Updated by Philippe Antoine almost 2 years ago

No oss-fuzz case for this as far as I know

But there is a known bug which just looks like this :
TCPProtoDetectCheckBailConditions somehow relies on its TCP stream to start from zero, which is not the case on protocol change
Now that we keep retrying protocol detection during protocol change on more than one packet, we need to handle this case

Actions #7

Updated by Philippe Antoine almost 2 years ago

  • Status changed from In Review to Closed
Actions #8

Updated by Jeff Lucovsky almost 2 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF