Project

General

Profile

Actions

Bug #41

closed

Processing the attached pcap causes the engine to segv inside of AppLayerHandleMsg

Added by Will Metcalf about 14 years ago. Updated about 14 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

ulimit -c unlimited; src/suricata -c ../suricata117.yaml -l ./ -r defconsegv-fuzz-2009-12-31-10-50-2337-58989-stream0-2.pcap
TmqDebugList: id 0, name 'pickup-queue', len 41
TmqDebugList: id 1, name 'decode-queue1', len 9
TmqDebugList: id 2, name 'stream-queue1', len 0
TmqDebugList: id 3, name 'alert-queue1', len 0
TmqDebugList: id 4, name 'alert-queue2', len 0
TmqDebugList: id 5, name 'alert-queue3', len 0
TmqDebugList: id 6, name 'alert-queue4', len 0
Segmentation fault (core dumped)

gdb src/suricata core
GNU gdb (GDB) 7.0-ubuntu
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/&gt;...
Reading symbols from /home/coz/downloads/suricatafuzz1/src/suricata...done.
[New Thread 22042]
[New Thread 22038]
[New Thread 22039]
[New Thread 22037]
[New Thread 22041]
[New Thread 22049]
[New Thread 22048]
[New Thread 22044]
[New Thread 22043]
[New Thread 22047]
[New Thread 22045]
[New Thread 22046]

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libhtp-0.1.so.1...done.
Loaded symbols for /usr/lib/libhtp-0.1.so.1
Reading symbols from /usr/lib/libpcap.so.0.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpcap.so.0.8
Reading symbols from /usr/local/lib/libpfring.so...done.
Loaded symbols for /usr/local/lib/libpfring.so
Reading symbols from /usr/lib/libnet.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libnet.so.1
Reading symbols from /usr/lib/libnetfilter_queue.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libnetfilter_queue.so.1
Reading symbols from /usr/lib/libnfnetlink.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libnfnetlink.so.0
Reading symbols from /lib/libpthread.so.0...Reading symbols from /usr/lib/debug/lib/libpthread-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/libyaml-0.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libyaml-0.so.1
Reading symbols from /lib/libpcre.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib/libpcre.so.3
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Core was generated by `src/suricata c ../suricata117.yaml -l ./ -r defconsegv-fuzz-2009-12-31-10-50-2'.
Program terminated with signal 11, Segmentation fault.
#0 0x000000000048f8de in AppLayerHandleMsg (smsg=0x7fdbccd4d940, need_lock=0 '\000') at app-layer-detect-proto.c:330
330 TcpSession *ssn = smsg
>flow->protoctx;
(gdb) bt full
#0 0x000000000048f8de in AppLayerHandleMsg (smsg=0x7fdbccd4d940, need_lock=0 '\000') at app-layer-detect-proto.c:330
alproto = 0
r = 0
ssn = 0x7fdbccd017f0
#1 0x0000000000484b34 in StreamTcpReassembleProcessAppLayer (ra_ctx=0x13b8ad0) at stream-tcp-reassemble.c:1485
smsg = 0x7fdbccd4d940
r = 0
#2 0x00000000004804d3 in StreamTcpPacket (tv=0x108db80, p=0xb26460, stt=0x13b9d50) at stream-tcp.c:2304
ssn = 0x7fdbccd017f0
#3 0x000000000048056d in StreamTcp (tv=0x108db80, p=0xb26460, data=0x13b9d50, pq=0x108dec0) at stream-tcp.c:2322
stt = 0x13b9d50
ret = TM_ECODE_OK
#4 0x00000000004724cb in TmThreadsSlot1 (td=0x108db80) at tm-threads.c:325
tv = 0x108db80
s = 0x108de90
p = 0xb26460
run = 1 '\001'
r = TM_ECODE_OK
#5 0x00007fdbdbba0a04 in start_thread (arg=<value optimized out>) at pthread_create.c:300
__res = <value optimized out>
pd = 0x7fdbd9ec1910
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140582230694160, -1901112266662846520, 140735308340576, 0, 0, 3, 1885415804905480136, 1885410667850653640}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <value optimized out>
robust = <value optimized out>
#6 0x00007fdbdb4bb7bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#7 0x0000000000000000 in ?? ()
No symbol table info available.


Files

defconsegv-fuzz-2009-12-31-10-50-2337-58989-stream0-2.pcap (12.8 KB) defconsegv-fuzz-2009-12-31-10-50-2337-58989-stream0-2.pcap fuzzed defcon 17 ctf traffic that causes segv inside of ApplyaerHandleMsg Will Metcalf, 01/03/2010 02:28 PM
0002-bug-41-patch.patch (1.24 KB) 0002-bug-41-patch.patch Gurvinder Singh, 01/03/2010 07:47 PM
Actions #1

Updated by Will Metcalf about 14 years ago

I waited to file this bug in hopes that this would be fixed along with the existing issue causing an abort() in the stream handler however after applying Gurvinder's latest patch the issue still exists.

Actions #2

Updated by Gurvinder Singh about 14 years ago

The current segv was due to wrong packet length at seg start at same case in stream reassembly. The current patch has fixed the isssue.
Will this is incremental patch to the my last stream patch.

Actions #3

Updated by Victor Julien about 14 years ago

Patches applied, thanks Gurvinder!

Actions #4

Updated by Victor Julien about 14 years ago

  • Status changed from Assigned to Closed
Actions

Also available in: Atom PDF