Bug #4120 (Closed)
http2: null ptr deref in http2 alert metadata
Description
Thread 7 "W#05" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffef120700 (LWP 2367911)]
alloc::raw_vec::RawVec<T,A>::ptr (self=0x20) at /home/victor/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/raw_vec.rs:221
221 self.ptr.as_ptr()
(gdb) bt
#0 alloc::raw_vec::RawVec<T,A>::ptr (self=0x20) at /home/victor/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/raw_vec.rs:221
#1 0x0000000001e6b6ef in alloc::vec::Vec<T>::as_ptr (self=0x20) at /home/victor/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/vec.rs:814
#2 0x0000000001e71fe4 in <alloc::vec::Vec<T> as core::ops::deref::Deref>::deref (self=0x20) at /home/victor/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/vec.rs:1950
#3 0x0000000001e760ef in <&alloc::vec::Vec<T> as core::iter::traits::collect::IntoIterator>::into_iter (self=0x20) at /home/victor/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/vec.rs:2070
#4 0x0000000001b695f4 in suricata::http2::logger::log_headers (frames=0x20, js=0x606000029960, common=0x7fffef11d4a0) at /home/victor/devel/eidps/rust/src/http2/logger.rs:85
#5 0x0000000001b75e44 in suricata::http2::logger::log_http2 (tx=0x0, js=0x606000029960) at /home/victor/devel/eidps/rust/src/http2/logger.rs:204
#6 0x0000000001b77487 in suricata::http2::logger::rs_http2_log_json (tx=0x0, js=0x606000029960) at /home/victor/devel/eidps/rust/src/http2/logger.rs:273
#7 0x00000000015a7022 in AlertJsonHttp2 (f=0x6120003b3740, tx_id=0, js=0x606000029960) at output-json-alert.c:173
#8 0x00000000015a550d in AlertAddAppLayer (p=0x61e000315080, jb=0x606000029960, tx_id=0, option_flags=304) at output-json-alert.c:526
#9 0x00000000015a2d6f in AlertJson (tv=0x6120003be840, aft=0x603000109120, p=0x61e000315080) at output-json-alert.c:636
#10 0x00000000015a0a1c in JsonAlertLogger (tv=0x6120003be840, thread_data=0x603000109120, p=0x61e000315080) at output-json-alert.c:767
#11 0x00000000016117e9 in OutputPacketLog (tv=0x6120003be840, p=0x61e000315080, thread_data=0x6020000154f0) at output-packet.c:116
#12 0x00000000015916ee in OutputLoggerLog (tv=0x6120003be840, p=0x61e000315080, thread_data=0x6020000154d0) at output.c:882
#13 0x0000000001534bec in FlowWorker (tv=0x6120003be840, p=0x61e000315080, data=0x60d00004fff0) at flow-worker.c:545
#14 0x00000000018aa3b2 in TmThreadsSlotVarRun (tv=0x6120003be840, p=0x61e000315080, slot=0x606000016b80) at tm-threads.c:117
#15 0x00000000018b6f5d in TmThreadsSlotVar (td=0x6120003be840) at tm-threads.c:452
#16 0x00007ffff7d0c609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#17 0x00007ffff7890293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
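The backtrace shows the C alert logger (AlertJsonHttp2, frame #7) handing a null transaction pointer (tx=0x0, frames #5 and #6) into the Rust HTTP/2 logger, which then reads a Vec through it (frames=0x20 with tx=0x0 is consistent with a field at offset 0x20 of the null transaction). The following is an added example, not Suricata's code, of the kind of guard at the FFI boundary that turns such a call into a harmless no-op; Http2Tx, JsonBuilder and http2_log_json_checked are hypothetical stand-ins for the real transaction, JSON builder and rs_http2_log_json entry point.

```rust
// Added example (not Suricata's own code): a guarded FFI-style entry point
// that refuses a null transaction pointer instead of dereferencing it.
use std::os::raw::c_void;

/// Hypothetical stand-in for an HTTP/2 transaction as the logger sees it.
pub struct Http2Tx {
    /// Header-frame summaries to log (constructed sample data).
    pub frames: Vec<String>,
}

/// Hypothetical stand-in for the JSON builder; collects the logged strings.
#[derive(Default)]
pub struct JsonBuilder {
    pub out: Vec<String>,
}

/// Guarded logging entry point. A C caller may pass a null `tx` (as in the
/// crash above, where tx=0x0 reached the Rust side); instead of casting it
/// to a reference and reading `frames`, we return false and log nothing.
///
/// # Safety
/// If non-null, `tx` must point to a live `Http2Tx` and `js` to a live
/// `JsonBuilder` for the duration of the call.
pub unsafe fn http2_log_json_checked(tx: *const c_void, js: *mut JsonBuilder) -> bool {
    // The check the crashing path lacked: never dereference a null pointer
    // handed across the FFI boundary.
    if tx.is_null() || js.is_null() {
        return false;
    }
    let tx = &*(tx as *const Http2Tx);
    let js = &mut *js;
    // Equivalent of the frame-iteration that faulted at logger.rs:85.
    for frame in &tx.frames {
        js.out.push(frame.clone());
    }
    true
}

fn main() {
    // Constructed sample transaction with two header frames.
    let tx = Http2Tx {
        frames: vec!["HEADERS :method=GET".to_string(), "HEADERS :path=/".to_string()],
    };
    let mut js = JsonBuilder::default();

    // Valid pointer: frames are logged.
    let ok = unsafe { http2_log_json_checked(&tx as *const Http2Tx as *const c_void, &mut js) };
    println!("valid tx -> {} ({} frames logged)", ok, js.out.len());

    // Null pointer: rejected without touching memory.
    let mut js2 = JsonBuilder::default();
    let ok = unsafe { http2_log_json_checked(std::ptr::null(), &mut js2) };
    println!("null tx  -> {} ({} frames logged)", ok, js2.out.len());
}
```

The same check can equally live on the C side before the call into Rust; having it on the Rust entry point means every caller benefits, which matters when the entry point is reached from several loggers.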
Updated by Victor Julien about 4 years ago
- Status changed from Assigned to In Review
Updated by Philippe Antoine about 4 years ago
Now found by oss-fuzz as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27994
Updated by Victor Julien about 4 years ago
- Status changed from In Review to Closed