Project

General

Profile

Actions

Security #4485

closed

heap-buffer-overflow WRITE in InspectionBufferSetup with use of InspectionBufferGetMulti

Added by Jeff Lucovsky about 1 year ago. Updated 11 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Label:
CVE:
Git IDs:

3b1a29e4ba2793e39d72c7dac03e8d82ee6e0138

Severity:
MODERATE

Description

Coming from https://github.com/OISF/suricata/pull/5622#discussion_r626686822

Reproducer is
./src/suricata -r mqtt_too_many_topics.pcap -S mqtt.rules -c suricata.yaml -k none -l log
with suricata.yaml enabling mqtt (--set app-layer.protocols.mqtt.enabled=yes)
with mqtt.rules being alert mqtt any any -> any any (msg:"MQTT SUBSCRIBE topicY"; mqtt.subscribe.topic; content:"topicY"; sid:15;)

Stack trace is

==60789==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6150000216f0 at pc 0x0001024672b9 bp 0x700007c2a550 sp 0x700007c2a548
WRITE of size 4 at 0x6150000216f0 thread T2
    #0 0x1024672b8 in InspectionBufferSetup detect-engine.c:1068
    #1 0x1024fed37 in MQTTSubscribeTopicGetData detect-mqtt-subscribe-topic.c:86
    #2 0x1024fe98c in PrefilterTxMQTTSubscribeTopic detect-mqtt-subscribe-topic.c:158
    #3 0x102495e95 in DetectRunPrefilterTx detect-engine-prefilter.c:117
    #4 0x102424da5 in DetectRunTx detect.c:1327
    #5 0x1024229ff in DetectRun detect.c:136
    #6 0x102421d72 in Detect detect.c:1666
    #7 0x10256acdd in FlowWorker flow-worker.c:540
    #8 0x10265987d in TmThreadsSlotVarRun tm-threads.c:117
    #9 0x102661882 in TmThreadsSlotVar tm-threads.c:452
    #10 0x7fff5e67b660 in _pthread_body (libsystem_pthread.dylib:x86_64+0x3660)
    #11 0x7fff5e67b50c in _pthread_start (libsystem_pthread.dylib:x86_64+0x350c)
    #12 0x7fff5e67abf8 in thread_start (libsystem_pthread.dylib:x86_64+0x2bf8)

0x6150000216f0 is located 0 bytes to the right of 496-byte region [0x615000021500,0x6150000216f0)
allocated by thread T2 here:
    #0 0x103a70497 in wrap_calloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57497)
    #1 0x1026a07ae in SCCallocFunc util-mem.c:57
    #2 0x10246a636 in ThreadCtxDoInit detect-engine.c:2696
    #3 0x102469f0e in DetectEngineThreadCtxInit detect-engine.c:2770
    #4 0x10256a58d in FlowWorkerThreadInit flow-worker.c:273
    #5 0x1026614f7 in TmThreadsSlotVar tm-threads.c:394
    #6 0x7fff5e67b660 in _pthread_body (libsystem_pthread.dylib:x86_64+0x3660)
    #7 0x7fff5e67b50c in _pthread_start (libsystem_pthread.dylib:x86_64+0x350c)
    #8 0x7fff5e67abf8 in thread_start (libsystem_pthread.dylib:x86_64+0x2bf8)


Files

mqtt_too_many_topics.pcap (258 KB) mqtt_too_many_topics.pcap Philippe Antoine, 05/06/2021 07:02 AM

Subtasks 1 (0 open1 closed)

Security #4486: Infinite loops in when using InspectionBufferMultipleForListClosedJeff LucovskyActions

Related issues

Copied from Bug #4476: heap-buffer-overflow WRITE in InspectionBufferSetup with use of InspectionBufferGetMulti ClosedPhilippe AntoineActions
Actions #1

Updated by Jeff Lucovsky about 1 year ago

  • Copied from Bug #4476: heap-buffer-overflow WRITE in InspectionBufferSetup with use of InspectionBufferGetMulti added
Actions #3

Updated by Jeff Lucovsky about 1 year ago

  • Status changed from In Progress to In Review
Actions #4

Updated by Victor Julien about 1 year ago

  • Tracker changed from Bug to Security
  • Severity set to MODERATE
Actions #5

Updated by Victor Julien 12 months ago

  • Status changed from In Review to Closed
  • Affected Versions 5.0.6 added
  • Affected Versions deleted (6.0.2)
Actions #6

Updated by Victor Julien 12 months ago

  • Git IDs updated (diff)
Actions #7

Updated by Victor Julien 11 months ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF