Bug #4503

Buffer overflow in "by_rule" threshold context

Added by Mats Klepsland 5 months ago. Updated 5 months ago.

Status: Closed
Priority: Normal
Label: Needs backport to 5.0, Needs backport to 6.0

Description

Several servers running Suricata have been crashing occasionally. I managed to get a PCAP file reproducing the bug on the same server, but had a hard time reproducing on my test rig. It turned out that the ordering of rules mattered, so after trying for a while I got my test rig to segfault as well.

The bug is connected to using "by_rule" tracking in thresholds in signatures.

When a new signature with "by_rule" tracking is parsed, th_entry is resized to the signature number plus one using ThresholdHashRealloc(). This ensures that the "buffer" is large enough to hold state for every rule that uses "by_rule" tracking in the ruleset. The issue is that the rules are reordered after they are parsed, and then all the rules are looped over and assigned new signature numbers based on the new order! Because of this, a buffer overflow could occur if we are unlucky enough that a signature with "by_rule" tracking has been given a signature number greater than the size of th_entry after the reordering, and that this rule triggers.

I'm suggesting to fix this by allocating th_entry after all the signatures have been parsed and loaded to ensure that it is large enough to hold all the entries needed.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  0x000000000051b381 in ThresholdHandlePacket (p=p@entry=0x7fb0080f3960, lookup_tsh=0x51, new_tsh=new_tsh@entry=0x7fb016c316e0, td=td@entry=0x14adedf0, sid=9800979, gid=1, pa=0x7fb0080f3b18)
    at detect-engine-threshold.c:415
415                 if (TIMEVAL_DIFF_SEC(p->ts, lookup_tsh->tv1) < td->seconds) {
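
The sequencing problem the report describes, as an added toy model that is not Suricata code: a parse phase that grows the per-signum table only when a by_rule rule is seen, a reorder-and-renumber phase, and then the index check that ThresholdHandlePacket's th_entry[signum] access implicitly depends on (the frame above, with lookup_tsh=0x51, is what reading past that table looks like). The names Sig, ThCtx, th_realloc, parse_sigs, reorder_and_renumber, th_alloc_after_load and count_out_of_range are hypothetical stand-ins for the engine's own structures and for ThresholdHashRealloc(); the reversal is an arbitrary stand-in for the engine's real sort; the five-rule set is constructed. The second path applies the fix the reporter proposes, sizing the table once after load and renumbering.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the engine's rule and threshold-context structs. */
typedef struct Sig {
    unsigned sid;     /* from the rule text, stable across reordering */
    unsigned signum;  /* internal index handed out by the engine; indexes th_entry */
    int by_rule;      /* 1 if the rule carries "threshold ... track by_rule" */
} Sig;
typedef struct ThCtx {
    void  **th_entry; /* one slot per signum holding by_rule state */
    size_t  th_size;  /* slots currently allocated */
} ThCtx;

/* Stand-in for ThresholdHashRealloc(): grow th_entry to signum + 1 slots. */
static int th_realloc(ThCtx *ctx, unsigned signum)
{
    size_t want = (size_t)signum + 1;
    if (want <= ctx->th_size) return 0;
    void **p = realloc(ctx->th_entry, want * sizeof *p);
    if (p == NULL) return -1;
    memset(p + ctx->th_size, 0, (want - ctx->th_size) * sizeof *p);
    ctx->th_entry = p;
    ctx->th_size = want;
    return 0;
}

/* Parse phase as the report describes it: signums are handed out in file
 * order and th_entry is grown during parsing, only when a by_rule rule is seen. */
static void parse_sigs(ThCtx *ctx, Sig *sigs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        sigs[i].signum = (unsigned)i;
        if (sigs[i].by_rule)
            th_realloc(ctx, sigs[i].signum);
    }
}

/* Post-parse reordering followed by renumbering. Reversal is an arbitrary stand-in
 * for the real sort; any order moving a by_rule rule past the largest parse-time signum exposes it. */
static void reorder_and_renumber(Sig *sigs, size_t n)
{
    for (size_t i = 0; i < n / 2; i++) {
        Sig t = sigs[i];
        sigs[i] = sigs[n - 1 - i];
        sigs[n - 1 - i] = t;
    }
    for (size_t i = 0; i < n; i++)
        sigs[i].signum = (unsigned)i;
}

/* The fix the report proposes: size th_entry once, after load and renumbering. */
static int th_alloc_after_load(ThCtx *ctx, size_t n)
{
    free(ctx->th_entry);
    ctx->th_entry = calloc(n, sizeof *ctx->th_entry);
    ctx->th_size = ctx->th_entry ? n : 0;
    return ctx->th_entry ? 0 : -1;
}

/* Counts by_rule rules whose th_entry[signum] access would land past the allocation
 * (the crash site). Checking instead of dereferencing keeps the model free of UB. */
static int count_out_of_range(const ThCtx *ctx, const Sig *sigs, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (sigs[i].by_rule && sigs[i].signum >= ctx->th_size)
            bad++;
    return bad;
}

/* Constructed ruleset: the two by_rule rules come first in the file. */
static const Sig RULESET[] = {
    { 1000001, 0, 1 }, { 1000002, 0, 1 },
    { 1000003, 0, 0 }, { 1000004, 0, 0 }, { 1000005, 0, 0 },
};
#define NRULES (sizeof RULESET / sizeof RULESET[0])

/* parse -> reorder -> optional post-load sizing; returns how many by_rule rules would index past th_entry. */
int overflowing_by_rule_sigs(int size_after_load)
{
    Sig sigs[NRULES];
    ThCtx ctx = { NULL, 0 };
    memcpy(sigs, RULESET, sizeof sigs);
    parse_sigs(&ctx, sigs, NRULES);      /* th_size becomes 2 (signums 0, 1) */
    reorder_and_renumber(sigs, NRULES);  /* by_rule rules now carry signums 3, 4 */
    if (size_after_load)
        th_alloc_after_load(&ctx, NRULES);  /* th_size becomes 5 */
    int bad = count_out_of_range(&ctx, sigs, NRULES);
    free(ctx.th_entry);
    return bad;
}

int main(void)
{
    printf("parse-time sizing: %d by_rule rule(s) index past th_entry\n", overflowing_by_rule_sigs(0));
    printf("post-load sizing:  %d by_rule rule(s) index past th_entry\n", overflowing_by_rule_sigs(1));
    return 0;
}
```

With parse-time sizing the model reports two by_rule rules whose renumbered signum lies beyond the two-slot table; with post-load sizing it reports none. The same check, applied to the real signum and th_entry size just before the lookup, is the cheap assertion a maintainer can add to catch any future ordering change that reintroduces the mismatch.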

Related issues

Has duplicate: Bug #4514: Suricata 6.0.2 segfault (Closed)
Copied to: Bug #4518: Buffer overflow in "by_rule" threshold context (Closed, Shivani Bhardwaj)
Copied to: Bug #4519: Buffer overflow in "by_rule" threshold context (Rejected, Jeff Lucovsky)