Bug #53

closed

Processing the attached pcap causes abort in Defrag4Reassemble.

Added by Will Metcalf over 14 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

src/suricata c suricata.yaml -r ./dc17ctf-fuzz-defrag-abort.pcap -l ./
...
TmqDebugList: id 1, name 'decode-queue1', len 13
TmqDebugList: id 2, name 'stream-queue1', len 1
TmqDebugList: id 3, name 'alert-queue1', len 0
TmqDebugList: id 0, name 'pickup-queue', len 14
TmqDebugList: id 1, name 'decode-queue1', len 35
TmqDebugList: id 2, name 'stream-queue1', len 0
TmqDebugList: id 3, name 'alert-queue1', len 0
suricata: defrag.c:757: Defrag4Reassemble: Assertion `!(rp->ip4h == ((void *)0))' failed.
Aborted (core dumped)
coz@coz-desktop:~/downloads/suricatafuzz1$ gdb src/suricata core
GNU gdb (GDB) 7.0-ubuntu
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/coz/downloads/suricatafuzz1/src/suricata...done.
[New Thread 8635]
[New Thread 8630]
[New Thread 8634]
[New Thread 8633]
[New Thread 8639]
[New Thread 8631]
[New Thread 8637]
[New Thread 8636]
[New Thread 8638]

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libhtp-0.1.so.1...done.
Loaded symbols for /usr/lib/libhtp-0.1.so.1
Reading symbols from /usr/lib/libpcap.so.0.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpcap.so.0.8
Reading symbols from /usr/local/lib/libpfring.so...done.
Loaded symbols for /usr/local/lib/libpfring.so
Reading symbols from /usr/lib/libnet.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libnet.so.1
Reading symbols from /lib/libpthread.so.0...Reading symbols from /usr/lib/debug/lib/libpthread-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/libyaml-0.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libyaml-0.so.1
Reading symbols from /lib/libpcre.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib/libpcre.so.3
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Core was generated by `src/suricata c suricata.yaml -r ./dc17ctf-fuzz-defrag-abort.pcap -l ./'.
Program terminated with signal 6, Aborted.
#0 0x00007f5a9f07b4b5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) bt full
#0 0x00007f5a9f07b4b5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
pid = <value optimized out>
selftid = <value optimized out>
#1 0x00007f5a9f07ef50 in *__GI_abort () at abort.c:92
act = {__sigaction_handler = {sa_handler = 0x47dc03, sa_sigaction = 0x47dc03}, sa_mask = {__val = {140027192924232, 140027177916832, 757, 140027177917072, 140027192072646, 206158430232, 140027177917088, 140027177916864,
140027191983528, 206158430256, 140027177917112, 140027112285680, 140027073921056, 117, 4709379, 140735935354375}}, sa_flags = -1625835277, sa_restorer = 0x47dbdb}
sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007f5a9f074481 in *__GI___assert_fail (assertion=0x47dc03 "!(rp->ip4h == ((void *)0))", file=<value optimized out>, line=757, function=0x47df70 "Defrag4Reassemble") at assert.c:81
buf = 0x7f5a9a4965f0 "suricata: defrag.c:757: Defrag4Reassemble: Assertion `!(rp->ip4h == ((void *)0))' failed.\n"
#3 0x000000000046f840 in Defrag4Reassemble (tv=<value optimized out>, dc=0x7f5a994fee60, p=<value optimized out>) at defrag.c:757
fragmentable_offset = <value optimized out>
frag = 0x0
pktlen = 0
len = <value optimized out>
payload_len = 0
hlen = 0
old = <value optimized out>
#4 Defrag (tv=<value optimized out>, dc=0x7f5a994fee60, p=<value optimized out>) at defrag.c:1035
rp = 0x7f5a9a47fbf0
frag_offset = <value optimized out>
more_frags = <value optimized out>
tracker = 0x7f5a9a17e270
lookup = {dc = 0x0, policy = 0 '\000', timeout = {tv_sec = 140027212872088, tv_usec = 0}, family = 2 '\002', id = 49494, src_addr = {family = 2 '\002', address = {address_un_data32 = {2936217354, 0, 0, 0}, address_un_data16 = {
7946, 44803, 0, 0, 0, 0, 0, 0}, address_un_data8 = "\n\037\003\257", '\000' <repeats 11 times>}}, dst_addr = {family = 2 '\002', address = {address_un_data32 = {34217738, 0, 0, 0}, address_un_data16 = {7946, 522, 0, 0,
0, 0, 0, 0}, address_un_data8 = "\n\037\n\002", '\000' <repeats 11 times>}}, seen_last = 80 'P', lock = {
__data = {__lock = 4252716, __count = 0, __owner = 35706704, __nusers = 0, __kind = -1629996992, __spins = 32602, __list = {__prev = 0x7f5a9ed83848, __next = 0x20b7640}}, __size = ",\344@\000\000\000\000\000P\327 \002\000\000\000\000@8؞Z\177\000\000H8؞Z\177\000\000@v\v\002\000\000\000", __align = 4252716}, frags = {
tqh_first = 0x220d750, tqh_last = 0x40e3ab}}
id = <value optimized out>
af = <value optimized out>
#5 0x0000000000409af8 in DecodeIPV4 (tv=0x245a080, dtv=0x2672280, p=0x20ce040, pkt=0x20ce0c6 "]", len=<value optimized out>, pq=<value optimized out>) at decode-ipv4.c:616
rp = <value optimized out>
#6 0x0000000000407f85 in DecodePcapFile (tv=0x245a080, p=0x20ce040, data=0x2672280, pq=0x245a180) at source-pcap-file.c:183
No locals.
#7 0x000000000044f6d6 in TmThreadsSlot1 (td=<value optimized out>) at tm-threads.c:325
tv = 0x245a080
s = 0x245a150
p = 0x20ce040
r = <value optimized out>
#8 0x00007f5a9f80ca04 in start_thread (arg=<value optimized out>) at pthread_create.c:300
__res = <value optimized out>
pd = 0x7f5a9e32e910
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140027177920784, -6772865416288676928, 140735935348992, 0, 0, 3, 6680191387519275968, 6680190406929535936}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <value optimized out>
robust = <value optimized out>
#9 0x00007f5a9f1277bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#10 0x0000000000000000 in ?? ()
No symbol table info available.
(gdb)


Files

dc17ctf-fuzz-defrag-abort.pcap (74 KB) - fuzzed dc17 traffic, abort inside of Defrag4Reassemble - Will Metcalf, 01/08/2010 04:32 PM
0001-don-t-create-a-new-tracker-when-frags-are-received-i.patch (6.26 KB) - fix for frags received in reverse order - Jason Ish, 01/11/2010 09:44 AM
0002-Do-not-seen_last-unless-the-packet-with-more_frags-0.patch (3.81 KB) - fix issue described in this bug - Jason Ish, 01/11/2010 09:44 AM
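The two patch titles above describe the invariant the fix restores: a tracker must mark itself complete (seen_last) only when a fragment with the MF flag clear has arrived, and it must not attempt reassembly while the byte range is still missing pieces, even when that last fragment shows up before the first one. The following is an added illustration of that invariant in a tiny stand-alone fragment tracker; it is not Suricata's code and not the contents of the attached patches. The type and function names (Tracker, TrackerAdd, TrackerReassemble, ReverseOrderScenario, MoreFragsNeverSetsSeenLast) and the payload bytes are constructed for the example. It handles any arrival order, not only the reverse order from this report.

```c
/* Added illustration, not Suricata's code: a minimal IPv4 fragment tracker that
 * sets seen_last only on a fragment with MF == 0 and reassembles only when the
 * whole range [0, total_len) is covered.  All names here are made up. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FRAGS    16
#define MAX_FRAG_LEN 256

typedef struct {
    uint16_t offset;             /* byte offset of this fragment's payload */
    uint16_t len;                /* payload length */
    bool more_frags;             /* IP header MF flag */
    uint8_t data[MAX_FRAG_LEN];
} Fragment;

typedef struct {
    Fragment frags[MAX_FRAGS];
    int nfrags;
    bool seen_last;              /* true only after a fragment with MF == 0 */
    uint16_t total_len;          /* offset + len of that last fragment */
} Tracker;

void TrackerInit(Tracker *t) { memset(t, 0, sizeof *t); }

/* Record a fragment in arrival order.  Returns false if it cannot be stored. */
bool TrackerAdd(Tracker *t, uint16_t offset, const uint8_t *data, uint16_t len, bool more_frags)
{
    if (t->nfrags >= MAX_FRAGS || len == 0 || len > MAX_FRAG_LEN)
        return false;
    Fragment *f = &t->frags[t->nfrags++];
    f->offset = offset;
    f->len = len;
    f->more_frags = more_frags;
    memcpy(f->data, data, len);
    if (!more_frags) {           /* only the MF == 0 fragment completes the tracker */
        t->seen_last = true;
        t->total_len = (uint16_t)(offset + len);
    }
    return true;
}

/* Copy the reassembled payload into out.  Returns true only when the last
 * fragment has been seen AND [0, total_len) has no holes; otherwise nothing
 * is produced and the caller must keep waiting for fragments. */
bool TrackerReassemble(const Tracker *t, uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (!t->seen_last || t->total_len > out_cap)
        return false;
    uint16_t next = 0;
    while (next < t->total_len) {
        const Fragment *cover = NULL;
        for (int i = 0; i < t->nfrags; i++) {
            const Fragment *f = &t->frags[i];
            if (f->offset <= next && (uint32_t)f->offset + f->len > next) {
                cover = f;       /* first-arrived fragment wins on overlap */
                break;
            }
        }
        if (cover == NULL)
            return false;        /* hole: reassembly is not possible yet */
        uint16_t skip = (uint16_t)(next - cover->offset);
        uint32_t n = cover->len - skip;
        if (next + n > t->total_len)
            n = t->total_len - next;   /* clamp bytes past the last fragment's end */
        memcpy(out + next, cover->data + skip, n);
        next = (uint16_t)(next + n);
    }
    *out_len = next;
    return true;
}

/* The order from this report: the MF == 0 fragment arrives before the first one.
 * Returns -1 if reassembly fired with a hole, -2 if it failed once complete,
 * -3 on corrupted output, otherwise the reassembled length (12 here). */
int ReverseOrderScenario(void)
{
    Tracker t;
    TrackerInit(&t);
    uint8_t tail[4] = { 8, 9, 10, 11 };           /* constructed payload bytes */
    uint8_t head[8] = { 0, 1, 2, 3, 4, 5, 6, 7 };
    uint8_t out[64];
    size_t n = 0;

    TrackerAdd(&t, 8, tail, 4, false);            /* last fragment first */
    if (TrackerReassemble(&t, out, sizeof out, &n))
        return -1;
    TrackerAdd(&t, 0, head, 8, true);             /* now the first fragment */
    if (!TrackerReassemble(&t, out, sizeof out, &n))
        return -2;
    for (size_t i = 0; i < n; i++)
        if (out[i] != i) return -3;
    return (int)n;
}

/* A fragment with MF == 1 must never mark the tracker complete. */
bool MoreFragsNeverSetsSeenLast(void)
{
    Tracker t;
    TrackerInit(&t);
    uint8_t head[8] = { 0 };
    TrackerAdd(&t, 0, head, 8, true);
    return !t.seen_last;
}

int main(void)
{
    printf("reverse order reassembled %d bytes; MF keeps seen_last clear: %s\n",
           ReverseOrderScenario(), MoreFragsNeverSetsSeenLast() ? "yes" : "no");
    return 0;
}
```

The point of the gate in TrackerReassemble is that seen_last alone is not enough: with the last fragment in hand and the first still missing, the walk finds no fragment covering offset 0 and returns without touching output, which is exactly the state in which the crashing path dereferenced a reassembled packet that had never been built.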
#2

Updated by Victor Julien over 14 years ago

  • Status changed from New to Closed

Patches applied, thanks guys.
