Bug #5443: ftp-data: failed assertion

Added by Philippe Antoine almost 4 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal

Description

Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49010

./src/suricata -k none -c suricata.yaml --set stream.midstream=true --runmode=single -r lol.pcap

Victor, is this assertion really meant to be unreachable?


Files

lol.pcap (4.13 KB), Philippe Antoine, 07/15/2022 01:46 PM

Related issues (1 closed, 0 open)

Related to Suricata - Bug #5205: FTP-data unrecognized depending on multi-threading (Closed, Philippe Antoine)

Updated by Philippe Antoine almost 4 years ago (#2)

  • Related to Bug #5205: FTP-data unrecognized depending on multi-threading added

Updated by Philippe Antoine almost 4 years ago (#3)

Took me some time to figure out that I needed --runmode=single to reproduce, due to #5205 (the fuzz target runs in a single thread, and so ftp-data detection goes alright).

Updated by Victor Julien over 3 years ago (#4)

  • Status changed from New to Assigned
  • Priority changed from Normal to High

Updated by Philippe Antoine over 3 years ago (#5)

My analysis:
- we have an FTP flow which expects an ftp-data flow
- we use stream.midstream=true
- the ftp-data flow has a first packet with data
- the ftp-data flow then has a second packet in the same direction with the RST flag (and no ACK flag)
- RST triggers the parse of all available data, even if it has never been acked

Should we process any of this data that has never been acked?
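
The packet sequence described in this analysis, written out as an added example that is not part of the issue, of the attached lol.pcap, or of Suricata's own code: a standard-library-only Python script that writes a pcap containing an FTP control exchange (PASV and its 227 reply, which is what creates the ftp-data expectation), followed by an ftp-data flow with no handshake whose first packet carries data and whose second packet, from the same side, is a bare RST with no ACK, so nothing ever acknowledges the data in between. Addresses, ports, payloads, sequence numbers and the output file name are constructed assumptions; the capture is not claimed to trigger the assertion, but it is the shape of input one feeds to the command in the description. IP and TCP checksums are left zero, which is why that command runs Suricata with -k none.

```python
"""Write a minimal pcap with the packet sequence described in the analysis above.

Constructed example (not Suricata code, not the attached lol.pcap): an FTP control
exchange that announces a passive data port, then an ftp-data flow picked up
mid-stream whose first packet carries data and whose second packet, from the
same side, is a bare RST (no ACK).  Pure standard library, no scapy needed.
"""
import struct

# All addresses, ports and payloads below are constructed assumptions.
CLIENT, SERVER = "10.0.0.1", "10.0.0.2"
CTRL_SPORT, FTP_PORT = 40000, 21
DATA_PORT = 195 * 256 + 80          # 50000, as announced in the 227 reply
CLIENT_DATA_PORT = 40001

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
ETH_LEN, IP_LEN, TCP_LEN = 14, 20, 20


def ip2bytes(addr):
    return bytes(int(x) for x in addr.split("."))


def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame.  IP and TCP checksums are left as zero; that is
    why the repro command runs Suricata with `-k none` (no checksum validation)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, TCP_LEN // 4 << 4,
                      flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, ip2bytes(src), ip2bytes(dst))
    return eth + ip + tcp


def tcp_flags(frame):
    """Flags byte of a frame built by tcp_frame (offset 13 in the TCP header)."""
    return frame[ETH_LEN + IP_LEN + 13]


def tcp_seq(frame):
    """Sequence number of a frame built by tcp_frame."""
    return struct.unpack_from("!I", frame, ETH_LEN + IP_LEN + 4)[0]


def build_frames():
    """The sequence from the analysis: control channel sets up the expectation,
    then data and a bare RST in the same direction on the ftp-data flow."""
    pasv = b"PASV\r\n"
    reply = b"227 Entering Passive Mode (10,0,0,2,195,80)\r\n"
    retr = b"RETR secret.txt\r\n"
    payload = b"A" * 512                # data on the ftp-data flow that is never acked
    cseq, sseq = 1000, 2000             # control-channel sequence numbers
    return [
        tcp_frame(CLIENT, SERVER, CTRL_SPORT, FTP_PORT, cseq, sseq, TCP_PSH | TCP_ACK, pasv),
        tcp_frame(SERVER, CLIENT, FTP_PORT, CTRL_SPORT, sseq, cseq + len(pasv), TCP_PSH | TCP_ACK, reply),
        tcp_frame(CLIENT, SERVER, CTRL_SPORT, FTP_PORT, cseq + len(pasv), sseq + len(reply), TCP_PSH | TCP_ACK, retr),
        # ftp-data flow with no handshake (stream.midstream=true lets Suricata pick it up):
        # first packet carries data, second packet from the same side is RST without ACK,
        # and the peer never acknowledges the data in between.
        tcp_frame(SERVER, CLIENT, DATA_PORT, CLIENT_DATA_PORT, 5000, 6000, TCP_PSH | TCP_ACK, payload),
        tcp_frame(SERVER, CLIENT, DATA_PORT, CLIENT_DATA_PORT, 5000 + len(payload), 0, TCP_RST),
    ]


def pcap_bytes(frames):
    """Classic libpcap file: 24-byte global header, 16-byte record headers, LINKTYPE_ETHERNET (1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 1000 * i, len(f), len(f)) + f)
    return b"".join(out)


def write_pcap(path="ftp-data-rst.pcap"):
    """Write the capture to disk; returns the number of bytes written."""
    data = pcap_bytes(build_frames())
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    print(f"wrote {write_pcap()} bytes; feed it to the command from the description")
```

Run the script, then point the command from the description at the file it writes; keep --runmode=single, since #5205 means a multi-threaded run may not even recognise the ftp-data flow. The RST's sequence number sits right after the data, so a stream engine that drains everything it holds on RST will hand the 512 unacked bytes to the app layer on that packet.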

Updated by Victor Julien over 3 years ago (#6)

  • Target version changed from 7.0.0-beta1 to 8.0.0-beta1

Updated by Philippe Antoine over 3 years ago (#7)

Why not 7.0.rc1?

Updated by Victor Julien over 3 years ago (#8)

  • Target version changed from 8.0.0-beta1 to 7.0.0-rc1

Accident during mass retargeting, thanks for catching this.

Updated by Philippe Antoine over 3 years ago (#9)

I would disable the debug assertion if we cannot have a better fix quickly.
This would allow fuzzing to go on, and we would still have the issue to investigate...

Updated by Jeff Lucovsky over 3 years ago (#10)

  • Status changed from Assigned to Closed

Updated by Victor Julien over 3 years ago (#11)

  • Private changed from Yes to No

Updated by Philippe Antoine over 3 years ago (#12)

  • Status changed from Closed to Assigned

The bug is still there to be fixed, so reopening

Updated by Philippe Antoine over 3 years ago (#14)

  • Priority changed from High to Normal

Updated by Victor Julien about 3 years ago (#15)

  • Target version changed from 7.0.0-rc1 to 7.0.0-rc2

Updated by Victor Julien almost 3 years ago (#16)

  • Target version changed from 7.0.0-rc2 to 7.0.0

Updated by Victor Julien almost 3 years ago (#17)

  • Priority changed from Normal to High

Updated by Victor Julien almost 3 years ago (#18)

  • Target version changed from 7.0.0 to 7.0.1

Updated by Victor Julien over 2 years ago (#19)

  • Status changed from Assigned to In Review

Updated by Victor Julien over 2 years ago (#20)

  • Status changed from In Review to Closed
  • Priority changed from High to Normal

https://github.com/OISF/suricata/pull/9320

The issue was caused by data on RST being fed to the app-layer after EOF had already been sent to the app-layer. Data on RST is tracked in #6244.
