Bug #55
closedEngine Segv's when an invalid configuration file is specified
Description
We should probably exit or go ahead and return -1 regardless of --init-errors-fatal being specified if any of the following rules fail to be parsed as other parts of the code rely on them.
/* http_uri -- for uricontent /
sig = SigInit(de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP GET URI cap\"; flow:to_server,established; content:\"GET \"; depth:4; pcre:\"/^GET (?P<pkt_http_uri>.) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:1;)");
if (sig == NULL)
ret = -1;prevsig = sig;
de_ctx->sig_list = sig;sig = SigInit(de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP POST URI cap\"; flow:to_server,established; content:\"POST \"; depth:5; pcre:\"/^POST (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:2;)");
if (sig == NULL)
ret = -1;prevsig->next = sig;
prevsig = sig;/* http_host -- for the log-httplog module /
sig = SigInit(de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; flow:to_server,established; content:\"|0d 0a|Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.)\\r\\n/m\"; noalert; sid:3;)");
if (sig == NULL)
ret = -1;prevsig->next = sig;
prevsig = sig;/* http_ua -- for the log-httplog module /
sig = SigInit(de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP UA cap\"; flow:to_server,established; content:\"|0d 0a|User-Agent:\"; pcre:\"/^User-Agent: (?P<pkt_http_ua>.)\\r\\n/m\"; noalert; sid:4;)");
if (sig == NULL)
ret = -1;coz@coz-desktop:~/downloads/oisfnew$ src/suricata r /home/coz/downloads/dc17ctf.pcap -l ./ -c blah.rules "
Warning: Invalid global_log_level assigned by user. Falling back on the default_log_level "Info"
Warning: Invalid global_log_format supplied by user or format length exceeded limit of "128" characters. Falling back on default log_format "[%i] %t - (%f:%l) <%d> (%n) -
Warning: Output_interface not supplied by user. Falling back on default_output_interface "Console"
[1570] 11/1/2010 -- 08:56:41 - (suricata.c:437) <Info> (main) -- This is Suricata version 0.8.0
[1570] 11/1/2010 -- 08:56:41 - (suricata.c:607) <Info> (main) -- preallocating packets... packet size 92664
[1570] 11/1/2010 -- 08:56:41 - (suricata.c:621) <Info> (main) -- preallocating packets... done: total memory 4633200
[1570] 11/1/2010 -- 08:56:41 - (flow.c:426) <Info> (FlowInitConfig) -- initializing flow engine...
[1570] 11/1/2010 -- 08:56:42 - (flow.c:468) <Info> (FlowInitConfig) -- allocated 3145728 bytes of memory for the flow hash... 65536 buckets of size 48
[1570] 11/1/2010 -- 08:56:42 - (flow.c:482) <Info> (FlowInitConfig) -- preallocated 10000 flows of size 208
[1570] 11/1/2010 -- 08:56:42 - (flow.c:484) <Info> (FlowInitConfig) -- flow memory usage: 3145728 bytes, maximum: 33554432
[1570] 11/1/2010 -- 08:56:42 - (util-rule-vars.c:77) <Error> (SCRuleVarsGetConfVar) -- [ERRCODE: SC_ERR_UNDEFINED_VAR(66)] - Variable "HTTP_PORTS" is not defined in configuration file
[1570] 11/1/2010 -- 08:56:42 - (util-rule-vars.c:77) <Error> (SCRuleVarsGetConfVar) -- [ERRCODE: SC_ERR_UNDEFINED_VAR(66)] - Variable "HTTP_PORTS" is not defined in configuration file
Segmentation fault (core dumped)
coz@coz-desktop:~/downloads/oisfnew$ gdb src/suricata core
GNU gdb (GDB) 7.0-ubuntu
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/coz/downloads/oisfnew/src/suricata...done.
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libhtp-0.1.so.1...done.
Loaded symbols for /usr/lib/libhtp-0.1.so.1
Reading symbols from /usr/lib/libpcap.so.0.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpcap.so.0.8
Reading symbols from /usr/local/lib/libpfring.so...done.
Loaded symbols for /usr/local/lib/libpfring.so
Reading symbols from /usr/lib/libnet.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libnet.so.1
Reading symbols from /lib/libpthread.so.0...Reading symbols from /usr/lib/debug/lib/libpthread-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/libyaml-0.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libyaml-0.so.1
Reading symbols from /lib/libpcre.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib/libpcre.so.3
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Core was generated by `src/suricata r /home/coz/downloads/dc17ctf.pcap -l ./ -c blah.rules'.>next = sig;
Program terminated with signal 11, Segmentation fault.
#0 0x000000000041865a in SigLoadSignatures (de_ctx=0x1a11620, sig_file=0x0) at detect.c:305
305 prevsig
(gdb) bt full
#0 0x000000000041865a in SigLoadSignatures (de_ctx=0x1a11620, sig_file=0x0) at detect.c:305
prevsig = 0x0
sig = 0x0
rule_files = 0x473529
file = 0x0
ret = -1
r = 0
cnt = 0
cntf = 0
sfile = 0x0
FUNCTION = "SigLoadSignatures"
#1 0x0000000000404ef7 in main (argc=7, argv=0x7fff33051e38) at suricata.c:629
opt = -1
mode = 2
pcap_file = 0x7fff33053606 "/home/coz/downloads/dc17ctf.pcap"
pcap_dev = 0x0
pfring_dev = 0x0
sig_file = 0x0
nfq_id = 0
conf_filename = 0x7fff33053630 "blah.rules"
dump_config = 0
list_unittests = 0
daemon = 0
log_dir = 0x13221a0 "./"
buf = {st_dev = 2055, st_ino = 17351950, st_nlink = 7, st_mode = 16877, st_uid = 1000, st_gid = 1000, pad0 = 0, st_rdev = 0, st_size = 110592, st_blksize = 4096, st_blocks = 224, st_atim = {tv_sec = 1263218160, tv_nsec = 0},
st_mtim = {tv_sec = 1263217963, tv_nsec = 0}, st_ctim = {tv_sec = 1263217963, tv_nsec = 0}, __unused = {0, 0, 0}}
long_opts = {{name = 0x4a5848 "dump-config", has_arg = 0, flag = 0x7fff3305190c, val = 1}, {name = 0x4a5854 "pfring-int", has_arg = 1, flag = 0x0, val = 0}, {name = 0x4a585f "pfring-clusterid", has_arg = 1, flag = 0x0,
val = 0}, {name = 0x4a5870 "unittest-filter", has_arg = 1, flag = 0x0, val = 85}, {name = 0x4a5880 "list-unittests", has_arg = 0, flag = 0x7fff33051908, val = 1}, {name = 0x4a588f "init-errors-fatal", has_arg = 0,
flag = 0x0, val = 0}, {name = 0x4a58a1 "fatal-unittests", has_arg = 0, flag = 0x0, val = 0}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
option_index = 0
short_opts = "c:Dhi:l:q:r:us:U:V"
__FUNCTION = "main"
c = 255 '\377'
i = 50
de_ctx = 0x1a11620
start_time = {tv_sec = -450755873996800, tv_usec = 139821930291200}
Reported to the list as.
Hello there ,
I am having trouble running suricata with rules file, everytime i start suricata i get this msg :
Warning: Invalid global_log_level assigned by user. Falling back on the default_log_level "Info"
Warning: Invalid global_log_format supplied by user or format length exceeded limit of "128" characters. Falling back on default log_format "[%i] %t - (%f:%l) <%d> (%n) -
Warning: Output_interface not supplied by user. Falling back on default_output_interface "Console"
[26040] 11/1/2010 -- 08:39:17 - (suricata.c:425) <Info> (main) -- This is Suricata version 0.8.0
- glibc detected * suricata: free(): invalid pointer: 0xb7edc2a1 *
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7e1aa85]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7e1e4f0]
suricata[0x80a725a]
suricata[0x80a741a]
suricata[0x804b2aa]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb7dc5450]
suricata[0x804a961] ======= Memory map: ========
08048000-080ca000 r-xp 00000000 08:01 91327 /usr/local/bin/suricata
080ca000-080cb000 rw-p 00082000 08:01 91327 /usr/local/bin/suricata
080cb000-08119000 rw-p 080cb000 00:00 0 [heap]
b7c00000-b7c21000 rw-p b7c00000 00:00 0
b7c21000-b7d00000 ---p b7c21000 00:00 0
b7d87000-b7d91000 r-xp 00000000 08:01 1777680 /lib/libgcc_s.so.1
b7d91000-b7d92000 rw-p 0000a000 08:01 1777680 /lib/libgcc_s.so.1
b7d99000-b7d9a000 rw-p b7d99000 00:00 0
b7d9a000-b7dae000 r-xp 00000000 08:01 83916 /usr/lib/libz.so.1.2.3.3
b7dae000-b7daf000 rw-p 00013000 08:01 83916 /usr/lib/libz.so.1.2.3.3
b7daf000-b7ef8000 r-xp 00000000 08:01 1777688 /lib/tls/i686/cmov/libc-2.7.so
b7ef8000-b7ef9000 r--p 00149000 08:01 1777688 /lib/tls/i686/cmov/libc-2.7.so
b7ef9000-b7efb000 rw-p 0014a000 08:01 1777688 /lib/tls/i686/cmov/libc-2.7.so
b7efb000-b7efe000 rw-p b7efb000 00:00 0
b7efe000-b7f24000 r-xp 00000000 08:01 87668 /usr/lib/libpcre.so.3.12.1
b7f24000-b7f25000 rw-p 00026000 08:01 87668 /usr/lib/libpcre.so.3.12.1
b7f25000-b7f26000 rw-p b7f25000 00:00 0
b7f26000-b7f41000 r-xp 00000000 08:01 565249 /usr/local/lib/libyaml-0.so.2.0.1
b7f41000-b7f42000 rw-p 0001a000 08:01 565249 /usr/local/lib/libyaml-0.so.2.0.1
b7f42000-b7f56000 r-xp 00000000 08:01 1777702 /lib/tls/i686/cmov/libpthread-2.7.so
b7f56000-b7f58000 rw-p 00013000 08:01 1777702 /lib/tls/i686/cmov/libpthread-2.7.so
b7f58000-b7f5a000 rw-p b7f58000 00:00 0
b7f5a000-b7f60000 r-xp 00000000 08:01 88329 /usr/lib/libnfnetlink.so.0.2.0
b7f60000-b7f61000 rw-p 00005000 08:01 88329 /usr/lib/libnfnetlink.so.0.2.0
b7f61000-b7f63000 r-xp 00000000 08:01 88309 /usr/lib/libnetfilter_queue.so.1.1.0
b7f63000-b7f64000 rw-p 00001000 08:01 88309 /usr/lib/libnetfilter_queue.so.1.1.0
b7f64000-b7f77000 r-xp 00000000 08:01 89678 /usr/lib/libnet.so.1.3.0
b7f77000-b7f78000 rw-p 00013000 08:01 89678 /usr/lib/libnet.so.1.3.0
b7f78000-b7f7a000 rw-p b7f78000 00:00 0
b7f7a000-b7f97000 r-xp 00000000 08:01 87729 /usr/lib/libpcap.so.0.7.2
b7f97000-b7f98000 rw-p 0001d000 08:01 87729 /usr/lib/libpcap.so.0.7.2
b7f98000-b7fa6000 r-xp 00000000 08:01 88130 /usr/lib/libhtp-0.1.so.1.0.2
b7fa6000-b7fa7000 rw-p 0000e000 08:01 88130 /usr/lib/libhtp-0.1.so.1.0.2
b7fac000-b7fb0000 rw-p b7fac000 00:00 0
b7fb0000-b7fb1000 r-xp b7fb0000 00:00 0 [vdso]
b7fb1000-b7fcb000 r-xp 00000000 08:01 1779190 /lib/ld-2.7.so
b7fcb000-b7fcd000 rw-p 00019000 08:01 1779190 /lib/ld-2.7.so
bffc9000-bffde000 rw-p bffeb000 00:00 0 [stack]
Aborted
Running Ubuntu 8.04 server
I will be pleased for any help
thanks in advance
Ihab El Bakri
Files
Updated by Will Metcalf over 14 years ago
- File 0001-change-behavior-when-http-log-pcre-sigs-fail.patch 0001-change-behavior-when-http-log-pcre-sigs-fail.patch added
- Status changed from New to Resolved
attached diff should fix this issue.
Updated by Victor Julien over 14 years ago
- Status changed from Resolved to New
After applying the patch:
- ./src/suricata
i eth0 -c /home/victor/rules/x11.rules>log_format: [%i] %t - (%f:%l) <%d> (%n) --
sc_log_global_log_level: 7
sc_lc
SCLogSetOPFilter: filter: <no filter>
[12456] 12/1/2010 -- 11:15:50 - (suricata.c:436) <Info> (main) -- This is Suricata version 0.8.0- glibc detected * ./src/suricata: free(): invalid pointer: 0x003e4ff4 *
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0x30fff1]
/lib/tls/i686/cmov/libc.so.6[0x3116f2]
/lib/tls/i686/cmov/libc.so.6(cfree+0x6d)[0x31479d]
./src/suricata[0x8170136]
./src/suricata[0x817027a]
./src/suricata[0x804bb06]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0x2bbb56]
./src/suricata[0x804a9e1] ======= Memory map: ========
00113000-00122000 r-xp 00000000 08:05 2769809 /usr/lib/libhtp-0.1.so.1.0.2
00122000-00123000 r--p 0000e000 08:05 2769809 /usr/lib/libhtp-0.1.so.1.0.2
00123000-00124000 rw-p 0000f000 08:05 2769809 /usr/lib/libhtp-0.1.so.1.0.2
001ff000-00214000 r-xp 00000000 08:05 2769375 /usr/lib/libnet.so.1.5.0
00214000-00215000 r--p 00015000 08:05 2769375 /usr/lib/libnet.so.1.5.0
00215000-00216000 rw-p 00016000 08:05 2769375 /usr/lib/libnet.so.1.5.0
00216000-00217000 rw-p 00000000 00:00 0
0028f000-002a3000 r-xp 00000000 08:05 8372329 /lib/libz.so.1.2.3.3
002a3000-002a4000 r--p 00013000 08:05 8372329 /lib/libz.so.1.2.3.3
002a4000-002a5000 rw-p 00014000 08:05 8372329 /lib/libz.so.1.2.3.3
002a5000-003e3000 r-xp 00000000 08:05 10289318 /lib/tls/i686/cmov/libc-2.10.1.so
003e3000-003e5000 r--p 0013e000 08:05 10289318 /lib/tls/i686/cmov/libc-2.10.1.so
003e5000-003e6000 rw-p 00140000 08:05 10289318 /lib/tls/i686/cmov/libc-2.10.1.so
003e6000-003e9000 rw-p 00000000 00:00 0
00634000-00635000 r-xp 00000000 00:00 0 [vdso]
00804000-00821000 r-xp 00000000 08:05 17924195 /usr/lib/libyaml-0.so.1.1.0
00821000-00822000 r--p 0001c000 08:05 17924195 /usr/lib/libyaml-0.so.1.1.0
00822000-00823000 rw-p 0001d000 08:05 17924195 /usr/lib/libyaml-0.so.1.1.0
008f8000-00927000 r-xp 00000000 08:05 14861393 /lib/libpcre.so.3.12.1
00927000-00928000 r--p 0002e000 08:05 14861393 /lib/libpcre.so.3.12.1
00928000-00929000 rw-p 0002f000 08:05 14861393 /lib/libpcre.so.3.12.1
0093b000-0096c000 r-xp 00000000 08:05 2772342 /usr/lib/libpcap.so.1.0.0
0096c000-0096d000 r--p 00031000 08:05 2772342 /usr/lib/libpcap.so.1.0.0
0096d000-0096e000 rw-p 00032000 08:05 2772342 /usr/lib/libpcap.so.1.0.0
00b1f000-00b3b000 r-xp 00000000 08:05 14861369 /lib/libgcc_s.so.1
00b3b000-00b3c000 r--p 0001b000 08:05 14861369 /lib/libgcc_s.so.1
00b3c000-00b3d000 rw-p 0001c000 08:05 14861369 /lib/libgcc_s.so.1
00d7a000-00d8f000 r-xp 00000000 08:05 10387590 /lib/tls/i686/cmov/libpthread-2.10.1.so
00d8f000-00d90000 r--p 00014000 08:05 10387590 /lib/tls/i686/cmov/libpthread-2.10.1.so
00d90000-00d91000 rw-p 00015000 08:05 10387590 /lib/tls/i686/cmov/libpthread-2.10.1.so
00d91000-00d93000 rw-p 00000000 00:00 0
00e42000-00e5d000 r-xp 00000000 08:05 14794779 /lib/ld-2.10.1.so
00e5d000-00e5e000 r--p 0001a000 08:05 14794779 /lib/ld-2.10.1.so
00e5e000-00e5f000 rw-p 0001b000 08:05 14794779 /lib/ld-2.10.1.so
08048000-081db000 r-xp 00000000 08:05 16779177 /home/victor/sync/devel/eidps/src/suricata
081db000-081dc000 r--p 00192000 08:05 16779177 /home/victor/sync/devel/eidps/src/suricata
081dc000-081de000 rw-p 00193000 08:05 16779177 /home/victor/sync/devel/eidps/src/suricata
081de000-0820b000 rw-p 00000000 00:00 0
0905a000-0907b000 rw-p 00000000 00:00 0 [heap]
b7600000-b7621000 rw-p 00000000 00:00 0
b7621000-b7700000 ---p 00000000 00:00 0
b77fe000-b7801000 rw-p 00000000 00:00 0
b7817000-b781b000 rw-p 00000000 00:00 0
bf944000-bf959000 rw-p 00000000 00:00 0 [stack]
Aborted
- glibc detected * ./src/suricata: free(): invalid pointer: 0x003e4ff4 *
======= Backtrace: =========
Updated by Jason Ish over 14 years ago
- Assignee changed from OISF Dev to Jason MacLulich
Updated by Jason Ish over 14 years ago
- Assignee changed from Jason MacLulich to Jason Ish
Updated by Jason Ish over 14 years ago
- File 0001-Fix-issue-55.patch 0001-Fix-issue-55.patch added
This patch fixes this problem. Non-configuration files may still parse though, but shouldn't cause a segfault anymore.
Updated by Jason Ish over 14 years ago
- File 0002-Require-that-the-configuration-file-begins-with-a-va.patch 0002-Require-that-the-configuration-file-begins-with-a-va.patch added
This patch is along the same lines as this bug. It will require that the YAML file begin with a valid version. This will allow us to bail on a file that might parse as YAML, but is clearly not YAML or a Suricata configuration file.
Updated by Jason Ish over 14 years ago
- Status changed from New to Resolved
Should be resolved with these patches.
Updated by Victor Julien over 14 years ago
- Status changed from Resolved to Closed
Patches applied, thanks guys...