Bug #5526 (Closed)
tcp: Assertion failed: (!((last_ack_abs < left_edge && StreamTcpInlineMode() == 0 && !f->ffr && ssn->state < TCP_CLOSED)))
Description
Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50784
Reproducer is with rule:
alert tcp any any -> any 25 (msg:"VIRUS INBOUND bad file attachment"; flow:to_server,established; content:"content-disposition|3a| attachment|3b|"; nocase; content:".zip|22|"; nocase; within:128; file_data; content:".pdf.exe"; within:64; sid:13371339; rev:1;)
Cmd line is ./suricata -c suricata.yaml -k none -r repro.pcap -S repro.rules
Updated by Philippe Antoine about 2 years ago
Reproducer was obtained with Python:
import sys

# The oss-fuzz testcase is a single file: the rule set, a NUL byte, then the pcap.
with open(sys.argv[1], "rb") as f:
    data = f.read()

sep = data.find(0)
if sep < 0:
    sys.exit("no NUL separator found in testcase")

# Everything before the NUL byte is the rule set.
with open("repro.rules", "wb") as f:
    f.write(data[:sep])

# Everything after the NUL byte is the pcap.
with open("repro.pcap", "wb") as f:
    f.write(data[sep + 1:])
Updated by Victor Julien about 2 years ago
- Status changed from New to Assigned
- Priority changed from Normal to High
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Updated by Philippe Antoine about 2 years ago
Regression range is quite small: 50f877912861360f0461acd05acd7b7b51f9fd0f...1bff888947345505c773ab07337546aa72e95d16
Updated by Philippe Antoine about 2 years ago
commit f04b7a1827845d72b4d0c12f76eadfcc77d726cf introduced the debug assertion and the bug
Updated by Philippe Antoine about 2 years ago
- Related to Bug #5401: tcp: assertion failed in DoInsertSegment (BUG_ON) added
Updated by Philippe Antoine almost 2 years ago
Bug is still present even though oss-fuzz closed it
Updated by Victor Julien almost 2 years ago
Was just looking today and noticed it indeed didn't reproduce. Do you have a new reproducer?
Updated by Philippe Antoine almost 2 years ago
I use the same reproducer today
Suricata is at commit 55c4834e4e9b14a441b735f84d8d35b4eb151702
There must be another difference in system/libpcap...
Updated by Philippe Antoine almost 2 years ago
- File repro2.pcap repro2.pcap added
Better luck reproducing with this single-flow pcap?
Updated by Victor Julien almost 2 years ago
- Target version changed from 7.0.0-rc1 to 7.0.0-rc2
Updated by Philippe Antoine almost 2 years ago
- Status changed from Assigned to Closed
- Target version changed from 7.0.0-rc2 to 7.0.0-rc1
Accidentally fixed by commit 1dac2467c5b9c22ed20f121717960eaf4068d303
Updated by Philippe Antoine almost 2 years ago
- Status changed from Closed to Assigned
Reopening because of new variant found by https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55434
Updated by Philippe Antoine almost 2 years ago
- File repro3.pcap repro3.pcap added
Here is the new variant reproducer
Command line has -k none -c suricata.yaml --set stream.midstream=true
And this is using Emerging Threats rules
Updated by Victor Julien almost 2 years ago
- Target version changed from 7.0.0-rc1 to 7.0.0-rc2
Updated by Victor Julien over 1 year ago
- Status changed from Assigned to Closed