Project

General

Profile

Actions

Bug #5526

closed

tcp: Assertion failed: (!((last_ack_abs < left_edge && StreamTcpInlineMode() == 0 && !f->ffr && ssn->state < TCP_CLOSED)))

Added by Philippe Antoine over 2 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50784

Reproducer is with rule
alert tcp any any -> any 25 (msg:"VIRUS INBOUND bad file attachment"; flow:to_server,established; content:"content-disposition|3a| attachment|3b|"; nocase; content:".zip|22|"; nocase; within:128; file_data; content:".pdf.exe"; within:64; sid:13371339; rev:1;)

Cmd line is
./suricata -c suricata.yaml -k none -r repro.pcap -S repro.rules


Files

repro.pcap (325 KB) repro.pcap Philippe Antoine, 08/31/2022 12:45 PM
repro2.pcap (218 KB) repro2.pcap Philippe Antoine, 01/16/2023 12:25 PM
repro3.pcap (289 Bytes) repro3.pcap Philippe Antoine, 01/30/2023 09:43 AM

Related issues 1 (0 open1 closed)

Related to Suricata - Bug #5401: tcp: assertion failed in DoInsertSegment (BUG_ON)ClosedVictor JulienActions
Actions #1

Updated by Philippe Antoine over 2 years ago

Reproducer was obtained with python

import sys
f = open(sys.argv[1], "rb")
data = f.read()
f.close()

sep = data.find(0)
f = open("repro.rules", "wb")
f.write(data[:sep])
f.close()
f = open("repro.pcap", "wb")
f.write(data[sep+1:])
f.close()
Actions #2

Updated by Victor Julien about 2 years ago

  • Status changed from New to Assigned
  • Priority changed from Normal to High
  • Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Actions #3

Updated by Philippe Antoine about 2 years ago

Regression range is quite small : 50f877912861360f0461acd05acd7b7b51f9fd0f...1bff888947345505c773ab07337546aa72e95d16

Actions #4

Updated by Philippe Antoine about 2 years ago

commit f04b7a1827845d72b4d0c12f76eadfcc77d726cf introduced the debug assertion and the bug

Actions #5

Updated by Philippe Antoine about 2 years ago

  • Related to Bug #5401: tcp: assertion failed in DoInsertSegment (BUG_ON) added
Actions #6

Updated by Philippe Antoine almost 2 years ago

Bug still present even if oss-fuzz closed it

Actions #7

Updated by Victor Julien almost 2 years ago

Was just looking today and noticed it indeed didn't reproduce. Do you have a new reproducer?

Actions #8

Updated by Philippe Antoine almost 2 years ago

I use the same reproducer today
Suricata is at commit 55c4834e4e9b14a441b735f84d8d35b4eb151702

There must another difference in system/libpcap...

Actions #9

Updated by Philippe Antoine almost 2 years ago

Better luck reproducing with this single flow pcap ?

Actions #10

Updated by Victor Julien almost 2 years ago

  • Target version changed from 7.0.0-rc1 to 7.0.0-rc2
Actions #11

Updated by Philippe Antoine almost 2 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 7.0.0-rc2 to 7.0.0-rc1

Accidentally fixed by commit 1dac2467c5b9c22ed20f121717960eaf4068d303

Actions #12

Updated by Philippe Antoine almost 2 years ago

  • Status changed from Closed to Assigned

Reopening because of new variant found by https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55434

Actions #13

Updated by Philippe Antoine almost 2 years ago

Here is the new variant reproducer

Command line has -k none -c suricata.yaml --set stream.midstream=true

And this is using emerging threats rules

Actions #14

Updated by Victor Julien almost 2 years ago

  • Target version changed from 7.0.0-rc1 to 7.0.0-rc2
Actions #16

Updated by Victor Julien over 1 year ago

  • Priority changed from High to Normal
Actions #17

Updated by Victor Julien over 1 year ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF