Bug #5526: tcp: Assertion failed: (!((last_ack_abs < left_edge && StreamTcpInlineMode() == 0 && !f->ffr && ssn->state < TCP_CLOSED))) - Suricata - Open Information Security Foundation

Actions

Bug #5526

closed

tcp: Assertion failed: (!((last_ack_abs < left_edge && StreamTcpInlineMode() == 0 && !f->ffr && ssn->state < TCP_CLOSED)))

Added by Philippe Antoine over 1 year ago. Updated 10 months ago.

Status:

Closed

Priority:

Normal

Assignee:

Target version:

Affected Versions:

Effort:

Difficulty:

Label:

Description

Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50784

Reproducer is with rule
alert tcp any any -> any 25 (msg:"VIRUS INBOUND bad file attachment"; flow:to_server,established; content:"content-disposition|3a| attachment|3b|"; nocase; content:".zip|22|"; nocase; within:128; file_data; content:".pdf.exe"; within:64; sid:13371339; rev:1;)

Cmd line is
./suricata -c suricata.yaml -k none -r repro.pcap -S repro.rules

Files

Download all files

repro.pcap (325 KB) repro.pcap		Philippe Antoine, 08/31/2022 12:45 PM
repro2.pcap (218 KB) repro2.pcap		Philippe Antoine, 01/16/2023 12:25 PM
repro3.pcap (289 Bytes) repro3.pcap		Philippe Antoine, 01/30/2023 09:43 AM

Related issues 1 (0 open — 1 closed)

Actions

#1

Updated by Philippe Antoine over 1 year ago

Reproducer was obtained with python

import sys
f = open(sys.argv[1], "rb")
data = f.read()
f.close()

sep = data.find(0)
f = open("repro.rules", "wb")
f.write(data[:sep])
f.close()
f = open("repro.pcap", "wb")
f.write(data[sep+1:])
f.close()

Actions

#2

Updated by Victor Julien over 1 year ago

Status changed from New to Assigned
Priority changed from Normal to High
Target version changed from 7.0.0-beta1 to 7.0.0-rc1

Actions

#3

Updated by Philippe Antoine over 1 year ago

Regression range is quite small : 50f877912861360f0461acd05acd7b7b51f9fd0f...1bff888947345505c773ab07337546aa72e95d16

Actions

#4

Updated by Philippe Antoine over 1 year ago

commit f04b7a1827845d72b4d0c12f76eadfcc77d726cf introduced the debug assertion and the bug

Actions

#5

Updated by Philippe Antoine over 1 year ago

Related to Bug #5401: tcp: assertion failed in DoInsertSegment (BUG_ON) added

Actions

#6

Updated by Philippe Antoine over 1 year ago

Bug still present even if oss-fuzz closed it

Actions

#7

Updated by Victor Julien over 1 year ago

Was just looking today and noticed it indeed didn't reproduce. Do you have a new reproducer?

Actions

#8

Updated by Philippe Antoine over 1 year ago

I use the same reproducer today
Suricata is at commit 55c4834e4e9b14a441b735f84d8d35b4eb151702

There must another difference in system/libpcap...

Actions

#9

Updated by Philippe Antoine over 1 year ago

File repro2.pcap repro2.pcap added

Better luck reproducing with this single flow pcap ?

Actions

#10

Updated by Victor Julien over 1 year ago

Target version changed from 7.0.0-rc1 to 7.0.0-rc2

Actions

#11

Updated by Philippe Antoine over 1 year ago

Status changed from Assigned to Closed
Target version changed from 7.0.0-rc2 to 7.0.0-rc1

Accidentally fixed by commit 1dac2467c5b9c22ed20f121717960eaf4068d303

Actions

#12

Updated by Philippe Antoine over 1 year ago

Status changed from Closed to Assigned

Reopening because of new variant found by https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55434

Actions

#13

Updated by Philippe Antoine over 1 year ago

File repro3.pcap repro3.pcap added

Here is the new variant reproducer

Command line has -k none -c suricata.yaml --set stream.midstream=true

And this is using emerging threats rules

Actions

#14

Updated by Victor Julien over 1 year ago

Target version changed from 7.0.0-rc1 to 7.0.0-rc2

Actions

#15

Updated by Victor Julien almost 1 year ago

Status changed from Assigned to Closed

https://github.com/OISF/suricata/commit/5903ca624e0f93a3ee762ae6f06f97cf2a63868d

Actions

#16

Updated by Victor Julien almost 1 year ago

Priority changed from High to Normal

Actions

#17

Updated by Victor Julien 10 months ago

Private changed from Yes to No

Actions

Also available in: Atom PDF