Project

General

Profile

Actions

Bug #56

closed

Processing the attached pcap causes segv inside of AppLayerHandleMsg looks similar to bug #41

Added by Will Metcalf almost 15 years ago. Updated almost 15 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

ulimit c unlimited; src/suricata -c ../suricata117.yaml -r ./defconsegv-fuzz-2010-01-11-15-52-59.pcap -l ./
TmModuleReceivePcapFileRegister: datalink 1
[17772] 11/1/2010 -
16:35:51 - (tm-threads.c:1141) <Info> (TmThreadWaitOnThreadInit) -- all 6 packet processing threads, 3 management threads initialized, engine started.
TmqDebugList: id 0, name 'pickup-queue', len 43
TmqDebugList: id 1, name 'decode-queue1', len 7
TmqDebugList: id 2, name 'stream-queue1', len 0
TmqDebugList: id 3, name 'alert-queue1', len 0
Segmentation fault (core dumped)

coz@coz-desktop:~/downloads/suricatafuzz1$ gdb src/suricata core
GNU gdb (GDB) 7.0-ubuntu
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/&gt;...
Reading symbols from /home/coz/downloads/suricatafuzz1/src/suricata...done.
[New Thread 17773]
[New Thread 17777]
[New Thread 17776]
[New Thread 17774]
[New Thread 17779]
[New Thread 17772]
[New Thread 17781]
[New Thread 17778]
[New Thread 17780]

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libhtp-0.1.so.1...done.
Loaded symbols for /usr/lib/libhtp-0.1.so.1
Reading symbols from /usr/lib/libpcap.so.0.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpcap.so.0.8
Reading symbols from /usr/local/lib/libpfring.so...done.
Loaded symbols for /usr/local/lib/libpfring.so
Reading symbols from /usr/lib/libnet.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libnet.so.1
Reading symbols from /lib/libpthread.so.0...Reading symbols from /usr/lib/debug/lib/libpthread-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/libyaml-0.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libyaml-0.so.1
Reading symbols from /lib/libpcre.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib/libpcre.so.3
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Core was generated by `src/suricata c ../suricata117.yaml -r ./defconsegv-fuzz-2010-01-11-15-52-59.pc'.
Program terminated with signal 11, Segmentation fault.
#0 0x000000000049312a in AppLayerHandleMsg (dp_ctx=0x207c588, smsg=0x30fb0f0, need_lock=0 '\000') at app-layer-detect-proto.c:336
336 TcpSession *ssn = smsg
>flow->protoctx;
(gdb) bt full
#0 0x000000000049312a in AppLayerHandleMsg (dp_ctx=0x207c588, smsg=0x30fb0f0, need_lock=0 '\000') at app-layer-detect-proto.c:336
alproto = 0
r = 0
ssn = 0x30aefa0
#1 0x0000000000487a6a in StreamTcpReassembleProcessAppLayer (ra_ctx=0x207c580) at stream-tcp-reassemble.c:1505
smsg = 0x30fb0f0
r = 0
#2 0x0000000000482f3c in StreamTcpPacket (tv=0x207b440, p=0x1ab9750, stt=0x23a27e0) at stream-tcp.c:2407
ssn = 0x30aefa0
#3 0x0000000000482fd6 in StreamTcp (tv=0x207b440, p=0x1ab9750, data=0x23a27e0, pq=0x207ba30) at stream-tcp.c:2425
stt = 0x23a27e0
ret = TM_ECODE_OK
#4 0x0000000000474e90 in TmThreadsSlot1 (td=0x207b440) at tm-threads.c:325
tv = 0x207b440
s = 0x207ba00
p = 0x1ab9750
run = 1 '\001'
r = TM_ECODE_OK
#5 0x00007fc812101a04 in start_thread (arg=<value optimized out>) at pthread_create.c:300
__res = <value optimized out>
pd = 0x7fc810421910
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140497242954000, -2668557609720282638, 140737194254704, 0, 0, 3, 2695193795738534386, 2695198622988960242}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <value optimized out>
robust = <value optimized out>
#6 0x00007fc811a1c7bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#7 0x0000000000000000 in ?? ()
No symbol table info available.


Files

defconsegv-fuzz-2010-01-11-15-52-59.pcap (12.3 KB) defconsegv-fuzz-2010-01-11-15-52-59.pcap defcon17ctf fuzzed pcap segv inside of AppLayerHandleMsg Will Metcalf, 01/11/2010 04:18 PM
0001-bug-56-patch.patch (3.42 KB) 0001-bug-56-patch.patch Gurvinder Singh, 01/12/2010 02:53 AM
Actions #1

Updated by Gurvinder Singh almost 15 years ago

The segv was caused due to the wrong payload_len calculation. The patch has been attached and a unit test is also included to test this condition.

Actions #2

Updated by Victor Julien almost 15 years ago

  • Status changed from Resolved to Closed

Patch applied, thanks guys.

Actions

Also available in: Atom PDF