Security #5700
closedSCRealloc of large chunk crashes Suricata
Description
SCRealloc with a request size of 2940207104 crashes the memory allocator within Suricata (jemalloc).
The stack shows that Suricata was processing SMB traffic
The stack with the Suricata (but not the memory allocator):
#17 0x000055b30661018c in SCReallocFunc (ptr=ptr@entry=0x7f3b58400e00, size=size@entry=2940207104) at util-mem.c:44 ptrmem = <optimized out> __FUNCTION__ = <removed> #18 0x000055b30662d638 in Grow (sb=0x7f3e435ff8c0) at util-streaming-buffer.c:496 grow = 2940207104 ptr = <optimized out> diff = <optimized out> new_mem = <optimized out> grow = <optimized out> ptr = <optimized out> diff = <optimized out> new_mem = <optimized out> #19 StreamingBufferAppendNoTrack (sb=0x7f3e435ff8c0, data=0x7f3b55c005b4 <removed>..., data_len=20648) at util-streaming-buffer.c:649 rel_offset = <optimized out> #20 0x000055b306608253 in AppendData (data_len=<optimized out>, data=<optimized out>, file=0x7f3e41d10900) at util-file.c:610 No locals. #21 FileAppendDataDo (data_len=<optimized out>, data=<optimized out>, ff=0x7f3e41d10900) at util-file.c:701 r = <optimized out> r = <optimized out> #22 FileAppendDataDo (data_len=<optimized out>, data=<optimized out>, ff=0x7f3e41d10900) at util-file.c:650 r = <optimized out> r = <optimized out> #23 FileAppendDataById (ffc=<optimized out>, track_id=<optimized out>, data=<optimized out>, data_len=<optimized out>) at util-file.c:757 r = <optimized out> ff = 0x7f3e41d10900 #24 0x000055b3066e0561 in suricata::filecontainer::FileContainer::file_append (self=0x7f3e41ce20f0, track_id=0x7f3e41da8cc8, data=..., is_gap=<optimized out>) at src/filecontainer.rs:77 c = 0x0 #25 suricata::filetracker::FileTransferTracker::update (self=0x7f3e41da8c70, files=0x7f3e41ce20f0, flags=<optimized out>, data=..., gap_size=0) at src/filetracker.rs:307 is_gap = <optimized out> consumed = 0 #26 0x000055b30669efcc in suricata::smb::files::filetracker_newchunk (ft=0x7f3e41da8c70, files=0x7f3e41ce20f0, flags=<optimized out>, name=<optimized out>, data=..., chunk_offset=<optimized out>, chunk_size=<optimized out>, is_last=false, xid=<optimized out>) at src/smb/files.rs:90 sfcm = 0x6a7f3e9cc0a700 #27 suricata::smb::smb2::smb2_write_request_record (state=0x7f3e41ce2000, r=<optimized out>) at src/smb/smb2.rs:314 file_id = <optimized out> tdf = <optimized out> tx = <optimized out> files = 0x7f3e41ce20f0 flags = <optimized out> set_event_fileoverlap = false file_name = alloc::vec::Vec<u8, alloc::alloc::Global> {buf: alloc::raw_vec::RawVec<u8, alloc::alloc::Global> {ptr: core::ptr::unique::Unique<u8> {pointer: 0x1e40034000011, _marker: core::marker::PhantomData<u8>}, cap: 139904264699933, alloc: alloc::alloc::Global}, len: 16} file_guid = alloc::vec::Vec<u8, alloc::alloc::Global> {buf: alloc::raw_vec::RawVec<u8, alloc::alloc::Global> {ptr: core::ptr::unique::Unique<u8> {pointer: 0x0, _marker: core::marker::PhantomData<u8>}, cap: 139905408674552, alloc: alloc::alloc::Global}, len: 94227395112323} guid_key = suricata::smb::smb::SMBCommonHdr {ssn_id: <optimized out>, tree_id: <optimized out>, rec_type: 1, msg_id: <optimized out>} wr = suricata::smb::smb2_records::Smb2WriteRequestRecord {wr_len: <synthetic pointer>, wr_offset: <optimized out>, guid: &[u8] {data_ptr: <optimized out>, length: <optimized out>}, data: &[u8] {data_ptr: <optimized out>, length: 20648}} max_queue_cnt = <optimized out> max_queue_size = <optimized out> #28 0x000055b30671fea4 in suricata::smb::smb::SMBState::parse_tcp_data_ts_partial (self=0x7f3e41ce2000, input=...) at src/smb/smb.rs:1353 smb_record = 0x6a7f3e9cc0a700 smb = <optimized out> nbss_part_hdr = <optimized out> output = <optimized out> #29 0x000055b306720587 in suricata::smb::smb::SMBState::parse_tcp_data_ts (self=0x7f3e41ce2000, i=...) at src/smb/smb.rs:1511 n = <optimized out> needed = <error reading variable needed (Cannot access memory at address 0x0)> consumed = <optimized out> consumed = <optimized out> cur_i = &[u8] {data_ptr: 0x7f3b55c00540, length: 20764} #30 0x000055b306721782 in suricata::smb::smb::rs_smb_parse_request_tcp (flow=flow@entry=0x7f3e2352a580, state=state@entry=0x7f3e41ce2000, _pstate=_pstate@entry=0x7f3e41d1cd00, input=input@entry=0x7f3b55c00540, input_len=input_len@entry=20764, _data=_data@entry=0x0, flags=4) at src/smb/smb.rs:1901 buf = &[u8] {data_ptr: 0x7f3b55c00540, length: 20764} #31 0x000055b3064fe6bc in SMBTCPParseRequest (flags=4 '\004', local_data=0x0, input_len=20764, input=0x7f3b55c00540 "", pstate=0x7f3e41d1cd00, state=0x7f3e41ce2000, f=0x7f3e2352a580) at app-layer-smb.c:46 res = {status = 0, consumed = 0, needed = 1} file_flags = <optimized out> res = <optimized out> #32 SMBTCPParseRequest (f=0x7f3e2352a580, state=0x7f3e41ce2000, pstate=0x7f3e41d1cd00, input=0x7f3b55c00540 "", input_len=20764, local_data=0x0, flags=4 '\004') at app-layer-smb.c:33 file_flags = <optimized out> res = <optimized out> #33 0x000055b3064fd496 in AppLayerParserParse (tv=tv@entry=0x7f3e9e329580, alp_tctx=0x7f3e41939800, f=f@entry=0x7f3e2352a580, alproto=8, flags=4 '\004', input=input@entry=0x7f3b55c00540 "", input_len=20764) at app-layer-parser.c:1310 res = <optimized out> pstate = 0x7f3e41d1cd00 p = <optimized out> alstate = 0x7f3e41ce2000 p_tx_cnt = 40 consumed = 20764 direction = 0 cur_tx_cnt = <optimized out> #34 0x000055b3064d6d4e in AppLayerHandleTCPData (tv=tv@entry=0x7f3e9e329580, ra_ctx=ra_ctx@entry=0x7f3e437ff040, p=p@entry=0x7f3e4191a600, f=0x7f3e2352a580, ssn=ssn@entry=0x7f3e41cbe240, stream=stream@entry=0x7f3e442faff8, data=0x7f3b55c00540 "", data_len=20764, flags=4 '\004') at app-layer.c:724 app_tctx = <optimized out> alproto = <optimized out> r = 0 end = <optimized out> direction = 0 failure = <optimized out> #35 0x000055b3065e5cd9 in ReassembleUpdateAppLayer (dir=UPDATE_DIR_OPPOSING, p=0x7f3e4191a600, stream=0x7f3e442faff8, ssn=0x7f3e41cbe240, ra_ctx=0x7f3e437ff040, tv=0x7f3e9e329580) at stream-tcp-reassemble.c:1202 flags = <optimized out> check_for_gap_ahead = <optimized out> new_app_progress = <optimized out> mydata = 0x7f3b55c00540 "" mydata_len = 20764 app_progress = 2883182952 gap_ahead = <optimized out> last_was_gap = false app_progress = <optimized out> mydata = <optimized out> mydata_len = <optimized out> gap_ahead = <optimized out> last_was_gap = <optimized out> flags = <optimized out> check_for_gap_ahead = <optimized out> new_app_progress = <optimized out> r = <optimized out> no_progress_update = <optimized out> #36 StreamTcpReassembleAppLayer (tv=tv@entry=0x7f3e9e329580, ra_ctx=ra_ctx@entry=0x7f3e437ff040, ssn=ssn@entry=0x7f3e41cbe240, stream=<optimized out>, stream@entry=0x7f3e41cbe2d8, p=p@entry=0x7f3e4191a600, dir=dir@entry=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1265 No locals. #37 0x000055b3065e6ba9 in StreamTcpReassembleHandleSegmentUpdateACK (p=<optimized out>, stream=<optimized out>, ssn=<optimized out>, ra_ctx=<optimized out>, tv=<optimized out>) at stream-tcp-reassemble.c:1834 No locals. #38 StreamTcpReassembleHandleSegment (tv=tv@entry=0x7f3e9e329580, ra_ctx=0x7f3e437ff040, ssn=ssn@entry=0x7f3e41cbe240, stream=0x7f3e41cbe250, p=p@entry=0x7f3e4191a600, pq=pq@entry=0x7f3e435ff048) at stream-tcp-reassemble.c:1883 opposing_stream = 0x7f3e41cbe2d8 reversed_before_ack_handling = <optimized out> reversed_after_ack_handling = <optimized out> dir = UPDATE_DIR_OPPOSING #39 0x000055b3065da252 in HandleEstablishedPacketToClient (pq=<optimized out>, stt=<optimized out>, p=<optimized out>, ssn=<optimized out>, tv=<optimized out>) at stream-tcp.c:2502 zerowindowprobe = <optimized out> zerowindowprobe = <optimized out> ack_diff = <optimized out> ack_diff = <optimized out> ack_diff = <optimized out> ack_diff = <optimized out> sacked_size__ = <optimized out> #40 StreamTcpPacketStateEstablished (tv=tv@entry=0x7f3e9e329580, p=p@entry=0x7f3e4191a600, stt=stt@entry=0x7f3e435ff040, ssn=ssn@entry=0x7f3e41cbe240, pq=0x7f3e435ff048) at stream-tcp.c:2735 No locals. #41 0x000055b3065dfe31 in StreamTcpStateDispatch (state=<optimized out>, pq=0x7f3e435ff048, ssn=0x7f3e41cbe240, stt=0x7f3e435ff040, p=0x7f3e4191a600, tv=0x7f3e9e329580) at stream-tcp.c:4744 No locals. #42 StreamTcpPacket (tv=0x7f3e9e329580, p=p@entry=0x7f3e4191a600, stt=stt@entry=0x7f3e435ff040, pq=0x7f3e4193d030) at stream-tcp.c:4929 ssn = 0x7f3e41cbe240 error = <optimized out> #43 0x000055b3065e03df in StreamTcp (tv=tv@entry=0x7f3e9e329580, p=p@entry=0x7f3e4191a600, data=0x7f3e435ff040, pq=pq@entry=0x7f3e4193d030) at stream-tcp.c:5270 stt = 0x7f3e435ff040 #44 0x000055b3065955a0 in FlowWorkerStreamTCPUpdate (timeout=false, detect_thread=0x7f3e41cd0000, p=0x7f3e4191a600, fw=0x7f3e4193d000, tv=0x7f3e9e329580) at flow-worker.c:370 x = <optimized out> x = <optimized out> #45 FlowWorker (tv=0x7f3e9e329580, p=0x7f3e4191a600, data=0x7f3e4193d000) at flow-worker.c:535 fw = 0x7f3e4193d000 detect_thread = 0x7f3e41cd0000 #46 0x000055b3065ee9cf in TmThreadsSlotVarRun (tv=tv@entry=0x7f3e9e329580, p=p@entry=0x7f3e4191a600, slot=<optimized out>) at tm-threads.c:127 r = <optimized out> s = 0x7f3e9f4a52c0 #47 0x000055b3065cccf1 in TmThreadsSlotProcessPkt (p=0x7f3e4191a600, s=<optimized out>, tv=0x7f3e9e329580) at tm-threads.h:195 r = <optimized out> r = <optimized out> #48 NapatechPacketLoop (tv=0x7f3e9e329580, data=0x7f3e4191b000, slot=<optimized out>) at source-napatech.c:1070 p = 0x7f3e4191a600 status = <optimized out> error_buffer = <removed>, '\000' <repeats 11 times>, <removed> pkt_ts = <optimized out> packet_buffer = 0x7f3e78811a00 ntv = 0x7f3e4191b000 hba_pkt_drops = 0 hba_byte_drops = 0 numa_node = <optimized out> set_cpu_affinity = 0 closer = 0 is_autoconfig = 0 __FUNCTION__ = <removed> s = <optimized out> #49 0x000055b3065f05f7 in TmThreadsSlotPktAcqLoop (td=0x7f3e9e329580) at tm-threads.c:322 tv = 0x7f3e9e329580 s = 0x7f3e9f4a5240 run = 1 '\001' r = <optimized out> slot = 0x0 __FUNCTION__ = <removed> #50 0x00007f3ea1ebb37e in start_thread (arg=0x7f3e442ff640) at pthread_create.c:463 ret = <optimized out> pd = 0x7f3e442ff640 unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139905408693824, -7709624411948685753, 140730008245022, 0, 140730008245023, 139905408693824, 7745453786463626823, 7745253092130973255}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = 0 #51 0x00007f3ea25fcb8f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 No locals.
Updated by Jeff Lucovsky about 2 years ago
And another occurrence (with a similar request size)
#17 0x000056282e3cd20c in SCReallocFunc (ptr=ptr@entry=0x7feca720a340, size=size@entry=21921792) at util-mem.c:44 ptrmem = <optimized out> __FUNCTION__ = <removed> #18 0x000056282e3ea6b8 in Grow (sb=0x7fea606752c0) at util-streaming-buffer.c:496 grow = 21921792 ptr = <optimized out> diff = <optimized out> new_mem = <optimized out> grow = <optimized out> ptr = <optimized out> diff = <optimized out> new_mem = <optimized out> #19 StreamingBufferAppendNoTrack (sb=0x7fea606752c0, data=0x7fde46763140 <removed>, <incomplete sequence \371\227>..., data_len=2760) at util-streaming-buffer.c:649 rel_offset = <optimized out> #20 0x000056282e3c52e3 in AppendData (data_len=<optimized out>, data=<optimized out>, file=0x7feff4188c00) at util-file.c:610 No locals. #21 FileAppendDataDo (data_len=<optimized out>, data=<optimized out>, ff=0x7feff4188c00) at util-file.c:701 r = <optimized out> r = <optimized out> #22 FileAppendDataDo (data_len=<optimized out>, data=<optimized out>, ff=0x7feff4188c00) at util-file.c:650 r = <optimized out> r = <optimized out> #23 FileAppendDataById (ffc=<optimized out>, track_id=<optimized out>, data=<optimized out>, data_len=<optimized out>) at util-file.c:757 r = <optimized out> ff = 0x7feff4188c00 #24 0x000056282e49d531 in suricata::filecontainer::FileContainer::file_append (self=0x7fed72b27100, track_id=0x7fe78d707778, data=..., is_gap=<optimized out>) at src/filecontainer.rs:77 c = 0x19d78 #25 suricata::filetracker::FileTransferTracker::update (self=0x7fe78d707720, files=0x7fed72b27100, flags=<optimized out>, data=..., gap_size=0) at src/filetracker.rs:307 is_gap = <optimized out> consumed = 0 #26 0x000056282e4e089f in suricata::smb::smb::SMBState::filetracker_update (self=<optimized out>, direction=<optimized out>, data=..., gap_size=1140876500) at src/smb/files.rs:214 file_data = &[u8] {data_ptr: 0x7fde46763140, length: 2760} tdf = <optimized out> tx = <optimized out> files = 0x7fed72b27100 flags = 8790 ssn_gap = <optimized out> data_to_handle_len = 2760 file_handle = alloc::vec::Vec<u8, alloc::alloc::Global> {buf: alloc::raw_vec::RawVec<u8, alloc::alloc::Global> {ptr: core::ptr::unique::Unique<u8> {pointer: 0x7fee6b44f120, _marker: core::marker::PhantomData<u8>}, cap: 16, alloc: alloc::alloc::Global}, len: 16} chunk_left = <optimized out> #27 0x000056282e4dda7c in suricata::smb::smb::SMBState::parse_tcp_data_tc (self=0x7fed72b27000, i=...) at src/smb/smb.rs:1638 consumed = <optimized out> cur_i = &[u8] {data_ptr: 0x7fde46763140, length: 2760} #28 0x000056282e4de7f2 in suricata::smb::smb::rs_smb_parse_response_tcp (flow=flow@entry=0x7fee10a25880, state=state@entry=0x7fed72b27000, _pstate=_pstate@entry=0x7fee4fea8520, input=input@entry=0x7fde46763140, input_len=input_len@entry=2760, _data=_data@entry=0x0, flags=8) at src/smb/smb.rs:1933 buf = &[u8] {data_ptr: 0x7fde46763140, length: 2760} #29 0x000056282e2bc3fc in SMBTCPParseResponse (flags=8 '\b', local_data=0x0, input_len=2760, input=0x7fde46763140 <removed>, <incomplete sequence \371\227>..., pstate=0x7fee4fea8520, state=0x7fed72b27000, f=0x7fee10a25880) at app-layer-smb.c:68 res = {status = 0, consumed = 0, needed = 0} file_flags = <optimized out> res = <optimized out> #30 SMBTCPParseResponse (f=0x7fee10a25880, state=0x7fed72b27000, pstate=0x7fee4fea8520, input=0x7fde46763140 <removed>, <incomplete sequence \371\227>..., input_len=2760, local_data=0x0, flags=8 '\b') at app-layer-smb.c:54 file_flags = <optimized out> res = <optimized out> #31 0x000056282e2bb2b6 in AppLayerParserParse (tv=tv@entry=0x7ff03e657200, alp_tctx=0x7fefc888e800, f=f@entry=0x7fee10a25880, alproto=8, flags=flags@entry=8 '\b', input=input@entry=0x7fde46763140 <removed>, <incomplete sequence \371\227>..., input_len=2760) at app-layer-parser.c:1285 res = <optimized out> pstate = 0x7fee4fea8520 p = <optimized out> alstate = 0x7fed72b27000 p_tx_cnt = 25114 consumed = 2760 direction = 1 cur_tx_cnt = <optimized out> #32 0x000056282e294cdc in AppLayerHandleTCPData (tv=tv@entry=0x7ff03e657200, ra_ctx=ra_ctx@entry=0x7fefc9dfe040, p=p@entry=0x7fefc8873600, f=0x7fee10a25880, ssn=ssn@entry=0x7fee4fd616c0, stream=stream@entry=0x7fefca8faff8, data=0x7fde46763140 <removed>, <incomplete sequence \371\227>..., data_len=2760, flags=8 '\b') at app-layer.c:709 app_tctx = <optimized out> alproto = <optimized out> r = 0 direction = 1 failure = <optimized out> #33 0x000056282e3a35e9 in ReassembleUpdateAppLayer (dir=UPDATE_DIR_OPPOSING, p=0x7fefc8873600, stream=0x7fefca8faff8, ssn=0x7fee4fd616c0, ra_ctx=0x7fefc9dfe040, tv=0x7ff03e657200) at stream-tcp-reassemble.c:1190 flags = <optimized out> check_for_gap_ahead = <optimized out> new_app_progress = <optimized out> mydata = 0x7fde46763140 <removed>, <incomplete sequence \371\227>... mydata_len = 2760 app_progress = 436264855 gap_ahead = <optimized out> last_was_gap = false app_progress = <optimized out> mydata = <optimized out> mydata_len = <optimized out> gap_ahead = <optimized out> last_was_gap = <optimized out> flags = <optimized out> check_for_gap_ahead = <optimized out> new_app_progress = <optimized out> r = <optimized out> no_progress_update = <optimized out> #34 StreamTcpReassembleAppLayer (tv=tv@entry=0x7ff03e657200, ra_ctx=ra_ctx@entry=0x7fefc9dfe040, ssn=ssn@entry=0x7fee4fd616c0, stream=<optimized out>, stream@entry=0x7fee4fd616d0, p=p@entry=0x7fefc8873600, dir=dir@entry=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1253 No locals. #35 0x000056282e3a44da in StreamTcpReassembleHandleSegmentUpdateACK (p=<optimized out>, stream=<optimized out>, ssn=<optimized out>, ra_ctx=<optimized out>, tv=<optimized out>) at stream-tcp-reassemble.c:1822 No locals. #36 StreamTcpReassembleHandleSegment (tv=tv@entry=0x7ff03e657200, ra_ctx=0x7fefc9dfe040, ssn=ssn@entry=0x7fee4fd616c0, stream=0x7fee4fd61758, p=p@entry=0x7fefc8873600, pq=pq@entry=0x7fefc9dff048) at stream-tcp-reassemble.c:1871 opposing_stream = 0x7fee4fd616d0 reversed_before_ack_handling = <optimized out> reversed_after_ack_handling = <optimized out> dir = UPDATE_DIR_OPPOSING #37 0x000056282e397bd2 in HandleEstablishedPacketToClient (pq=<optimized out>, stt=<optimized out>, p=<optimized out>, ssn=<optimized out>, tv=<optimized out>) at stream-tcp.c:2469 zerowindowprobe = <optimized out> zerowindowprobe = <optimized out> ack_diff = <optimized out> ack_diff = <optimized out> ack_diff = <optimized out> ack_diff = <optimized out> sacked_size__ = <optimized out> #38 StreamTcpPacketStateEstablished (tv=tv@entry=0x7ff03e657200, p=p@entry=0x7fefc8873600, stt=stt@entry=0x7fefc9dff040, ssn=ssn@entry=0x7fee4fd616c0, pq=0x7fefc9dff048) at stream-tcp.c:2702 No locals. #39 0x000056282e39d751 in StreamTcpStateDispatch (state=<optimized out>, pq=0x7fefc9dff048, ssn=0x7fee4fd616c0, stt=0x7fefc9dff040, p=0x7fefc8873600, tv=0x7ff03e657200) at stream-tcp.c:4711 No locals. #40 StreamTcpPacket (tv=0x7ff03e657200, p=p@entry=0x7fefc8873600, stt=stt@entry=0x7fefc9dff040, pq=0x7fefc8892030) at stream-tcp.c:4896 ssn = 0x7fee4fd616c0 error = <optimized out> #41 0x000056282e39dcff in StreamTcp (tv=tv@entry=0x7ff03e657200, p=p@entry=0x7fefc8873600, data=0x7fefc9dff040, pq=pq@entry=0x7fefc8892030) at stream-tcp.c:5234 stt = 0x7fefc9dff040 #42 0x000056282e353040 in FlowWorkerStreamTCPUpdate (timeout=false, detect_thread=0x7fefc7f25000, p=0x7fefc8873600, fw=0x7fefc8892000, tv=0x7ff03e657200) at flow-worker.c:370 x = <optimized out> x = <optimized out> #43 FlowWorker (tv=0x7ff03e657200, p=0x7fefc8873600, data=0x7fefc8892000) at flow-worker.c:535 fw = 0x7fefc8892000 detect_thread = 0x7fefc7f25000 #44 0x000056282e3ac15f in TmThreadsSlotVarRun (tv=tv@entry=0x7ff03e657200, p=p@entry=0x7fefc8873600, slot=<optimized out>) at tm-threads.c:127 r = <optimized out> s = 0x7ff040ea5cc0 #45 0x000056282e38a641 in TmThreadsSlotProcessPkt (p=0x7fefc8873600, s=<optimized out>, tv=0x7ff03e657200) at tm-threads.h:195 r = <optimized out>
Updated by Jeff Lucovsky about 2 years ago
And another
#17 0x00005605b85ea18c in SCReallocFunc (ptr=ptr@entry=0x7f367fafc9c0, size=size@entry=7442432) at util-mem.c:44 ptrmem = <optimized out> __FUNCTION__ = <removed> #18 0x00005605b8607638 in Grow (sb=0x7f40389c4680) at util-streaming-buffer.c:496 grow = 7442432 ptr = <optimized out> diff = <optimized out> new_mem = <optimized out> grow = <optimized out> ptr = <optimized out> diff = <optimized out> new_mem = <optimized out> #19 StreamingBufferAppendNoTrack (sb=0x7f40389c4680, data=0x7f36809cf140 <removed>, <incomplete sequence \351>..., data_len=3750) at util-streaming-buffer.c:649 rel_offset = <optimized out> #20 0x00005605b85e2253 in AppendData (data_len=<optimized out>, data=<optimized out>, file=0x7f3feb165980) at util-file.c:610 No locals. #21 FileAppendDataDo (data_len=<optimized out>, data=<optimized out>, ff=0x7f3feb165980) at util-file.c:701 r = <optimized out> r = <optimized out> #22 FileAppendDataDo (data_len=<optimized out>, data=<optimized out>, ff=0x7f3feb165980) at util-file.c:650 r = <optimized out> r = <optimized out> #23 FileAppendDataById (ffc=<optimized out>, track_id=<optimized out>, data=<optimized out>, data_len=<optimized out>) at util-file.c:757 r = <optimized out> ff = 0x7f3feb165980 #24 0x00005605b86ba561 in suricata::filecontainer::FileContainer::file_append (self=0x7f418880b4f0, track_id=0x7f3feaeb8778, data=..., is_gap=<optimized out>) at src/filecontainer.rs:77 c = 0x6 #25 suricata::filetracker::FileTransferTracker::update (self=0x7f3feaeb8720, files=0x7f418880b4f0, flags=<optimized out>, data=..., gap_size=0) at src/filetracker.rs:307 is_gap = <optimized out> consumed = 0 #26 0x00005605b86fd8ef in suricata::smb::smb::SMBState::filetracker_update (self=<optimized out>, direction=<optimized out>, data=..., gap_size=1) at src/smb/files.rs:214 file_data = &[u8] {data_ptr: 0x7f36809cf140, length: 3750} tdf = <optimized out> tx = <optimized out> files = 0x7f418880b4f0 flags = 8790 ssn_gap = <optimized out> data_to_handle_len = 3750 file_handle = alloc::vec::Vec<u8, alloc::alloc::Global> {buf: alloc::raw_vec::RawVec<u8, alloc::alloc::Global> {ptr: core::ptr::unique::Unique<u8> {pointer: 0x7f41887c7450, _marker: core::marker::PhantomData<u8>}, cap: 16, alloc: alloc::alloc::Global}, len: 16} chunk_left = <optimized out> #27 0x00005605b86f9f7c in suricata::smb::smb::SMBState::parse_tcp_data_ts (self=0x7f418880b400, i=...) at src/smb/smb.rs:1388 consumed = <optimized out> cur_i = &[u8] {data_ptr: 0x7f36809cf140, length: 3750} #28 0x00005605b86fb782 in suricata::smb::smb::rs_smb_parse_request_tcp (flow=flow@entry=0x7f3f4d587540, state=state@entry=0x7f418880b400, _pstate=_pstate@entry=0x7f401ac14540, input=input@entry=0x7f36809cf140, input_len=input_len@entry=3750, _data=_data@entry=0x0, flags=4) at src/smb/smb.rs:1901 buf = &[u8] {data_ptr: 0x7f36809cf140, length: 3750} #29 0x00005605b84d86bc in SMBTCPParseRequest (flags=4 '\004', local_data=0x0, input_len=3750, input=0x7f36809cf140 <removed>, <incomplete sequence \351>..., pstate=0x7f401ac14540, state=0x7f418880b400, f=0x7f3f4d587540) at app-layer-smb.c:46 res = {status = 0, consumed = 0, needed = 0} file_flags = <optimized out> res = <optimized out> #30 SMBTCPParseRequest (f=0x7f3f4d587540, state=0x7f418880b400, pstate=0x7f401ac14540, input=0x7f36809cf140 <removed>, <incomplete sequence \351>..., input_len=3750, local_data=0x0, flags=4 '\004') at app-layer-smb.c:33 file_flags = <optimized out> res = <optimized out> #31 0x00005605b84d7496 in AppLayerParserParse (tv=tv@entry=0x7f42303ccdc0, alp_tctx=0x7f4209739800, f=f@entry=0x7f3f4d587540, alproto=8, flags=4 '\004', input=input@entry=0x7f36809cf140 <removed>, <incomplete sequence \351>..., input_len=3750) at app-layer-parser.c:1310 res = <optimized out> pstate = 0x7f401ac14540 p = <optimized out> alstate = 0x7f418880b400 p_tx_cnt = 1161 consumed = 3750 direction = 0 cur_tx_cnt = <optimized out> #32 0x00005605b84b0d4e in AppLayerHandleTCPData (tv=tv@entry=0x7f42303ccdc0, ra_ctx=ra_ctx@entry=0x7f4209742220, p=p@entry=0x7f420971a600, f=0x7f3f4d587540, ssn=ssn@entry=0x7f3f9a9ed900, stream=stream@entry=0x7f420c1faff8, data=0x7f36809cf140 <removed>, <incomplete sequence \351>..., data_len=3750, flags=4 '\004') at app-layer.c:724 app_tctx = <optimized out> alproto = <optimized out> r = 0 end = <optimized out> direction = 0 failure = <optimized out> #33 0x00005605b85bfcd9 in ReassembleUpdateAppLayer (dir=UPDATE_DIR_OPPOSING, p=0x7f420971a600, stream=0x7f420c1faff8, ssn=0x7f3f9a9ed900, ra_ctx=0x7f4209742220, tv=0x7f42303ccdc0) at stream-tcp-reassemble.c:1202 flags = <optimized out> check_for_gap_ahead = <optimized out> new_app_progress = <optimized out> mydata = 0x7f36809cf140 <removed>, <incomplete sequence \351>... mydata_len = 3750 app_progress = 9958146256 gap_ahead = <optimized out> last_was_gap = false app_progress = <optimized out> mydata = <optimized out> mydata_len = <optimized out> gap_ahead = <optimized out> last_was_gap = <optimized out> flags = <optimized out> check_for_gap_ahead = <optimized out> new_app_progress = <optimized out> r = <optimized out> no_progress_update = <optimized out> #34 StreamTcpReassembleAppLayer (tv=tv@entry=0x7f42303ccdc0, ra_ctx=ra_ctx@entry=0x7f4209742220, ssn=ssn@entry=0x7f3f9a9ed900, stream=<optimized out>, stream@entry=0x7f3f9a9ed998, p=p@entry=0x7f420971a600, dir=dir@entry=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1265 No locals. #35 0x00005605b85c0ba9 in StreamTcpReassembleHandleSegmentUpdateACK (p=<optimized out>, stream=<optimized out>, ssn=<optimized out>, ra_ctx=<optimized out>, tv=<optimized out>) at stream-tcp-reassemble.c:1834 No locals. #36 StreamTcpReassembleHandleSegment (tv=tv@entry=0x7f42303ccdc0, ra_ctx=0x7f4209742220, ssn=ssn@entry=0x7f3f9a9ed900, stream=0x7f3f9a9ed910, p=p@entry=0x7f420971a600, pq=pq@entry=0x7f420b3ff088) at stream-tcp-reassemble.c:1883 opposing_stream = 0x7f3f9a9ed998 reversed_before_ack_handling = <optimized out> reversed_after_ack_handling = <optimized out> dir = UPDATE_DIR_OPPOSING #37 0x00005605b85b4252 in HandleEstablishedPacketToClient (pq=<optimized out>, stt=<optimized out>, p=<optimized out>, ssn=<optimized out>, tv=<optimized out>) at stream-tcp.c:2502 zerowindowprobe = <optimized out> zerowindowprobe = <optimized out> ack_diff = <optimized out> ack_diff = <optimized out> ack_diff = <optimized out> ack_diff = <optimized out> sacked_size__ = <optimized out> #38 StreamTcpPacketStateEstablished (tv=tv@entry=0x7f42303ccdc0, p=p@entry=0x7f420971a600, stt=stt@entry=0x7f420b3ff080, ssn=ssn@entry=0x7f3f9a9ed900, pq=0x7f420b3ff088) at stream-tcp.c:2735 No locals. #39 0x00005605b85b9e31 in StreamTcpStateDispatch (state=<optimized out>, pq=0x7f420b3ff088, ssn=0x7f3f9a9ed900, stt=0x7f420b3ff080, p=0x7f420971a600, tv=0x7f42303ccdc0) at stream-tcp.c:4744 No locals. #40 StreamTcpPacket (tv=0x7f42303ccdc0, p=p@entry=0x7f420971a600, stt=stt@entry=0x7f420b3ff080, pq=0x7f4209746030) at stream-tcp.c:4929 ssn = 0x7f3f9a9ed900 error = <optimized out> #41 0x00005605b85ba3df in StreamTcp (tv=tv@entry=0x7f42303ccdc0, p=p@entry=0x7f420971a600, data=0x7f420b3ff080, pq=pq@entry=0x7f4209746030) at stream-tcp.c:5270 stt = 0x7f420b3ff080 #42 0x00005605b856f5a0 in FlowWorkerStreamTCPUpdate (timeout=false, detect_thread=0x7f4209ad5000, p=0x7f420971a600, fw=0x7f4209746000, tv=0x7f42303ccdc0) at flow-worker.c:370 x = <optimized out> x = <optimized out> #43 FlowWorker (tv=0x7f42303ccdc0, p=0x7f420971a600, data=0x7f4209746000) at flow-worker.c:535 fw = 0x7f4209746000 detect_thread = 0x7f4209ad5000 #44 0x00005605b85c89cf in TmThreadsSlotVarRun (tv=tv@entry=0x7f42303ccdc0, p=p@entry=0x7f420971a600, slot=<optimized out>) at tm-threads.c:127 r = <optimized out> s = 0x7f423249b000 #45 0x00005605b85a6cf1 in TmThreadsSlotProcessPkt (p=0x7f420971a600, s=<optimized out>, tv=0x7f42303ccdc0) at tm-threads.h:195
Updated by Victor Julien almost 2 years ago
- Related to Security #5703: smb: crash inside of streaming buffer Grow() added
Updated by Victor Julien almost 2 years ago
- Related to Bug #4863: suricata segfault on smb packet added
Updated by Philippe Antoine almost 2 years ago
I wonder if https://github.com/OISF/suricata/pull/8331 will help.
How come gap_size
value changes in the stack trace ? like
#25 suricata::filetracker::FileTransferTracker::update (self=0x7fe78d707720, files=0x7fed72b27100, flags=<optimized out>, data=..., gap_size=0) at src/filetracker.rs:307 is_gap = <optimized out> consumed = 0 #26 0x000056282e4e089f in suricata::smb::smb::SMBState::filetracker_update (self=<optimized out>, direction=<optimized out>, data=..., gap_size=1140876500) at src/smb/files.rs:214
Scenario to reproduce this is have a pcap with a smb2 write, change its length in the SMB2 field to be really big, change the next packets to have a TCP sequence + ack numbers 1G later
Than in parse_tcp_data_ts_gap
, let gap = vec![0; new_gap_size as usize];
. should allocate big and make it pass through the util file append...
Updated by Philippe Antoine almost 2 years ago
But is there some mechanism to prevent a SMB file transfer over 1G to allocate over 1G in the streaming buffer of the file ?
Updated by Philippe Antoine almost 2 years ago
I have some 2Gbytes pcap that gets Warning: streaming-buffer: StreamingBuffer::Grow() tried to alloc 1084227584 bytes, exceeds limit of 1073741824 [util-streaming-buffer.c:499]
Should we work on this ?
Like why does Suricata need to store this in memory ?
Updated by Victor Julien almost 2 years ago
- Status changed from New to In Progress
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 7.0.0-rc1
Updated by Victor Julien almost 2 years ago
- Related to Bug #4580: smb: large streams can cause large memory moves (memmove) added
Updated by Philippe Antoine almost 2 years ago
By the way, the line let gap = vec![0; new_gap_size as usize];
. looks suspicious to me...
Updated by Victor Julien almost 2 years ago
- Related to Optimization #5782: smb: set defaults for file chunk limits added
Updated by Victor Julien almost 2 years ago
- Related to Bug #5781: smb: unbounded file chunk queuing after gap added
Updated by Victor Julien almost 2 years ago
- Status changed from In Progress to Closed