Actions
Security #5701
closedSuricata crashes while processing FTP
Git IDs:
Severity:
MODERATE
Disclosure Date:
Description
Auric
Thread 1 (Thread 0x7f83e9cff640 (LWP 42276)): #0 core::cmp::impls::{{impl}}::ne (self=<optimized out>, other=<optimized out>) at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/core/src/cmp.rs:1177 No locals. #1 core::cmp::impls::{{impl}}::ne<u8,u8> (self=<optimized out>, other=<optimized out>) at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/core/src/cmp.rs:1346 No locals. #2 nom::traits::{{impl}}::compare::{{closure}} () at /data/build/appliance/pkgs/suricata/build/production/rust/vendor/nom/src/traits.rs:659 a = <optimized out> b = <optimized out> #3 core::iter::traits::iterator::Iterator::position::check::{{closure}}<(&u8, &u8),closure-0> (i=<optimized out>, x=...) at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/core/src/iter/traits/iterator.rs:2479 predicate = <optimized out> #4 core::iter::traits::iterator::Iterator::try_fold<core::iter::adapters::zip::Zip<core::slice::iter::Iter<u8>, core::slice::iter::Iter<u8>>,usize,closure-0,core::ops::control_flow::ControlFlow<usize, usize>> (self=<optimized out>, init=0, f=...) at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/core/src/iter/traits/iterator.rs:1982 x = (0x0, <synthetic pointer>) accum = <optimized out> accum = <optimized out> x = <optimized out> err = <optimized out> val = <optimized out> #5 core::iter::traits::iterator::Iterator::position<core::iter::adapters::zip::Zip<core::slice::iter::Iter<u8>, core::slice::iter::Iter<u8>>,closure-0> (self=<optimized out>, predicate=...) at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/core/src/iter/traits/iterator.rs:2483 No locals. #6 nom::traits::{{impl}}::compare (self=<optimized out>, t=...) at /data/build/appliance/pkgs/suricata/build/production/rust/vendor/nom/src/traits.rs:659 pos = <error reading variable pos (Cannot access memory at address 0x0)> #7 nom::traits::{{impl}}::compare (self=<optimized out>, t=...) at /data/build/appliance/pkgs/suricata/build/production/rust/vendor/nom/src/traits.rs:714 No locals. #8 nom::bytes::streaming::tag::{{closure}}<&str,&[u8],(&[u8], nom::error::ErrorKind)> (i=...) at /data/build/appliance/pkgs/suricata/build/production/rust/vendor/nom/src/bytes/streaming.rs:37 t = <error reading variable> tag_len = 4 tag = <optimized out> tag_len = <optimized out> t = <optimized out> res = <error reading variable res (Cannot access memory at address 0x0)> e = <optimized out> #9 suricata::ftp::ftp_active_port (i=...) at /data/build/appliance/pkgs/suricata/build/production/rust/vendor/nom/src/combinator/macros.rs:124 No locals. #10 0x000055ef4e9360e5 in suricata::ftp::rs_ftp_active_port (input=0x0, len=<optimized out>) at src/ftp/mod.rs:81 buf = &[u8] {data_ptr: 0x4, length: 25} #11 0x000055ef4e79b19d in FTPParseResponse (f=0x7f7df446e380, ftp_state=0x7f82475e3480, pstate=<optimized out>, input=<optimized out>, input_len=<optimized out>, local_data=<optimized out>, flags=<optimized out>) at app-layer-ftp.c:818 tx = 0x7f828edfb600 dyn_port = <optimized out> state = 0x7f82475e3480 lasttx = 0x7f828edfb600 #12 0x000055ef4e7a72b6 in AppLayerParserParse (tv=tv@entry=0x7f844ce40fc0, alp_tctx=0x7f83e7c9c800, f=f@entry=0x7f7df446e380, alproto=2, flags=flags@entry=8 '\b', input=input@entry=0x7f7617e3a63d <removed>..., input_len=30) at app-layer-parser.c:1285 res = <optimized out> pstate = 0x7f75793d9500 p = <optimized out> alstate = 0x7f82475e3480 p_tx_cnt = 238 consumed = 30 direction = 1 cur_tx_cnt = <optimized out> #13 0x000055ef4e780cdc in AppLayerHandleTCPData (tv=tv@entry=0x7f844ce40fc0, ra_ctx=ra_ctx@entry=0x7f83e7cd8000, p=p@entry=0x7f83e7c73600, f=0x7f7df446e380, ssn=ssn@entry=0x7f83e7dede00, stream=stream@entry=0x7f83e9cfaff8, data=0x7f7617e3a63d <removed>..., data_len=30, flags=8 '\b') at app-layer.c:709 app_tctx = <optimized out> alproto = <optimized out> r = 0 direction = 1 failure = <optimized out> #14 0x000055ef4e88f5e9 in ReassembleUpdateAppLayer (dir=UPDATE_DIR_OPPOSING, p=0x7f83e7c73600, stream=0x7f83e9cfaff8, ssn=0x7f83e7dede00, ra_ctx=0x7f83e7cd8000, tv=0x7f844ce40fc0) at stream-tcp-reassemble.c:1190 flags = <optimized out> check_for_gap_ahead = <optimized out> new_app_progress = <optimized out> mydata = 0x7f7617e3a63d <removed>... mydata_len = 30 app_progress = 9397 gap_ahead = <optimized out> last_was_gap = false app_progress = <optimized out> mydata = <optimized out> mydata_len = <optimized out> gap_ahead = <optimized out> last_was_gap = <optimized out> flags = <optimized out> check_for_gap_ahead = <optimized out> new_app_progress = <optimized out> r = <optimized out> no_progress_update = <optimized out> #15 StreamTcpReassembleAppLayer (tv=tv@entry=0x7f844ce40fc0, ra_ctx=ra_ctx@entry=0x7f83e7cd8000, ssn=ssn@entry=0x7f83e7dede00, stream=<optimized out>, stream@entry=0x7f83e7dede10, p=p@entry=0x7f83e7c73600, dir=dir@entry=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1253 No locals. #16 0x000055ef4e8904da in StreamTcpReassembleHandleSegmentUpdateACK (p=<optimized out>, stream=<optimized out>, ssn=<optimized out>, ra_ctx=<optimized out>, tv=<optimized out>) at stream-tcp-reassemble.c:1822 No locals. #17 StreamTcpReassembleHandleSegment (tv=tv@entry=0x7f844ce40fc0, ra_ctx=0x7f83e7cd8000, ssn=ssn@entry=0x7f83e7dede00, stream=0x7f83e7dede98, p=p@entry=0x7f83e7c73600, pq=pq@entry=0x7f83e7cd7008) at stream-tcp-reassemble.c:1871 opposing_stream = 0x7f83e7dede10 reversed_before_ack_handling = <optimized out> reversed_after_ack_handling = <optimized out> dir = UPDATE_DIR_OPPOSING #18 0x000055ef4e883bd2 in HandleEstablishedPacketToClient (pq=<optimized out>, stt=<optimized out>, p=<optimized out>, ssn=<optimized out>, tv=<optimized out>) at stream-tcp.c:2469 zerowindowprobe = <optimized out> zerowindowprobe = <optimized out> ack_diff = <optimized out> ack_diff = <optimized out> ack_diff = <optimized out> ack_diff = <optimized out> sacked_size__ = <optimized out> #19 StreamTcpPacketStateEstablished (tv=tv@entry=0x7f844ce40fc0, p=p@entry=0x7f83e7c73600, stt=stt@entry=0x7f83e7cd7000, ssn=ssn@entry=0x7f83e7dede00, pq=0x7f83e7cd7008) at stream-tcp.c:2702 No locals. #20 0x000055ef4e889751 in StreamTcpStateDispatch (state=<optimized out>, pq=0x7f83e7cd7008, ssn=0x7f83e7dede00, stt=0x7f83e7cd7000, p=0x7f83e7c73600, tv=0x7f844ce40fc0) at stream-tcp.c:4711 No locals. #21 StreamTcpPacket (tv=0x7f844ce40fc0, p=p@entry=0x7f83e7c73600, stt=stt@entry=0x7f83e7cd7000, pq=0x7f83e7caa030) at stream-tcp.c:4896 ssn = 0x7f83e7dede00 error = <optimized out> #22 0x000055ef4e889cff in StreamTcp (tv=tv@entry=0x7f844ce40fc0, p=p@entry=0x7f83e7c73600, data=0x7f83e7cd7000, pq=pq@entry=0x7f83e7caa030) at stream-tcp.c:5234 stt = 0x7f83e7cd7000 #23 0x000055ef4e83f040 in FlowWorkerStreamTCPUpdate (timeout=false, detect_thread=0x7f83e738b000, p=0x7f83e7c73600, fw=0x7f83e7caa000, tv=0x7f844ce40fc0) at flow-worker.c:370 x = <optimized out> x = <optimized out> #24 FlowWorker (tv=0x7f844ce40fc0, p=0x7f83e7c73600, data=0x7f83e7caa000) at flow-worker.c:535 fw = 0x7f83e7caa000 detect_thread = 0x7f83e738b000 #25 0x000055ef4e89815f in TmThreadsSlotVarRun (tv=tv@entry=0x7f844ce40fc0, p=p@entry=0x7f83e7c73600, slot=<optimized out>) at tm-threads.c:127 r = <optimized out> s = 0x7f844df7d6c0 #26 0x000055ef4e876641 in TmThreadsSlotProcessPkt (p=0x7f83e7c73600, s=<optimized out>, tv=0x7f844ce40fc0) at tm-threads.h:195 r = <optimized out> r = <optimized out> #27 NapatechPacketLoop (tv=0x7f844ce40fc0, data=0x7f83e8d7d000, slot=<optimized out>) at source-napatech.c:1070
Updated by Jeff Lucovsky about 2 years ago
Suricata crashed while processing an FTP session.
Updated by Victor Julien about 2 years ago
- Status changed from New to Assigned
- Priority changed from Normal to High
Updated by Philippe Antoine almost 2 years ago
I see one way to trigger this :
- First FTP_COMMAND_PORT
request allocates state->port_line
and sets state->port_line_len
: everything is fine so far
- Another request tries to realloc but fails due to memcap : it resets state->port_line
but not state->port_line_len
- A response calls rs_ftp_active_port(NULL, 25);
Fix is like
diff --git a/src/app-layer-ftp.c b/src/app-layer-ftp.c
index 61a7566ee..be8787a90 100644
--- a/src/app-layer-ftp.c
+++ b/src/app-layer-ftp.c
@@ -647,6 +647,7 @@ static AppLayerResult FTPParseRequest(Flow *f, void *ftp_state,
FTPFree(state->port_line, state->port_line_size);
state->port_line = NULL;
state->port_line_size = 0;
+ state->port_line_len = 0;
}
SCReturnStruct(APP_LAYER_OK);
}
I should craft a S-V test first...
Updated by Philippe Antoine almost 2 years ago
- Assignee changed from OISF Dev to Philippe Antoine
- Target version changed from TBD to 7.0.0-rc1
- Label Needs backport added
Updated by Philippe Antoine almost 2 years ago
Updated by Philippe Antoine almost 2 years ago
Open question : how should have fuzzing found it ? What value of memcap is good here ?..
Updated by Philippe Antoine almost 2 years ago
- Status changed from In Review to Resolved
Updated by Victor Julien almost 2 years ago
- Status changed from Resolved to Closed
Updated by Philippe Antoine almost 2 years ago
- Related to Security #5851: rust: handle allocation failures added
Actions