Bug #59
closedProcessing the attached pcap causes segv in Defrag4Reassemble.
Description
ulimit c unlimited; src/suricata -c suricata.yaml -r ./fuzz-2009-07-13-16147.pcap-fuzz-2010-01-14-22-03-53-MIOP-5 -l ./ 23:25:21 - (alert-fastlog.c:230) <Info> (AlertFastLogInitCtx) -- Fast log output registered, filename: fast.log
...
RunModeFilePcap: file ./fuzz-2009-07-13-16147.pcap-fuzz-2010-01-14-22-03-53-MIOP-5
TmModuleReceivePcapFileRegister: datalink 1
[13713] 14/1/2010 -
[13713] 14/1/2010 -- 23:25:21 - (tm-threads.c:1141) <Info> (TmThreadWaitOnThreadInit) -- all 6 packet processing threads, 3 management threads initialized, engine started.
Segmentation fault (core dumped)
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libhtp-0.1.so.1...done.
Loaded symbols for /usr/lib/libhtp-0.1.so.1
Reading symbols from /usr/lib/libpcap.so.0.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpcap.so.0.8
Reading symbols from /usr/local/lib/libpfring.so...done.
Loaded symbols for /usr/local/lib/libpfring.so
Reading symbols from /usr/lib/libnet.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libnet.so.1
Reading symbols from /lib/libpthread.so.0...Reading symbols from /usr/lib/debug/lib/libpthread-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/libyaml-0.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libyaml-0.so.1
Reading symbols from /lib/libpcre.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib/libpcre.so.3
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Core was generated by `src/suricata c suricata.yaml -r ./fuzz-2009-07-13-16147.pcap-fuzz-2010-01-14-2'.>ip4h->ip_len + rp->ip4h->ip_off;
Program terminated with signal 11, Segmentation fault.
#0 0x00000000004a66a6 in Defrag4Reassemble (tv=0xf35330, dc=0x2766e70, tracker=0x33e6e60, p=0xb0acf0) at defrag.c:767
767 int old = rp
(gdb) bt full
#0 0x00000000004a66a6 in Defrag4Reassemble (tv=0xf35330, dc=0x2766e70, tracker=0x33e6e60, p=0xb0acf0) at defrag.c:767
rp = 0xb4eaf0
frag = 0x0
len = 217096
FUNCTION = "Defrag4Reassemble"
payload_len = 200744
fragmentable_offset = 34
pktlen = 34
hlen = 20
PRETTY_FUNCTION = "Defrag4Reassemble"
old = 41315952
#1 0x00000000004a7a13 in Defrag (tv=0xf35330, dc=0x2766e70, p=0xb0acf0) at defrag.c:1042
rp = 0x0
frag_offset = 0
more_frags = 1 '\001'
tracker = 0x33e6e60
lookup = {dc = 0x1, policy = 0 '\000', timeout = {tv_sec = 13555904, tv_usec = 140176448199792}, family = 2 '\002', id = 0, src_addr = {family = 2 '\002', address = {address_un_data32 = {773611274, 0, 0, 0},
address_un_data16 = {24330, 11804, 0, 0, 0, 0, 0, 0}, address_un_data8 = "\n_\034.", '\000' <repeats 11 times>}}, dst_addr = {family = 2 '\002', address = {address_un_data32 = {773611274, 0, 0, 0}, address_un_data16 = {
24330, 11804, 0, 0, 0, 0, 0, 0}, address_un_data8 = "\n_\034.", '\000' <repeats 11 times>}}, seen_last = 240 '\360', lock = {__data = {__lock = 13524992, _count = 0, __owner = 1590550400, __nusers = 32637,
__kind = 4268756, __spins = 0, __list = {_prev = 0xf35430, __next = 0x3fe00040d382}},
__size = "\000`\316\000\000\000\000\000\200\337\315^}\177\000\000\324\"A\000\000\000\000\000\060T\363\000\000\000\000\000\202\323@\000\340?\000", __align = 13524992}, frags = {tqh_first = 0xb0ad8a, tqh_last = 0xb0acf0}}
id = 0
af = 2
#2 0x000000000040e303 in DecodeIPV4 (tv=0xf35330, dtv=0x114dbc0, p=0xb0acf0, pkt=0xb0ad76 "E", len=16372, pq=0xf35430) at decode-ipv4.c:622
rp = 0x0
ret = 0
#3 0x000000000040a92a in DecodeEthernet (tv=0xf35330, dtv=0x114dbc0, p=0xb0acf0, pkt=0xb0ad68 "", len=16386, pq=0xf35430) at decode-ethernet.c:29
ethh = 0xb0ad68
#4 0x000000000040a1af in DecodePcapFile (tv=0xf35330, p=0xb0acf0, data=0x114dbc0, pq=0xf35430) at source-pcap-file.c:189
dtv = 0x114dbc0
#5 0x0000000000477438 in TmThreadsSlot1 (td=0xf35330) at tm-threads.c:325
tv = 0xf35330
s = 0xf35400
p = 0xb0acf0
run = 1 '\001'
r = TM_ECODE_OK
#6 0x00007f7d601bca04 in start_thread (arg=<value optimized out>) at pthread_create.c:300
__res = <value optimized out>
pd = 0x7f7d5ecde910
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140176438192400, 8460256964417391110, 140735706840688, 0, 0, 3, -8389533783375771130, -8389609255341422074}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <value optimized out>
robust = <value optimized out>
#7 0x00007f7d5fad780d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#8 0x0000000000000000 in ?? ()
No symbol table info available.
Files
Updated by Will Metcalf over 14 years ago
- File fuzz-2009-07-13-16147.pcap-fuzz-2010-01-14-22-03-53-MIOP-5.gz fuzz-2009-07-13-16147.pcap-fuzz-2010-01-14-22-03-53-MIOP-5.gz added
hmmm thats weird lets try this again.
Updated by Victor Julien about 14 years ago
- Status changed from Resolved to Closed