Bug #5978: stream/reassembly: memcap exception policy incorrectly applied - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #5978

closed

stream/reassembly: memcap exception policy incorrectly applied

Added by Jamie Lavigne about 1 year ago. Updated 10 months ago.

Status:

Closed

Priority:

Normal

Assignee:

Victor Julien

Target version:

7.0.0-rc2

Affected Versions:

Effort:

Difficulty:

Label:

Description

We are seeing two related behaviors that are occurring even when we are not exceeding the stream reassembly memcap limit:

- The stream reassembly memcap exception policy can be applied despite not reaching the memcap
- We see the stats counter called segment_memcap_drop incrementing despite not reaching the memcap

We need Suricata to independently verify, but from my reading it appears that some non memory-related error handling within the stream reassembly can also be incorrectly counted as out-of-memory errors. The exception policy contains a comment [1] noting that all failures here are caused by a memcap hit, but I have found what look like two possible cases ([2] and [3]) where other unrelated error handling deeper down can cause this to happen. There may be other cases as well.

[1] https://github.com/OISF/suricata/blob/master-6.0.x/src/stream-tcp-reassemble.c#L1903-L1905
[2] https://github.com/OISF/suricata/blob/master-6.0.x/src/stream-tcp-list.c#L173
[3] https://github.com/OISF/suricata/blob/master-6.0.x/src/util-streaming-buffer.c#L703

Related issues 1 (1 open — 0 closed)

Actions

Copy link

Updated by Victor Julien about 1 year ago

Subject changed from The stream reassembly memcap exception policy appears to be incorrectly applied to stream/reassembly: memcap exception policy incorrectly applied
Target version changed from TBD to 7.0.0-rc2