Bug #60
closed — Processing the attached pcap causes segv in FlowDecrUsecnt.
Description
ulimit -c unlimited; src/suricata -c suricata.yaml -r ./defcon_eth0.dump4-fuzz-2010-01-15-02-29-40-2 -l ./
- 08:31:50 - (suricata.c:702) <Info> (main) -- signal received
....
- (ReceivePcapFile) Packets 6238, bytes 9221055.
[20143] 15/1/2010 -
[20143] 15/1/2010 -- 08:31:50 - (suricata.c:705) <Info> (main) -- SIGINT or EngineStop received
Segmentation fault (core dumped)
gdb src/suricata core
GNU gdb (GDB) 7.0-ubuntu
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/coz/downloads/suricatafuzz1/src/suricata...done.
[New Thread 20150]
[New Thread 20145]
[New Thread 20148]
[New Thread 20143]
[New Thread 20146]
[New Thread 20151]
[New Thread 20147]
[New Thread 20152]
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libhtp-0.1.so.1...done.
Loaded symbols for /usr/lib/libhtp-0.1.so.1
Reading symbols from /usr/lib/libpcap.so.0.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpcap.so.0.8
Reading symbols from /usr/local/lib/libpfring.so...done.
Loaded symbols for /usr/local/lib/libpfring.so
Reading symbols from /usr/lib/libnet.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libnet.so.1
Reading symbols from /lib/libpthread.so.0...Reading symbols from /usr/lib/debug/lib/libpthread-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/libyaml-0.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libyaml-0.so.1
Reading symbols from /lib/libpcre.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib/libpcre.so.3
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib/libgcc_s.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libgcc_s.so.1
Core was generated by `src/suricata -c suricata.yaml -r ./defcon_eth0.dump4-fuzz-2010-01-15-02-29-40-2'.
->tmqh_out(tv, p);
Program terminated with signal 11, Segmentation fault.
#0 __pthread_mutex_lock (mutex=0xab2a) at pthread_mutex_lock.c:50
50 pthread_mutex_lock.c: No such file or directory.
in pthread_mutex_lock.c
(gdb) bt full
#0 __pthread_mutex_lock (mutex=0xab2a) at pthread_mutex_lock.c:50
__PRETTY_FUNCTION__ = "__pthread_mutex_lock"
type = <value optimized out>
#1 0x0000000000412dc3 in FlowDecrUsecnt (tv=0x1d66a90, p=0x19abef0) at flow.c:317
No locals.
#2 0x00000000004790fb in TmqhOutputPacketpool (t=0x1d66a90, p=0x19abef0) at tmqh-packetpool.c:110
q = 0x6fa320
proot = 0 '\000'
#3 0x00000000004778a5 in TmThreadsSlotVar (td=0x1d66a90) at tm-threads.c:456
tv = 0x1d66a90
s = 0x208cb20
p = 0x19abef0
run = 1 '\001'
r = TM_ECODE_OK
slot = 0x0
#4 0x00007fb12299fa04 in start_thread (arg=<value optimized out>) at pthread_create.c:300
_res = <value optimized out>
pd = 0x7fb11b7fe910
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140398647306512, -1843535105462021956, 140735041854736, 0, 0, 3, 1803766868689375420, 1803752833517703356}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <value optimized out>
robust = <value optimized out>
#5 0x00007fb1222ba80d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#6 0x0000000000000000 in ?? ()
No symbol table info available.
(gdb) frame 3
#3 0x00000000004778a5 in TmThreadsSlotVar (td=0x1d66a90) at tm-threads.c:456
456 tv->tmqh_out(tv, p);
(gdb) print *p
$1 = {src = {family = 0 '\000', address = {address_un_data32 = {0, 0, 0, 0}, address_un_data16 = {0, 0, 0, 0, 0, 0, 0, 0}, address_un_data8 = '\000' <repeats 15 times>}}, dst = {family = 0 '\000', address = {address_un_data32 = {0, 0,
0, 0}, address_un_data16 = {0, 0, 0, 0, 0, 0, 0, 0}, address_un_data8 = '\000' <repeats 15 times>}}, {sp = 0, type = 0 '\000'}, {dp = 0, code = 0 '\000'}, proto = 0 '\000', recursion_level = 1 '\001', ts = {tv_sec = 995128208,
tv_usec = 740000}, rtv_cnt = 0 '\000', tpr_cnt = 0 '\000', mutex_rtv_cnt = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __list = {__prev = 0x0, __next = 0x0}},
__size = '\000' <repeats 39 times>, __align = 0}, tunnel_proto = 1 '\001', tunnel_pkt = 1 '\001', tunnel_verdicted = 0 '\000', pcap_v = {<No data fields>}, datalink = 1,
pkt = "\000\001K!\220\a\000 \340eN\371\b\000E\000\306w\000\000\000\000@\001\221\367{{{\027\n\377\036\375\b\000\377\367\000\000\000\000\004\363\377\277V\023\000@<\b\000@\240+\001@\240+\001@\000\000\000\000\000\000\000\000\003\000\000\000\360\065\001@\003\000\000\000L\362\377\277\234\006\000@x0\001@)W\356\001\b\000\367\367\000\000\000\000\004\363\377\277V\023\000@<\b\000@\240+\001@\240+\001@\000\000\000\000\000\000\000\000\003\000\000\000\360\065\001@\003\000\000\000\\\362\377\277\234\006\000@x0\001@9W\356\001\b\000\377\367\000\000\000\000\004\363\377\277V\023\000@<\b\000@\240+\001@\240+\001@\000\000\000\000\000\000+\000\003\000\000\000\360\065\001@\003\000\000\000\\\362\377\277\234\006\000@x0\001@9W\356\001\004\363\377\277\271\016\000@h\363\377\277p\233\000@\000\000\000\000\000\000\000\000\064\363\377\277\346\216\000@\364\201\004\b\360"..., pktlen = 50821, flow = 0xaaaa, flowflags = 0 '\000', flags = 0 '\000', pktvar = 0x0,
ethh = 0x0, ppph = 0x0, pppoesh = 0x0, pppoedh = 0x0, greh = 0x0, ip4h = 0x0, ip4vars = {ip_opt_len = 0 '\000', ip_opts = {{type = 8 '\b', len = 0 '\000', data = 0x19abf8c "\377", <incomplete sequence \367>}, {type = 0 '\000',
len = 0 '\000', data = 0x0} <repeats 39 times>}, ip_opt_cnt = 0 '\000', o_rr = 0x0, o_qs = 0x0, o_ts = 0x0, o_sec = 0x0, o_lsrr = 0x0, o_cipso = 0x0, o_sid = 0x0, o_ssrr = 0x0, o_rtralt = 0x0}, ip4c = {flags = 0,
ver = 0 '\000', hl = 20 '\024', ip_tos = 0 '\000', ip_len = 60, ip_id = 18109, ip_off = 0, _ip_off = 16384, rf = 0 '\000', df = 0 '\000', mf = 0 '\000', ip_ttl = 0 '\000', ip_proto = 6 '\006', ip_csum = 0, comp_csum = -1,
ip_src_u32 = 0, ip_dst_u32 = 0}, ip6h = 0x0, ip6vars = {ip_opts_len = 0 '\000', l4proto = 0 '\000'}, ip6c = {flags = 0, ver = 0 '\000', cl = 0 '\000', flow = 0 '\000', nh = 0 '\000', plen = 0, hlim = 0 '\000'}, ip6eh = {
ip6fh = 0x0, fh_offset = 0, ip6rh = 0x0, ip6ah = 0x0, ip6eh = 0x0, ip6dh1 = 0x0, ip6dh2 = 0x0, ip6hh = 0x0, ip6hh_opt_hao = {ip6hao_type = 0 '\000', ip6hao_len = 0 '\000', ip6hao_hoa = {__in6_u = {
__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}}, ip6hh_opt_ra = {ip6ra_type = 0 '\000', ip6ra_len = 0 '\000', ip6ra_value = 0}, ip6hh_opt_jumbo = {
ip6j_type = 0 '\000', ip6j_len = 0 '\000', ip6j_payload_len = 0}, ip6dh1_opt_hao = {ip6hao_type = 0 '\000', ip6hao_len = 0 '\000', ip6hao_hoa = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0,
0, 0}, __u6_addr32 = {0, 0, 0, 0}}}}, ip6dh1_opt_ra = {ip6ra_type = 0 '\000', ip6ra_len = 0 '\000', ip6ra_value = 0}, ip6dh1_opt_jumbo = {ip6j_type = 0 '\000', ip6j_len = 0 '\000', ip6j_payload_len = 0}, ip6dh2_opt_hao = {
ip6hao_type = 0 '\000', ip6hao_len = 0 '\000', ip6hao_hoa = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}}, ip6dh2_opt_ra = {ip6ra_type = 0 '\000',
ip6ra_len = 0 '\000', ip6ra_value = 0}, ip6dh2_opt_jumbo = {ip6j_type = 0 '\000', ip6j_len = 0 '\000', ip6j_payload_len = 0}, ip6_exthdrs = {{type = 0 '\000', next = 0 '\000', len = 0 '\000', data = 0x0} <repeats 40 times>},
ip6_exthdrs_cnt = 0 '\000'}, icmpv4h = 0x19abf8a, icmpv4c = {comp_csum = -1}, icmpv4vars = {type = 0 '\000', code = 0 '\000', csum = 0, id = 0, seq = 0, mtu = 0, error_ptr = 0, emb_ipv4h = 0x0, emb_tcph = 0x0, emb_udph = 0x0,
emb_icmpv4h = 0x0, emb_ip4_src = {s_addr = 0}, emb_ip4_dst = {s_addr = 0}, emb_ip4_hlen = 0 '\000', emb_sport = 0, emb_dport = 0}, icmpv6h = 0x0, icmpv6c = {comp_csum = -1}, icmpv6vars = {type = 0 '\000', code = 0 '\000', csum = 0,
id = 0, seq = 0, mtu = 0, error_ptr = 0, emb_ipv6h = 0x0, emb_tcph = 0x0, emb_udph = 0x0, emb_icmpv6h = 0x0, emb_ip6_src = {0, 0, 0, 0}, emb_ip6_dst = {0, 0, 0, 0}, emb_ip6_proto_next = 0 '\000', emb_sport = 0, emb_dport = 0},
tcph = 0x0, tcpvars = {hlen = 40 '(', tcp_opt_len = 20 '\024', tcp_opts = {{type = 2 '\002', len = 4 '\004', data = 0x19abfa0 "\001@\240+\001@"}, {type = 4 '\004', len = 2 '\002', data = 0x19abfa4 "\001@"}, {type = 8 '\b',
len = 10 '\n', data = 0x19abfa6 ""}, {type = 3 '\003', len = 3 '\003', data = 0x19abfb1 ""}, {type = 0 '\000', len = 0 '\000', data = 0x0} <repeats 16 times>}, tcp_opt_cnt = 0 '\000', sackok = 0x0, ws = 0x0, ts = 0x0,
mss = 0x0}, tcpc = {comp_csum = -1, ts1 = 0, ts2 = 0}, udph = 0x0, udpvars = {hlen = 0 '\000'}, udpc = {comp_csum = -1}, payload = 0x19abfb2 "\360\065\001@\003", payload_len = 0,
events = "P\320\000\000 ", '\000' <repeats 8185 times>, http_uri = {raw = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, raw_size = {0, 0, 0, 0, 0, 0, 0, 0}, norm = {'\000' <repeats 1023 times>, '\000' <repeats 1023 times>,
'\000' <repeats 1023 times>, '\000' <repeats 1023 times>, '\000' <repeats 1023 times>, '\000' <repeats 1023 times>, '\000' <repeats 1023 times>, '\000' <repeats 1023 times>}, norm_size = {0, 0, 0, 0, 0, 0, 0, 0}, cnt = 0 '\000'},
alerts = {cnt = 0, alerts = {{gid = 0, sid = 0, rev = 0 '\000', class = 0 '\000', prio = 0 '\000', msg = 0x0, class_msg = 0x0} <repeats 256 times>}}, action = 0, next = 0x0, prev = 0x0, root = 0x17764f0}