Bug #6170

streaming-buffer: exceeds limit when downloading large file with file-store enabled and inspecting file_data content

Added by Jason Ish 11 months ago. Updated 10 months ago.

Status: Closed
Priority: Normal
Target version: 7.0.0-rc2
Affected Versions: 7.0.0-beta1, 7.0.0-rc1

Description

This bug is largely a copy of #6120. While #6120 fixed the non-file_data case, the issue still occurs with file_data.

When downloading a large file over http and using a configuration tuned for larger file extraction, the StreamingBuffer will exceed its maximum size of 1GB when using content with file_data.

Warning: streaming-buffer: StreamingBuffer::GrowRegionToSize() tried to alloc 1073968568 bytes, exceeds limit of 1073741824 [GrowRegionToSize:util-streaming-buffer.c:710]

My test case was a 9GB Linux ISO, but I have created a truncated version of the pcap that stops just after 1GB of data: https://codemonkey.net/tmp/iso-truncated.pcap.xz

To reproduce, use a rule like the following:

alert http any any -> any any (msg:"ISO"; flow:established,to_client; file_data; content:"Operating system load error"; filestore; classtype:policy-violation; sid:9000000; rev:1;)

Then in suricata.yaml:
- Enable file-store.
- Comment out stream.reassembly.depth, or set it to 0 or to some number over 1GB (like 1.1gb).

Then run Suricata (unfortunately -k none is required):

./src/suricata -k none -l ./log -c ./suricata.yaml -r ~/iso-truncated.pcap -S ./test.rules

Output:

Notice: suricata: This is Suricata version 7.0.0-rc3-dev (643e674cb2 2023-06-16) running in USER mode [LogVersion:suricata.c:1157]
Notice: threads: Threads created -> W: 1 FM: 1 FR: 1   Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1888]
Warning: streaming-buffer: StreamingBuffer::GrowRegionToSize() tried to alloc 1073968568 bytes, exceeds limit of 1073741824 [GrowRegionToSize:util-streaming-buffer.c:710]
Error: pcap: error code -1 truncated dump file; tried to read 26130 captured bytes, only got 5024 for /home/jason/iso-truncated.pcap [PcapFileDispatch:source-pcap-file-helper.c:156]
Notice: suricata: Signal Received.  Stopping engine. [SuricataMainLoop:suricata.c:2831]
Notice: pcap: read 0 files, 389566 packets, 1140641880 bytes [ReceivePcapFileThreadExitStats:source-pcap-file.c:388]

Additionally, now that FilePruneFile is being called, #5868 is occurring in git master with file-store saving 0 byte files.

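The suricata.yaml changes the reproduction steps ask for, written out as an added example (this fragment is not part of the original report or of the Suricata repository). The keys are Suricata's own (file-store under outputs, and stream.reassembly.depth); the directory name and the 1.1gb figure are assumptions picked to match the report, and everything not shown stays at its default.

```yaml
# Added example: minimal suricata.yaml fragment for the reproduction above.
# Keys are Suricata's own; the values (dir, 1.1gb) are assumptions chosen to
# match the report. Everything else in suricata.yaml is left at its defaults.
outputs:
  - file-store:
      version: 2
      enabled: yes          # step 1 of the report: enable file-store
      dir: filestore        # relative to the log dir given with -l (./log above)
      # file-store has its own stream-depth override; it is deliberately left
      # unset here so that the global stream.reassembly.depth below is the
      # only depth setting in play for this test.

stream:
  reassembly:
    # Step 2 of the report: any one of these three variants is what the
    # report says triggers the warning. Only one key is active at a time.
    #   depth: 0       -> no reassembly depth limit
    #   depth: 1.1gb   -> a limit above the 1GB (1073741824 byte) region
    #                     limit quoted in the GrowRegionToSize() warning
    #   (or comment the key out entirely)
    depth: 0
    # stream.reassembly.memcap is not changed by this fragment and still
    # bounds total reassembly memory across all sessions.
```

With this fragment in place, the run is the one from the report: ./src/suricata -k none -l ./log -c ./suricata.yaml -r iso-truncated.pcap -S ./test.rules, where -k none turns off checksum checking and test.rules holds the file_data/filestore rule above. The fix referenced later in this ticket makes the warning disappear for the same configuration, so the fragment doubles as a regression check: the GrowRegionToSize() warning in the log means the bug is still present.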

Related issues (3: 1 open, 2 closed)

Related to Suricata - Bug #6120: streaming-buffer: exceeds limit when downloading large file with file-store enabled (Closed, Victor Julien)
Related to Suricata - Bug #5868: filestore: not saving files when filestore enabled by rule matching on file_data (instead saves 0 bytes) (Closed, Jeff Lucovsky)
Related to Suricata - Bug #6148: streaming-buffer: exceeds limit when downloading large file with file-store enabled and inspecting file_data content (6.0.x backport) (Assigned, Victor Julien)
#1

Updated by Jason Ish 11 months ago

  • Related to Bug #6120: streaming-buffer: exceeds limit when downloading large file with file-store enabled added
#2

Updated by Jason Ish 11 months ago

  • Subtask #6148 added
#3

Updated by Jason Ish 11 months ago

  • Related to Bug #5868: filestore: not saving files when filestore enabled by rule matching on file_data (instead saves 0 bytes) added
#4

Updated by Victor Julien 10 months ago

  • Target version changed from TBD to 7.0.1
#5

Updated by Victor Julien 10 months ago

  • Status changed from New to Resolved
  • Target version changed from 7.0.1 to 7.0.0-rc2

I believe this is actually fixed by the same commit as #6120. I've created a test case based on the rule above and it passes in master. I've bisected it to be fixed by https://github.com/OISF/suricata/pull/9009/commits/c90f67ac55bd2bae6efabb2dcde7677336fa1773, which is the same fix as for #6120.

If this is incorrect, please reopen the ticket and provide a test case to reproduce the issue.

#6

Updated by Victor Julien 10 months ago

  • Subtask deleted (#6148)
#7

Updated by Victor Julien 10 months ago

  • Related to Bug #6148: streaming-buffer: exceeds limit when downloading large file with file-store enabled and inspecting file_data content (6.0.x backport) added
#8

Updated by Victor Julien 10 months ago

  • Status changed from Resolved to Closed
  • Affected Versions 7.0.0-beta1, 7.0.0-rc1 added
  • Affected Versions deleted (7.0.0-rc2)