Bug #6201
closed
multi-tenancy: crash under test mode when tenant signature load fails
Description
When running Suricata under test mode with multi-tenancy configured, a crash often occurs when signature loading fails.
When using a tenant configuration file that lacks a definition for DNP3_SERVER and the tenant's configuration specifies an ETPro rule file from early 2023, the following error message is printed, the signature is rejected, and test mode "fails":
5/7/2023 -- 13:26:27 - <Error> - [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "DNP3_SERVER" is not defined in configuration file
5/7/2023 -- 13:26:27 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any <> $DNP3_SERVER <redacted>"
5/7/2023 -- 13:26:45 - <Error> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
Then, this crash occurs:
Thread 15 "DL#02" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe89ff640 (LWP 2053)]
VariableNameGetIdx (type=VAR_TYPE_FLOW_BIT, name=0x7fffe89e8b80 "ETPRO.slenfbot_g_pass", v=0x0) at util-var-name.c:190
190 VariableName *lookup_fn = (VariableName *)HashListTableLookup(v->names, (void *)fn, 0);
(gdb) p v
$1 = (VarNameStore *) 0x0
(gdb) bt
#0 VariableNameGetIdx (type=VAR_TYPE_FLOW_BIT, name=0x7fffe89e8b80 "ETPRO.slenfbot_g_pass", v=0x0) at util-var-name.c:190
#1 VarNameStoreSetupAdd (name=name@entry=0x7fffe89e8b80 "ETPRO.slenfbot_g_pass", type=type@entry=VAR_TYPE_FLOW_BIT) at util-var-name.c:327
#2 0x00005555556ef29d in DetectFlowbitParse (de_ctx=0x7fffe7c04000, rawstr=<optimized out>, cdout=cdout@entry=0x7fffe89e8cd0) at detect-flowbits.c:313
#3 0x00005555556ef42f in DetectFlowbitSetup (de_ctx=<optimized out>, s=0x7fffaa437a40, rawstr=<optimized out>) at detect-flowbits.c:335
#4 0x0000555555706798 in SigParseOptions (output_size=275, output=0x7fffe89e8d00 "", optstr=0x7fffe89e8e21 "flowbits", s=0x7fffaa437a40, de_ctx=0x7fffe7c04000) at detect-parse.c:815
#5 SigParse (parser=0x7fffe89e8fb0, addrs_direction=<optimized out>, sigstr=0x7fffe89faff0 "\260\260\237\350\377\177", s=<optimized out>, de_ctx=<optimized out>) at detect-parse.c:1251
#6 SigInitHelper (de_ctx=de_ctx@entry=0x7fffe7c04000, sigstr=sigstr@entry=0x7fffe89fb0b0 "alert tcp $HOME_NET any -> $EXTERNAL_NET 1234 (msg:\"ETPRO WORM Worm.Win32.Slenfbot.G Checkin 2\"; flow:to_server,established; content:\"PASS xxx|0D|\"; depth:9; nocase; flowbits:set,ETPRO.slenfbot_g_pass"..., dir=dir@entry=0 '\000') at detect-parse.c:1910
#7 0x00005555557079e2 in SigInit (de_ctx=de_ctx@entry=0x7fffe7c04000, sigstr=sigstr@entry=0x7fffe89fb0b0 "alert tcp $HOME_NET any -> $EXTERNAL_NET 1234 (msg:\"ETPRO WORM Worm.Win32.Slenfbot.G Checkin 2\"; flow:to_server,established; content:\"PASS xxx|0D|\"; depth:9; nocase; flowbits:set,ETPRO.slenfbot_g_pass"...) at detect-parse.c:2079
#8 0x0000555555707bb7 in DetectEngineAppendSig (de_ctx=de_ctx@entry=0x7fffe7c04000, sigstr=sigstr@entry=0x7fffe89fb0b0 "alert tcp $HOME_NET any -> $EXTERNAL_NET 1234 (msg:\"ETPRO WORM Worm.Win32.Slenfbot.G Checkin 2\"; flow:to_server,established; content:\"PASS xxx|0D|\"; depth:9; nocase; flowbits:set,ETPRO.slenfbot_g_pass"...) at detect-parse.c:2377
#9 0x00005555556dbeab in DetectLoadSigFile (de_ctx=de_ctx@entry=0x7fffe7c04000, sig_file=sig_file@entry=0x7fffe7c034f0 "/tmp/etc/suricata/rules/tenant-2.rules", goodsigs=goodsigs@entry=0x7fffe89fd1c8, badsigs=0x7fffe89fb0b0, badsigs@entry=0x7fffe89fd1cc) at detect-engine-loader.c:169
#10 0x00005555556dc208 in ProcessSigFiles (de_ctx=de_ctx@entry=0x7fffe7c04000, pattern=pattern@entry=0x7fffe7c034c0 "/tmp/etc/suricata/rules/tenant-2.rules", st=st@entry=0x7fffe7c05410, good_sigs=good_sigs@entry=0x7fffe89fd1c8, bad_sigs=bad_sigs@entry=0x7fffe89fd1cc) at detect-engine-loader.c:252
#11 0x00005555556dc9c6 in SigLoadSignatures (de_ctx=de_ctx@entry=0x7fffe7c04000, sig_file=sig_file@entry=0x0, sig_file_exclusive=sig_file_exclusive@entry=0) at detect-engine-loader.c:312
#12 0x00005555556c7bd6 in DetectEngineMultiTenantLoadTenant (loader_id=1, filename=<optimized out>, tenant_id=2) at detect-engine.c:3348
#13 DetectLoaderFuncLoadTenant (vctx=<optimized out>, loader_id=1) at detect-engine.c:3429
#14 0x00005555556dc3fb in DetectLoader (thread_data=<optimized out>, th_v=<optimized out>) at detect-engine-loader.c:593
#15 DetectLoader (th_v=0x7ffff1a768c0, thread_data=0x7fffe7c00000) at detect-engine-loader.c:572
#16 0x0000555555782a43 in TmThreadsManagement (td=0x7ffff1a768c0) at tm-threads.c:562
#17 0x00007ffff64abf3e in start_thread (arg=0x7fffe89ff640) at pthread_create.c:463
#18 0x00007ffff69f114f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
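A pre-flight check for the trigger condition in the report above (a tenant rule file referencing a variable such as $DNP3_SERVER that the tenant configuration never defines), as an added example that is not part of the original report or of Suricata's code. It assumes the tenant YAML keeps its variables under `address-groups:` and `port-groups:` as in the stock suricata.yaml; the function names and sample inputs are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from the bug report).
SAMPLE_TENANT_YAML = """\
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16]"
    EXTERNAL_NET: "!$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
"""
SAMPLE_RULES = """\
alert tcp any any <> $DNP3_SERVER any (msg:"constructed A"; sid:1000001;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1234 (msg:"constructed B"; sid:1000002;)
# alert tcp $UNUSED any -> any any (msg:"disabled rule"; sid:1000003;)
"""

def defined_vars(yaml_text):
    """Collect key names nested under address-groups: / port-groups:."""
    names, group_indent = set(), None
    for line in yaml_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if stripped in ("address-groups:", "port-groups:"):
            group_indent = indent
        elif group_indent is not None and indent > group_indent:
            names.add(stripped.split(":", 1)[0])
        else:
            group_indent = None  # left the variable block
    return names

def undefined_rule_vars(rules_text, defined):
    """Map each undefined $VAR used in a rule header to its line numbers."""
    missing = {}
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith("#") or "(" not in rule:
            continue  # blank, disabled, or not a rule
        header = rule.split("(", 1)[0]  # action/proto/addresses/ports only
        for name in re.findall(r"\$(\w+)", header):
            if name not in defined:
                missing.setdefault(name, []).append(lineno)
    return missing

if __name__ == "__main__":
    found = undefined_rule_vars(SAMPLE_RULES, defined_vars(SAMPLE_TENANT_YAML))
    for name, lines in found.items():
        print(f"${name} is undefined; used on rule line(s) {lines}")
```

Running it per tenant before test mode lists every variable that would produce the SC_ERR_UNDEFINED_VAR error shown above.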
Updated by Victor Julien over 1 year ago
- Status changed from New to In Progress
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 7.0.1
- Label Needs backport to 6.0 added
Updated by Victor Julien over 1 year ago
- Related to Bug #6044: detect: multi-tenancy leaks memory if more than 1 tenant registered added
Updated by Victor Julien over 1 year ago
- Subject changed from Multi-tenancy: crash under test mode when tenant signature load fails to multi-tenancy: crash under test mode when tenant signature load fails
- Status changed from In Progress to In Review
Updated by Victor Julien over 1 year ago
- Status changed from In Review to Resolved