Bug #6305: drop: assertion failed !(PKT_IS_PSEUDOPKT(p)) && !PacketCheckAction(p, ACTION_DROP) - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #6305

closed

PA PA

drop: assertion failed !(PKT_IS_PSEUDOPKT(p)) && !PacketCheckAction(p, ACTION_DROP)

Bug #6305: drop: assertion failed !(PKT_IS_PSEUDOPKT(p)) && !PacketCheckAction(p, ACTION_DROP)

Added by Philippe Antoine over 2 years ago. Updated about 2 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Philippe Antoine

Target version:

8.0.0-beta1

Affected Versions:

Effort:

Difficulty:

Label:

Description

Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62147&q=label%3AProj-suricata

Reproducer is with rule

drop http any any -> any any (msg:"Malicious_mse flowbit"; sid:1; rev:1;)

./src/suricata -S drop.rules -r drop3.pcap -c suricata.yaml -k none --set stream.midstream=true

Assertion was added by commit 95bf7248e85

Files

drop3.pcap (1.19 KB) drop3.pcap

Philippe Antoine, 09/11/2023 08:15 AM

Subtasks 2 (0 open — 2 closed)

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#1

This is a HTTP1->HTTP2 upgrade

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
#2

Timeline is
- packet 1 is processed (of the TCP flow) : nothing happens (waiting for ACK...)
- packet 2 is processed
- parsing packet 1
- generating app-layer-protocol change
- In FlowWorkerStreamTCPUpdate FlowChangeProto is true and StreamTcpDetectLogFlush is called, this creates pseudo packets to log the HTTP1 part of the packet, and then going on with HTTP2
- while dequeuing and processing Detect on these pseudo packets, we are setting flow action drop ie f->flags |= FLOW_ACTION_DROP;
- we then run Detect on the second packet, but we did not have the chance to call FlowHandlePacketUpdate which checks the flow flags to set the packet action