Bug #6305
closeddrop: assertion failed !(PKT_IS_PSEUDOPKT(p)) && !PacketCheckAction(p, ACTION_DROP)
Description
Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62147&q=label%3AProj-suricata
Reproducer is with rule
drop http any any -> any any (msg:"Malicious_mse flowbit"; sid:1; rev:1;)
./src/suricata -S drop.rules -r drop3.pcap -c suricata.yaml -k none --set stream.midstream=true
Assertion was added by commit 95bf7248e85
Files
Updated by Philippe Antoine 7 months ago
Timeline is
- packet 1 is processed (of the TCP flow) : nothing happens (waiting for ACK...)
- packet 2 is processed
- parsing packet 1
- generating app-layer-protocol change
- In FlowWorkerStreamTCPUpdate FlowChangeProto is true and StreamTcpDetectLogFlush is called, this creates pseudo packets to log the HTTP1 part of the packet, and then going on with HTTP2
- while dequeuing and processing Detect on these pseudo packets, we are setting flow action drop ie f->flags |= FLOW_ACTION_DROP;
- we then run Detect on the second packet, but we did not have the chance to call FlowHandlePacketUpdate which checks the flow flags to set the packet action
Updated by Philippe Antoine 7 months ago
- Status changed from New to In Review
Updated by Victor Julien 7 months ago
- Assignee changed from Victor Julien to Philippe Antoine
Updated by Victor Julien 7 months ago
- Target version changed from 7.0.2 to 7.0.3
Updated by Victor Julien 6 months ago
- Target version changed from 7.0.3 to 8.0.0-beta1
- Label Needs backport to 6.0, Needs backport to 7.0 added
Updated by Philippe Antoine about 2 months ago
Updated by Philippe Antoine about 2 months ago
- Status changed from In Review to Resolved
Updated by Philippe Antoine about 2 months ago
- Status changed from Resolved to Closed