Bug #65
closedProcessing the attached pcap causes abort in Defrag4Reassemble.
Description
ulimit -c unlimited; src/suricata -c suricata.yaml -r ./defcon_eth0.dump6-fuzz-2010-01-21-19-52-36-4 -l ./
[14295] 21/1/2010 -- 21:53:33 - (alert-fastlog.c:230) <Info> (AlertFastLogInitCtx) -- Fast log output registered, filename: fast.log
[14295] 21/1/2010 -- 21:53:33 - (tm-threads.c:1141) <Info> (TmThreadWaitOnThreadInit) -- all 6 packet processing threads, 3 management threads initialized, engine started.
TmqDebugList: id 0, name 'pickup-queue', len 50
TmqDebugList: id 1, name 'decode-queue1', len 0
TmqDebugList: id 2, name 'stream-queue1', len 0
TmqDebugList: id 3, name 'alert-queue1', len 0
TmqDebugList: id 0, name 'pickup-queue', len 49
TmqDebugList: id 1, name 'decode-queue1', len 0
TmqDebugList: id 2, name 'stream-queue1', len 0
TmqDebugList: id 3, name 'alert-queue1', len 0
suricata: defrag.c:766: Defrag4Reassemble: Assertion `!(fragmentable_offset + frag->offset + frag->data_len > (int)sizeof(rp->pkt))' failed.
coz@coz-desktop:~/downloads/suricatafuzz2$ gdb src/suricata core
GNU gdb (GDB) 7.0-ubuntu
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/coz/downloads/suricatafuzz2/src/suricata...done.
[New Thread 14299]
[New Thread 14295]
[New Thread 14296]
[New Thread 14301]
[New Thread 14303]
[New Thread 14304]
[New Thread 14298]
[New Thread 14300]
[New Thread 14302]
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libhtp-0.1.so.1...done.
Loaded symbols for /usr/lib/libhtp-0.1.so.1
Reading symbols from /usr/lib/libpcap.so.0.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpcap.so.0.8
Reading symbols from /usr/local/lib/libpfring.so...done.
Loaded symbols for /usr/local/lib/libpfring.so
Reading symbols from /usr/lib/libnet.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libnet.so.1
Reading symbols from /lib/libpthread.so.0...Reading symbols from /usr/lib/debug/lib/libpthread-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/libyaml-0.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libyaml-0.so.1
Reading symbols from /lib/libpcre.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib/libpcre.so.3
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Core was generated by `src/suricata c suricata.yaml -r ./defcon_eth0.dump6-fuzz-2010-01-21-19-52-36-4'.>offset + frag->data_len > (int)sizeof(rp->pkt))", file=<value optimized out>, line=766, function=0x4bb050 "Defrag4Reassemble")
Program terminated with signal 6, Aborted.
#0 0x00007f4c1a9834b5 in *GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) bt full
#0 0x00007f4c1a9834b5 in *_GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
pid = <value optimized out>
selftid = <value optimized out>
#1 0x00007f4c1a986f50 in *_GI_abort () at abort.c:92
act = {__sigaction_handler = {sa_handler = 0x4baea8, sa_sigaction = 0x4baea8}, sa_mask = {__val = {139964841482472, 139964826474640, 766, 139964826474880, 139964840630726, 206158430232, 139964826474896, 139964826474672,
139964840541608, 206158430256, 139964826474920, 47734528, 24688, 7577341824255026540, 8026956504180028526, 140736117499385}}, sa_flags = 447232403, sa_restorer = 0x4babe0}
sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007f4c1a97c481 in *_GI_assert_fail (assertion=0x4baea8 "!(fragmentable_offset + frag
at assert.c:81
buf = 0x2d85f00 "suricata: defrag.c:766: Defrag4Reassemble: Assertion `!(fragmentable_offset + frag->offset + frag->data_len > (int)sizeof(rp->pkt))' failed.\n"
#3 0x00000000004a7d39 in Defrag4Reassemble (tv=0x299f4d0, dc=0x7f4c114e0820, tracker=0x7f4c1215fe10, p=0x25fc8b0) at defrag.c:765
rp = 0x2d6f330
frag = 0x7f4c12450ea0
len = 75629
FUNCTION = "Defrag4Reassemble"
fragmentable_offset = 34
fragmentable_len = 65479
hlen = 20
ip_hdr_offset = 14
PRETTY_FUNCTION = "Defrag4Reassemble"
old = 290326560
#4 0x00000000004a9212 in Defrag (tv=0x299f4d0, dc=0x7f4c114e0820, p=0x25fc8b0) at defrag.c:1051
rp = 0x0
frag_offset = 16
more_frags = 1 '\001'
tracker = 0x7f4c1215fe10
lookup = {dc = 0x5, policy = 192 '\300', timeout = {tv_sec = 41235776, tv_usec = 139964836379312}, family = 2 '\002', id = 0, src_addr = {family = 2 '\002', address = {address_un_data32 = {393968507, 0, 0, 0},
address_un_data16 = {31611, 6011, 0, 0, 0, 0, 0, 0}, address_un_data8 = "{{{\027", '\000' <repeats 11 times>}}, dst_addr = {family = 2 '\002', address = {address_un_data32 = {4246667018, 0, 0, 0}, address_un_data16 = {
65290, 64798, 0, 0, 0, 0, 0, 0}, address_un_data8 = "\n\377\036\375", '\000' <repeats 11 times>}}, seen_last = 240 '\360', lock = {_data = {__lock = 41222336, _count = 0, __owner = 432234368, __nusers = 32588,
__kind = 4260050, __spins = 0, __list = {_prev = 0x299f5d0, _next = 0x470040d3da}},
__size = "\300\000u\002\000\000\000\000\200\303\031L\177\000\000\322\000A\000\000\000\000\000\320\365\231\002\000\000\000\000\332\323@\000G\000\000", __align = 41222336}, frags = {tqh_first = 0x25fc94a,
tqh_last = 0x25fc8b0}}
id = 0
af = 2
#5 0x000000000040e35a in DecodeIPV4 (tv=0x299f4d0, dtv=0x2bb76d0, p=0x25fc8b0, pkt=0x25fc936 "E", len=91, pq=0x299f5d0) at decode-ipv4.c:622
rp = 0x0
ret = 0
#6 0x000000000040a982 in DecodeEthernet (tv=0x299f4d0, dtv=0x2bb76d0, p=0x25fc8b0, pkt=0x25fc928 "", len=105, pq=0x299f5d0) at decode-ethernet.c:29
ethh = 0x25fc928
#7 0x000000000040a205 in DecodePcapFile (tv=0x299f4d0, p=0x25fc8b0, data=0x2bb76d0, pq=0x299f5d0) at source-pcap-file.c:189
dtv = 0x2bb76d0
#8 0x000000000047881c in TmThreadsSlot1 (td=0x299f4d0) at tm-threads.c:325
tv = 0x299f4d0
s = 0x299f5a0
p = 0x25fc8b0
run = 1 '\001'
r = TM_ECODE_OK
#9 0x00007f4c1b114a04 in start_thread (arg=<value optimized out>) at pthread_create.c:300
__res = <value optimized out>
pd = 0x7f4c19c36910
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139964826478864, 2847090625133785514, 140736117489632, 0, 0, 3, 2802692178859413078, -2802694771651006038}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <value optimized out>
robust = <value optimized out>
#10 0x00007f4c1aa2f80d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
---Type <return> to continue, or q <return> to quit--
#11 0x0000000000000000 in ?? ()
No symbol table info available.
Files
Updated by Jason Ish about 14 years ago
- File 0001-Fix-issue-65.patch 0001-Fix-issue-65.patch added
- Status changed from New to Resolved
The BUG_ON on attempt to write past the end of the packet buffer triggered. This is replaced a log message and dropping of the frame now. Also fixes the check for end of packet which didn't account for the IPv4 header.
Updated by Will Metcalf about 14 years ago
- Status changed from Resolved to Closed