Project

General

Profile

Actions

Security #6796

closed

output/filestore: slowdown because of running OutputTxLog on useless packets

Added by Philippe Antoine 9 months ago. Updated 8 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
CVE:
Git IDs:
Severity:
MODERATE
Disclosure Date:
05/21/2024

Description

Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66918

Reproducer is with attached pcap and force-filestore: yes or similar

This pcap can be seen as a simple HTTP request, and then we get from the server many one-byte packets that are not yet acknowledged by the client.
This is a bit similar to #6299 - do not run detection if nothing has been updated, but here it is tx logging and not detection

FLOW_TS_APP_UPDATED gets set with UPDATE_DIR_OPPOSING when the server acknowledges the request
And it does not get reset until PKT_IS_TOSERVER(p)

OutputTxLog. now only checks if flow flags have app update, but not if it is a fresh one


Files

filestore.pcap (5.74 MB) filestore.pcap Philippe Antoine, 02/22/2024 08:38 AM

Subtasks 1 (0 open1 closed)

Security #6798: output/filestore: timeout because of running OutputTxLog on useless packets (7.0.x backport)ClosedPhilippe AntoineActions
Actions #1

Updated by OISF Ticketbot 9 months ago

  • Subtask #6797 added
Actions #2

Updated by OISF Ticketbot 9 months ago

  • Label deleted (Needs backport to 6.0)
Actions #3

Updated by OISF Ticketbot 9 months ago

  • Subtask #6798 added
Actions #4

Updated by OISF Ticketbot 9 months ago

  • Label deleted (Needs backport to 7.0)
Actions #5

Updated by Philippe Antoine 9 months ago

  • Status changed from New to In Review
  • Label Needs backport to 6.0, Needs backport to 7.0 added

Gitlab MR

Actions #6

Updated by Philippe Antoine 9 months ago

  • Label deleted (Needs backport to 6.0, Needs backport to 7.0)
Actions #7

Updated by Victor Julien 9 months ago

Can we get into this exact same situation if instead of useless packets we get tiny packets that xfer a body for example? So each packet does in fact update the state?

Actions #8

Updated by Philippe Antoine 9 months ago

Victor Julien wrote in #note-7:

Can we get into this exact same situation if instead of useless packets we get tiny packets that xfer a body for example? So each packet does in fact update the state?

I wrote "and then we get from the server many one-byte packets that are not yet acknowledged by the client."

So, these are tiny packets that transfer a body.
They are useless just until the client acks them which happens at the end of the pcap.

Do you mean having the same pcap with stream.inline mode ? Or that each tiny packet with body gets acked by the client ?
Or what do I not understand in this question ?

Actions #9

Updated by Victor Julien 9 months ago

What if they are acknowledged? Or indeed if we are in inline mode and have to inspect each unack'd packet? I think my concern is that we should not timeout if we do this type of inspection/logging per packet, for any packet size or type.

Actions #10

Updated by Victor Julien 9 months ago

  • Subject changed from output/filestore: timeout because of running OutputTxLog on useless packets to output/filestore: slowdown because of running OutputTxLog on useless packets
Actions #11

Updated by Victor Julien 9 months ago

Unneeded snprintf call in filestore should get optimized.

Actions #12

Updated by Philippe Antoine 9 months ago

Victor Julien wrote in #note-9:

What if they are acknowledged? Or indeed if we are in inline mode and have to inspect each unack'd packet? I think my concern is that we should not timeout if we do this type of inspection/logging per packet, for any packet size or type.

You look right : with my patch, I go from 2 seconds to 30 seconds by setting stream.inline=true
61% is spent in OutputTxLogFiles. and 33% in snprintf in OutputFilestoreLogger

Actions #14

Updated by Philippe Antoine 9 months ago

  • Status changed from In Review to Resolved
Actions #15

Updated by Philippe Antoine 9 months ago

  • Status changed from Resolved to Closed
Actions #16

Updated by Victor Julien 8 months ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF