Security #7029
Closed: http/range: segv when http.memcap is reached
Git IDs:
Severity: HIGH
Disclosure Date: 05/16/2024
Description
Test with app-layer.protocols.http.memcap of 1MiB.
Starting program: /home/victor/dev/suricata/src/suricata -c suricata.yaml -l tmp/ --disable-detection -r /pcap81/alexatop25k.pcap -v --runmode=single
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Notice: suricata: This is Suricata version 8.0.0-dev (806052d76 2024-05-14) running in USER mode [LogVersion:suricata.c:1164]
Info: cpu: CPUs/cores online: 56 [UtilCpuPrintSummary:util-cpu.c:149]
Info: suricata: Setting engine mode to IDS mode by default [PostConfLoadedSetup:suricata.c:2706]
Info: exception-policy: master exception-policy set to: auto [ExceptionPolicyMasterParse:util-exception-policy.c:201]
Info: app-layer-htp-mem: HTTP memcap: 1048576 [HTPParseMemcap:app-layer-htp-mem.c:61]
Info: app-layer-ftp: FTP memcap: 1048576 [FTPParseMemcap:app-layer-ftp.c:129]
Info: logopenfile: fast output device (regular) initialized: fast.log [SCConfLogOpenGeneric:util-logopenfile.c:617]
Info: logopenfile: eve-log output device (regular) initialized: eve.json [SCConfLogOpenGeneric:util-logopenfile.c:617]
Info: logopenfile: stats output device (regular) initialized: stats.log [SCConfLogOpenGeneric:util-logopenfile.c:617]
[New Thread 0x7fffe331e640 (LWP 283534)]
[New Thread 0x7fffe2b1d640 (LWP 283535)]
[New Thread 0x7fffe231c640 (LWP 283536)]
[New Thread 0x7fffe1b1b640 (LWP 283537)]
[New Thread 0x7fffe131a640 (LWP 283538)]
Warning: suricata: "security.limit-noproc" (setrlimit()) not set when using address sanitizer [SuricataPostInit:suricata.c:3032]
Info: pcap: Starting file run for /pcap81/alexatop25k.pcap [ReceivePcapFileLoop:source-pcap-file.c:180]
Notice: threads: Threads created -> W: 1 FM: 1 FR: 1 Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1899]
Info: checksum: Less than 1/10th of packets have an invalid checksum, assuming checksum offloading is NOT used (2/1000) [ChecksumAutoModeCheck:util-checksum.c:84]

Thread 2 "W#01" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe331e640 (LWP 283534)]
0x0000000000685596 in HttpRangeAppendData (sbcfg=0x1485100 <htp_sbcfg>, c=0x0, data=0x626000468281 "\263w\313K\256V\254\266\060\272˹$\246\324/\322\001ϣ\t\201", len=5455) at app-layer-htp-range.c:403
403	    if (c->toskip >= len) {
(gdb) bt
#0  0x0000000000685596 in HttpRangeAppendData (sbcfg=0x1485100 <htp_sbcfg>, c=0x0, data=0x626000468281 "\263w\313K\256V\254\266\060\272˹$\246\324/\322\001ϣ\t\201", len=5455) at app-layer-htp-range.c:403
#1  0x0000000000685516 in HttpRangeOpenFile (c=0x60d000060d28, start=49152, end=769328, total=769329, sbcfg=0x1485100 <htp_sbcfg>, name=0x6040000d98a8 "/225/VBWdPROS6P/clip.mp4\003\021", name_len=24, flags=598, data=0x626000468281 "\263w\313K\256V\254\266\060\272˹$\246\324/\322\001ϣ\t\201", len=5455) at app-layer-htp-range.c:354
#2  0x0000000000684a9f in HttpRangeContainerOpenFile (key=0x604000621090 "image4.vod.pornhd.com/225/VBWdPROS6P/clip.mp4", keylen=45, f=0x6120003ce8c0, crparsed=0x7fffe33179a0, sbcfg=0x1485100 <htp_sbcfg>, name=0x6040000d98a8 "/225/VBWdPROS6P/clip.mp4\003\021", name_len=24, flags=598, data=0x626000468281 "\263w\313K\256V\254\266\060\272˹$\246\324/\322\001ϣ\t\201", data_len=5455) at app-layer-htp-range.c:372
#3  0x000000000067ac44 in HTPFileOpenWithRange (s=0x60b000255c10, txud=0x6110000c2140, filename=0x6040000d98a8 "/225/VBWdPROS6P/clip.mp4\003\021", filename_len=24, data=0x626000468281 "\263w\313K\256V\254\266\060\272˹$\246\324/\322\001ϣ\t\201", data_len=5455, tx=0x614000329e40, rawvalue=0x6060005d43a0, htud=0x6110000c2140) at app-layer-htp-file.c:197
#4  0x0000000000677cd7 in HtpResponseBodyHandle (hstate=0x60b000255c10, htud=0x6110000c2140, tx=0x614000329e40, data=0x626000468281 "\263w\313K\256V\254\266\060\272˹$\246\324/\322\001ϣ\t\201", data_len=5455) at app-layer-htp.c:1825
#5  0x0000000000670110 in HTPCallbackResponseBodyData (d=0x7fffe3318220) at app-layer-htp.c:2049
#6  0x00000000010c87db in htp_hook_run_all (hook=0x602000099130, user_data=0x7fffe3318220, user_data@entry=0x7fffe3318280) at htp_hooks.c:127
#7  0x00000000010ef93f in htp_res_run_hook_body_data (connp=<optimized out>, d=d@entry=0x7fffe3318220) at htp_util.c:2358
#8  0x00000000010e0a90 in htp_tx_res_process_body_data_ex (tx=0x614000329e40, data=<optimized out>, len=<optimized out>) at htp_transaction.c:1005
#9  0x00000000010d8cd7 in htp_connp_RES_BODY_IDENTITY_CL_KNOWN (connp=0x614000370240) at htp_response.c:490
#10 0x00000000010dbb83 in htp_connp_res_data (connp=0x614000370240, timestamp=<optimized out>, data=<optimized out>, len=<optimized out>) at htp_response.c:1344
#11 0x000000000066c95c in HTPHandleResponseData (f=0x6120003ce8c0, htp_state=0x60b000255c10, pstate=0x6060000396e0, stream_slice=..., local_data=0x0) at app-layer-htp.c:973
#12 0x0000000000690723 in AppLayerParserParse (tv=0x6120003f2440, alp_tctx=0x61900013c980, f=0x6120003ce8c0, alproto=1, flags=8 '\b', input=0x626000468100 "HTTP/1.1 206 Partial Content\r\nServer: nginx/1.6.2\r\nDate: Wed, 23 Sep 2015 00:08:24 GMT\r\nContent-Type: video/mp4\r\nContent-Length: 720177\r\nLast-Modified: Tue, 15 Sep 2015 18:22:57 GMT\r\nConnection: keep-"..., input_len=5840) at app-layer-parser.c:1382
#13 0x0000000000638820 in AppLayerHandleTCPData (tv=0x6120003f2440, ra_ctx=0x604000147910, p=0x61d0002ee080, f=0x6120003ce8c0, ssn=0x61200061fcc0, stream=0x7fffe3319840, data=0x626000468100 "HTTP/1.1 206 Partial Content\r\nServer: nginx/1.6.2\r\nDate: Wed, 23 Sep 2015 00:08:24 GMT\r\nContent-Type: video/mp4\r\nContent-Length: 720177\r\nLast-Modified: Tue, 15 Sep 2015 18:22:57 GMT\r\nConnection: keep-"..., data_len=5840, flags=8 '\b', dir=UPDATE_DIR_OPPOSING) at app-layer.c:839
#14 0x0000000000a962c8 in ReassembleUpdateAppLayer (tv=0x6120003f2440, ra_ctx=0x604000147910, ssn=0x61200061fcc0, stream=0x7fffe3319840, p=0x61d0002ee080, dir=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1324
#15 0x0000000000a941f7 in StreamTcpReassembleAppLayer (tv=0x6120003f2440, ra_ctx=0x604000147910, ssn=0x61200061fcc0, stream=0x61200061fcd0, p=0x61d0002ee080, dir=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1387
#16 0x0000000000a9b4ab in StreamTcpReassembleHandleSegmentUpdateACK (tv=0x6120003f2440, ra_ctx=0x604000147910, ssn=0x61200061fcc0, stream=0x61200061fcd0, p=0x61d0002ee080) at stream-tcp-reassemble.c:1946
#17 0x0000000000a9aebd in StreamTcpReassembleHandleSegment (tv=0x6120003f2440, ra_ctx=0x604000147910, ssn=0x61200061fcc0, stream=0x61200061fd58, p=0x61d0002ee080) at stream-tcp-reassemble.c:2004
#18 0x0000000000a6db6f in HandleEstablishedPacketToServer (tv=0x6120003f2440, ssn=0x61200061fcc0, p=0x61d0002ee080, stt=0x60700007ac80) at stream-tcp.c:2834
#19 0x0000000000a43d0b in StreamTcpPacketStateEstablished (tv=0x6120003f2440, p=0x61d0002ee080, stt=0x60700007ac80, ssn=0x61200061fcc0) at stream-tcp.c:3383
#20 0x0000000000a29c77 in StreamTcpStateDispatch (tv=0x6120003f2440, p=0x61d0002ee080, stt=0x60700007ac80, ssn=0x61200061fcc0, state=4 '\004') at stream-tcp.c:5420
#21 0x0000000000a1fa9f in StreamTcpPacket (tv=0x6120003f2440, p=0x61d0002ee080, stt=0x60700007ac80, pq=0x61000001f170) at stream-tcp.c:5618
#22 0x0000000000a2ac2d in StreamTcp (tv=0x6120003f2440, p=0x61d0002ee080, data=0x60700007ac80, pq=0x61000001f170) at stream-tcp.c:5934
#23 0x000000000090b335 in FlowWorkerStreamTCPUpdate (tv=0x6120003f2440, fw=0x61000001f140, p=0x61d0002ee080, detect_thread=0x0, timeout=false) at flow-worker.c:371
#24 0x0000000000909745 in FlowWorker (tv=0x6120003f2440, p=0x61d0002ee080, data=0x61000001f140) at flow-worker.c:599
#25 0x00000000005ca9fd in TmThreadsSlotVarRun (tv=0x6120003f2440, p=0x61d0002ee080, slot=0x6060000aa8a0) at tm-threads.c:135
#26 0x0000000000a1abe3 in TmThreadsSlotProcessPkt (tv=0x6120003f2440, s=0x6060000aa8a0, p=0x61d0002ee080) at ./tm-threads.h:200
#27 0x0000000000a19bfc in PcapFileCallbackLoop (user=0x60700007ac10 "P\261\b", h=0x7fffe331b980, pkt=0x62a00002a21c "\b") at source-pcap-file-helper.c:108
#28 0x00007ffff73dec54 in ?? () from /lib/x86_64-linux-gnu/libpcap.so.0.8
#29 0x0000000000a18ae2 in PcapFileDispatch (ptv=0x60700007ac10) at source-pcap-file-helper.c:153
#30 0x0000000000a1370d in ReceivePcapFileLoop (tv=0x6120003f2440, data=0x60b00012f1e0, slot=0x6060000aa5a0) at source-pcap-file.c:181
#31 0x00000000005d7498 in TmThreadsSlotPktAcqLoop (td=0x6120003f2440) at tm-threads.c:318
#32 0x00007ffff6894ac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#33 0x00007ffff6926850 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
(gdb) f 1
#1  0x0000000000685516 in HttpRangeOpenFile (c=0x60d000060d28, start=49152, end=769328, total=769329, sbcfg=0x1485100 <htp_sbcfg>, name=0x6040000d98a8 "/225/VBWdPROS6P/clip.mp4\003\021", name_len=24, flags=598, data=0x626000468281 "\263w\313K\256V\254\266\060\272˹$\246\324/\322\001ϣ\t\201", len=5455) at app-layer-htp-range.c:354
354	    if (HttpRangeAppendData(sbcfg, r, data, len) < 0) {
(gdb) l
349	        uint64_t end, uint64_t total, const StreamingBufferConfig *sbcfg, const uint8_t *name,
350	        uint16_t name_len, uint16_t flags, const uint8_t *data, uint32_t len)
351	{
352	    HttpRangeContainerBlock *r =
353	            HttpRangeOpenFileAux(c, start, end, total, sbcfg, name, name_len, flags);
354	    if (HttpRangeAppendData(sbcfg, r, data, len) < 0) {
355	        SCLogDebug("Failed to append data while opening");
356	    }
357	    return r;
358	}
(gdb) p r
$1 = (HttpRangeContainerBlock *) 0x0
(gdb)
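The pattern the trace shows is an allocator that returns NULL once the memcap is reached (`r` is NULL in frame 1) followed by an append that dereferences the block unconditionally (`c->toskip` in frame 0). The model below is an added illustration, not Suricata's code: `RangeBlock`, `MEMCAP`, `range_block_new`, `range_append` and `range_open_file` are hypothetical stand-ins, and the append rejects a NULL block before touching it.

```c
/* Added illustration, not Suricata's code: a memcap-bounded allocator and the
 * open-then-append pattern from the backtrace, with the NULL check it lacked. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MEMCAP 300 /* constructed cap standing in for http.memcap */
static size_t memcap_used; /* bytes currently held by live blocks */

typedef struct {
    uint64_t toskip; /* bytes still to skip before buffering starts */
    uint8_t buf[128];
    size_t len;
} RangeBlock; /* 144 bytes, so the cap admits two blocks */

/* Stand-in for HttpRangeOpenFileAux: NULL once a block would exceed the cap. */
static RangeBlock *range_block_new(uint64_t toskip)
{
    RangeBlock *c = NULL;
    if (memcap_used + sizeof(*c) <= MEMCAP)
        c = calloc(1, sizeof(*c));
    if (c == NULL)
        return NULL; /* cap reached or allocation failed */
    memcap_used += sizeof(*c);
    c->toskip = toskip;
    return c;
}

/* Hardened append: the reported code reached c->toskip with c == NULL. */
static int range_append(RangeBlock *c, const uint8_t *data, size_t len)
{
    if (c == NULL)
        return -1; /* memcap hit upstream: nothing to append to */
    if (c->toskip >= len) { /* the faulting line in the trace */
        c->toskip -= len;
        return 0;
    }
    data += c->toskip; len -= c->toskip; c->toskip = 0;
    size_t room = sizeof(c->buf) - c->len;
    size_t n = len < room ? len : room;
    memcpy(c->buf + c->len, data, n);
    c->len += n;
    return 0;
}

/* Mirrors HttpRangeOpenFile: NULL instead of a crash when the cap is hit. */
static RangeBlock *range_open_file(uint64_t toskip, const uint8_t *data, size_t len)
{
    RangeBlock *r = range_block_new(toskip);
    return range_append(r, data, len) < 0 ? NULL : r;
}
```

With the cap at 300 bytes the third open returns NULL rather than faulting, which is the behaviour a caller should see when http.memcap is exhausted.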
Updated by Philippe Antoine 5 months ago
- Status changed from Assigned to In Review
Updated by Philippe Antoine 5 months ago
- Tracker changed from Bug to Security
- Severity set to MODERATE
- Disclosure Date set to 05/16/2024
- Label Needs backport to 7.0 added
Updated by Philippe Antoine 4 months ago
- Status changed from In Review to Resolved
Updated by Victor Julien 3 months ago
- Severity changed from MODERATE to CRITICAL
Updated by Victor Julien 3 months ago
- Severity changed from CRITICAL to HIGH
HIGH as http.memcap is disabled by default.