Bug #7157

closed

memcpy to unknown address due to CALLOC and Realloc without setting sc_errno

Added by chris tang about 2 months ago. Updated about 2 months ago.

Status: Rejected
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty: high
Label: C, Needs backport to 7.0

Description

The StreamingBufferAppend and StreamingBufferAppendNoTrack logic utilizes sc_errno to validate the success of malloc and realloc operations. However, the malloc and realloc functions implemented at the application layer appear to not properly set the sc_errno value upon failure. This leads to a scenario where malloc failures result in a null pointer being returned, but the streamingbuffer component does not account for this error condition. Consequently, the subsequent memcpy operation triggers a crash.

In our 10 Gb/s production environment, we are experiencing frequent occurrences of these crashes, and we aim to address and resolve this issue.

    int StreamingBufferAppend(StreamingBuffer *sb, const StreamingBufferConfig *cfg,
            StreamingBufferSegment *seg, const uint8_t *data, uint32_t data_len)
    {
        DEBUG_VALIDATE_BUG_ON(seg == NULL);

        if (sb->region.buf == NULL) {
            if (InitBuffer(sb, cfg) == -1)
                return -1;
        }
        int r = DataFits(sb, data_len);
        if (r < 0) {
            DEBUG_VALIDATE_BUG_ON(1);
            return -1;
        } else if (r == 0) {
            if (sb->region.buf_size == 0) {
                /* <----- applayer realloc did not set sc_errno value, so might be SC_OK */
                if (GrowToSize(sb, cfg, data_len) != SC_OK)
                    return -1;
            } else {
                /* <----- applayer realloc did not set sc_errno value, so might be SC_OK */
                if (GrowToSize(sb, cfg, sb->region.buf_offset + data_len) != SC_OK)
                    return -1;
            }
        }
        DEBUG_VALIDATE_BUG_ON(DataFits(sb, data_len) != 1);
        memcpy(sb->region.buf + sb->region.buf_offset, data, data_len);
    }

Here is the stack trace from the crash in the production environment:


Files

clipboard-202407101120-ccw1m.png (10.8 MB), chris tang, 07/10/2024 03:20 AM

Related issues 1 (0 open, 1 closed)

Is duplicate of Suricata - Bug #6782: streaming/buffer: crash in HTTP body handling (Closed, Richard McConnell)

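The failure mode described in the report, reduced to a small model. This is an added example, not Suricata code and not part of the original report: `g_errno`, `struct buf`, `grow_fragile`, `grow_checked` and `append` are hypothetical names, and the failing allocator is constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the reported pattern; none of this is Suricata code. */
enum { ERR_OK = 0, ERR_NOMEM = 1 };
static int g_errno = ERR_OK; /* plays the role of sc_errno */
typedef void *(*realloc_fn)(void *ptr, size_t size);
struct buf { uint8_t *data; size_t size, used; realloc_fn do_realloc; };

/* Constructed failing allocator: returns NULL and never touches g_errno. */
static void *failing_realloc(void *p, size_t n) { (void)p; (void)n; return NULL; }

/* Fragile: reports whatever g_errno holds, so a silent failure reads as ERR_OK. */
static int grow_fragile(struct buf *b, size_t want)
{
    void *p = b->do_realloc(b->data, want);
    if (p == NULL)
        return g_errno;
    b->data = p;
    b->size = want;
    return ERR_OK;
}
/* Hardened: a NULL return is always an error, whatever g_errno says. */
static int grow_checked(struct buf *b, size_t want)
{
    void *p = b->do_realloc(b->data, want);
    if (p == NULL)
        return g_errno != ERR_OK ? g_errno : (g_errno = ERR_NOMEM);
    b->data = p;
    b->size = want;
    return ERR_OK;
}
/* 0 = appended, -1 = refused cleanly, -2 = grow claimed success but buffer is unusable. */
static int append(struct buf *b, int (*grow)(struct buf *, size_t), const void *src, size_t len)
{
    if (b->used + len > b->size && grow(b, b->used + len) != ERR_OK)
        return -1;
    if (b->data == NULL || b->used + len > b->size)
        return -2; /* an unguarded memcpy would run here and crash */
    memcpy(b->data + b->used, src, len);
    b->used += len;
    return 0;
}
int main(void)
{
    struct buf a = { NULL, 0, 0, failing_realloc }, b = a;
    printf("fragile: %d\n", append(&a, grow_fragile, "abcd", 4));
    printf("checked: %d\n", append(&b, grow_checked, "abcd", 4));
    return 0;
}
```

The `-2` path is where a caller without the extra pointer and size check would copy into an invalid destination; the hardened grow function turns the same allocator failure into a clean `-1`.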
Actions #1

Updated by Victor Julien about 2 months ago

Looks like a duplicate of #6782, fixed in master and 7.0.6. What version are you running?

Actions #2

Updated by Victor Julien about 2 months ago

  • Priority changed from High to Normal
  • Label deleted (Needs backport to 7.0)
Actions #3

Updated by chris tang about 2 months ago

  • Status changed from New to Rejected
  • Priority changed from Normal to High
  • Label Needs backport to 7.0 added

Has been fixed in 7.0.6.

Victor Julien wrote in #note-1:

Looks like a duplicate of #6782, fixed in master and 7.0.6. What version are you running?

I've checked that it was fixed in 7.0.6.
We use 7.0.5.
Please close this issue, thanks.

Actions #4

Updated by Victor Julien about 2 months ago

  • Assignee deleted (OISF Dev)
  • Priority changed from High to Normal
  • Target version deleted (TBD)
Actions #5

Updated by Victor Julien about 2 months ago

  • Is duplicate of Bug #6782: streaming/buffer: crash in HTTP body handling added