Project

General

Profile

Actions

Bug #7176

closed

ldap: crash when encountering GAP

Added by Victor Julien 5 months ago. Updated 5 months ago.

Status:
Closed
Priority:
High
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Parser claims to support GAPs, however crashes when receiving one

Thread 53 "W#51" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffdb17fa640 (LWP 17428)]            
asn1_rs::ber::parser::parse_identifier (i=...) at src/ber/parser.rs:119
119             let mut c = u32::from(i[0] & 0b0001_1111);   
(gdb) bt
#0  asn1_rs::ber::parser::parse_identifier (i=...) at src/ber/parser.rs:119
#1  0x0000555555ba623b in asn1_rs::header::{impl#3}::from_ber (bytes=...) at src/header.rs:229
#2  0x0000555555bad23a in asn1_rs::asn1_types::any::{impl#2}::from_ber (bytes=...) at src/asn1_types/any.rs:325
#3  0x0000555555cefa7f in asn1_rs::traits::{impl#4}::from_ber<asn1_rs::asn1_types::sequence::Sequence, asn1_rs::error::Error> (bytes=...) at /home/victor/.cargo/registry/src/index.crates.io-6f17d22bba15001f/asn1-rs-0.6.1/src/traits.rs:95
#4  asn1_rs::asn1_types::sequence::Sequence::from_ber_and_then<ldap_parser::ldap::LdapMessage, ldap_parser::parser::{impl#5}::from_ber::{closure_env#0}, ldap_parser::error::LdapError> (bytes=..., op=...)
    at /home/victor/.cargo/registry/src/index.crates.io-6f17d22bba15001f/asn1-rs-0.6.1/src/asn1_types/sequence.rs:111
#5  0x0000555555b29b19 in ldap_parser::parser::{impl#5}::from_ber (bytes=...) at src/parser.rs:232
#6  0x0000555555a49a9d in suricata::ldap::types::ldap_parse_msg (input=...) at src/ldap/types.rs:644
#7  suricata::ldap::ldap::LdapState::parse_response (self=0x7ffd64f02580, input=...) at src/ldap/ldap.rs:200
#8  suricata::ldap::ldap::SCLdapParseResponse (_flow=<optimized out>, state=0x7ffd64f02580, pstate=<optimized out>, stream_slice=..., _data=<optimized out>) at src/ldap/ldap.rs:337
#9  0x00005555556e6066 in AppLayerParserParse (tv=0x5555571aa170, alp_tctx=0x7ffd64df67f0, f=0x7ffd64f55c90, alproto=30, flags=24 '\030', input=0x0, input_len=14400) at app-layer-parser.c:1363
#10 0x00005555556ca088 in AppLayerHandleTCPData (tv=0x5555571aa170, ra_ctx=0x7ffd64df10c0, p=0x7ffff0c279d0, f=0x7ffd64f55c90, ssn=0x7ffd64ecc870, stream=0x7ffdb17f8ef8, data=0x0, data_len=14400, flags=24 '\030', app_update_dir=UPDATE_DIR_OPPOSING) at app-layer.c:752

Quick fixup seems to fix it up:
diff --git a/rust/src/ldap/ldap.rs b/rust/src/ldap/ldap.rs
index 0817b4c9f..d696ca10a 100644
--- a/rust/src/ldap/ldap.rs
+++ b/rust/src/ldap/ldap.rs
@@ -402,7 +402,7 @@ pub unsafe extern "C" fn rs_ldap_register_parser() {
         get_tx_data: SCLdapGetTxData,
         get_state_data: SCLdapGetStateData,
         apply_tx_config: None,
-        flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
+        flags: 0,//APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
         get_frame_id_by_name: None,
         get_frame_name_by_id: None,
     };


Related issues 1 (0 open1 closed)

Related to Suricata - Bug #7193: ldap: parser does not accept gaps yetRejectedPhilippe AntoineActions
Actions #1

Updated by Victor Julien 5 months ago

  • Description updated (diff)
Actions #2

Updated by Giuseppe Longo 5 months ago

Right, GAPs are not supported atm and must not be accepted.
I'll send a PR with this change.

Actions #3

Updated by Victor Julien 5 months ago

  • Related to Bug #7193: ldap: parser does not accept gaps yet added
Actions #5

Updated by Philippe Antoine 5 months ago

  • Status changed from Assigned to In Review

https://github.com/OISF/suricata/pull/11582 has one commit to solve this

Actions #6

Updated by Giuseppe Longo 5 months ago

  • Status changed from In Review to Closed
Actions

Also available in: Atom PDF