Bug #725

closed

Segfault in TLS parsing, possibly related to client certificates.

Added by Charles Smutz over 11 years ago. Updated about 11 years ago.

Status:
Closed
Priority:
Urgent
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Suricata segfaults in the SSL decoding routines. I believe this is only occurring when the client provides a certificate for authentication, and it seems only certain classes of client certificates trigger this condition.
I've provided an example of the backtrace information below.

$ /usr/sbin/suricata -c suricata.yaml -r suricata-ssl-segfault-sanitized.pcap
14/1/2013 -- 19:40:38 - <Info> - This is Suricata version 1.4 RELEASE
14/1/2013 -- 19:40:38 - <Info> - CPUs/cores online: 24
*** glibc detected *** /usr/sbin/suricata: free(): invalid next size (normal): 0x000000000c5b7910 ***
======= Backtrace: =========
/lib64/libc.so.6[0x35234716af]
/lib64/libc.so.6[0x35234736b9]
/lib64/libc.so.6(realloc+0x102)[0x3523475b22]
/usr/sbin/suricata[0x42ca9c]
/usr/sbin/suricata[0x42d420]
/usr/sbin/suricata[0x41ff45]
/usr/sbin/suricata[0x422462]
/usr/sbin/suricata[0x4fb0f5]
/usr/sbin/suricata[0x4fc555]
/usr/sbin/suricata[0x4f583b]
/usr/sbin/suricata[0x4f8789]
/usr/sbin/suricata[0x4f904e]
/usr/sbin/suricata[0x50bbd7]
/usr/sbin/suricata[0x50d211]
/lib64/libpthread.so.0[0x352440683d]
/lib64/libc.so.6(clone+0x6d)[0x35234d503d]
======= Memory map: ========
00400000-00618000 r-xp 00000000 69:06 2920537                            /usr/sbin/suricata
00818000-00819000 r--p 00218000 69:06 2920537                            /usr/sbin/suricata
00819000-0081f000 rw-p 00219000 69:06 2920537                            /usr/sbin/suricata
0081f000-0085b000 rw-p 0081f000 00:00 0
00a1e000-00a20000 rw-p 0021e000 69:06 2920537                            /usr/sbin/suricata
0a44c000-0c80d000 rw-p 0a44c000 00:00 0                                  [heap]
3523000000-352301c000 r-xp 00000000 69:06 7791180                        /lib64/ld-2.5.so
...
2b03971d9000-2b0397bd9000 rw-p 2b03971d9000 00:00 0
2b0397bd9000-2b0397bda000 ---p 2b0Aborted (core dumped)

$ gdb /usr/sbin/suricata core.4887
GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-45.el5)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying" 
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/suricata...Reading symbols from /usr/lib/debug/usr/sbin/suricata.debug...done.
done.

warning: core file may not match specified executable file.
...
Core was generated by `/usr/sbin/suricata -c suricata.yaml -r suricata-ssl-segfault-sanitized.pcap'.
Program terminated with signal 6, Aborted.
#0  0x00000035234302c5 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x00000035234302c5 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003523431d70 in abort () at abort.c:88
#2  0x0000003523469b4b in __libc_message (do_abort=2, fmt=0x3523523888 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x00000035234716af in malloc_printerr (av=0x35237549e0, p=0xc5b7900, have_lock=1) at malloc.c:6211
#4  _int_free (av=0x35237549e0, p=0xc5b7900, have_lock=1) at malloc.c:4738
#5  0x00000035234736b9 in _int_realloc (av=0x35237549e0, oldp=0xc5b4210, nb=14064) at malloc.c:5291
#6  0x0000003523475b22 in __libc_realloc (oldmem=0xc5b4220, bytes=14045) at malloc.c:3768
#7  0x000000000042ca9c in SSLv3ParseHandshakeProtocol (direction=<value optimized out>, ssl_state=0xb43b9f0, pstate=0x101010101010101, input=<value optimized out>, input_len=4096)
    at app-layer-ssl.c:154
#8  SSLv3Decode (direction=<value optimized out>, ssl_state=0xb43b9f0, pstate=0x101010101010101, input=<value optimized out>, input_len=4096) at app-layer-ssl.c:651
#9  0x000000000042d420 in SSLDecode (f=<value optimized out>, direction=0 '\000', alstate=0xb43b9f0, pstate=0xb433c58,
    input=0x2b03953d1690 "ver-optional-debug-rpms0\032\006\r+\006\001\004\001\222\b\t\002\201%\001\005\004\t\f\aRed Hat0S\006\r+\006\001\004\001\222\b\t\002\201%\001\006\004B\f@/content/dist/rhel/server/6/$releasever/$basearch/optional/debug0E\006\r+\006\001\004\001\222\b\t\002\201%\001\a\004\064\f2file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-"..., ilen=16843009)
    at app-layer-ssl.c:807
#10 0x000000000041ff45 in AppLayerDoParse (local_data=0x0, f=0xb442830, app_layer_state=0xb43b9f0, parser_state=0xb433c58, input=0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>,
    input_len=4294967295, parser_idx=3, proto=4) at app-layer-parser.c:752
#11 0x0000000000422462 in AppLayerParse (local_data=0x0, f=0xb442830, proto=4 '\004', flags=<value optimized out>,
    input=0x2b03953d1690 "ver-optional-debug-rpms0\032\006\r+\006\001\004\001\222\b\t\002\201%\001\005\004\t\f\aRed Hat0S\006\r+\006\001\004\001\222\b\t\002\201%\001\006\004B\f@/content/dist/rhel/server/6/$releasever/$basearch/optional/debug0E\006\r+\006\001\004\001\222\b\t\002\201%\001\a\004\064\f2file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-"..., input_len=4096)
    at app-layer-parser.c:964
#12 0x00000000004fb0f5 in StreamTcpReassembleAppLayer (tv=0xb71ef60, ra_ctx=0xb7205f0, ssn=0x2b039a5988e8, stream=0x2b039a598938, p=0xb3b3600) at stream-tcp-reassemble.c:2873
#13 StreamTcpReassembleHandleSegmentUpdateACK (tv=0xb71ef60, ra_ctx=0xb7205f0, ssn=0x2b039a5988e8, stream=0x2b039a598938, p=0xb3b3600) at stream-tcp-reassemble.c:3348
#14 0x00000000004fc555 in StreamTcpReassembleHandleSegment (tv=0x1317, ra_ctx=0x134a, ssn=0x6, stream=0x2b039a5988f0, p=0xffffffff, pq=0x101010101010101) at stream-tcp-reassemble.c:3422
#15 0x00000000004f583b in HandleEstablishedPacketToClient (tv=0xb71ef60, p=0xb3b3600, stt=0xb71f970, ssn=0x2b039a5988e8, pq=0xb71f978) at stream-tcp.c:1847
#16 StreamTcpPacketStateEstablished (tv=0xb71ef60, p=0xb3b3600, stt=0xb71f970, ssn=0x2b039a5988e8, pq=0xb71f978) at stream-tcp.c:2093
#17 0x00000000004f8789 in StreamTcpPacket (tv=0xb71ef60, p=0xb3b3600, stt=0xb71f970, pq=0xb71f0a0) at stream-tcp.c:3836
#18 0x00000000004f904e in StreamTcp (tv=0xb71ef60, p=0xb3b3600, data=0xb71f970, pq=0xb71f0a0, postpq=<value optimized out>) at stream-tcp.c:4076
#19 0x000000000050bbd7 in TmThreadsSlotVarRun (tv=0xb71ef60, p=0xb3b3600, slot=<value optimized out>) at tm-threads.c:532
#20 0x000000000050d211 in TmThreadsSlotVar (td=0xb71ef60) at tm-threads.c:773
#21 0x000000352440683d in start_thread (arg=<value optimized out>) at pthread_create.c:301
#22 0x00000035234d503d in clone () from /lib64/libc.so.6
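A note on reading the report above, added here and not part of the original bug or of Suricata's code. The glibc message `free(): invalid next size (normal)` comes from the allocator's consistency checks inside realloc/free: the size field of the heap chunk following the one being released no longer makes sense. That means memory past the end of a heap buffer was overwritten at some earlier point, and the damage only surfaced at the next realloc; app-layer-ssl.c:154 in frame #7 is where it was detected, not necessarily where the bad write happened. Argument values in the inlined frames are also not trustworthy in this optimized build: `pstate=0x101010101010101` and `ilen=16843009` in frames #7-#9 contradict `pstate=0xb433c58` and `input_len=4096` in frames #9 and #11 for the same objects, so they are stale register contents rather than real parser state. The page does not say what the root cause was, so the C below is a constructed example of the pattern such a parser has to get right: accumulating one TLS handshake message (a Certificate message carrying a large client certificate is the usual multi-fragment case) whose body arrives in several fragments, with every copy clamped to both the declared body length and the bytes actually present. `hs_feed`, `hs_acc`, `HS_MAX_BODY` and the 14045-byte sample body are hypothetical names and values chosen for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration, not Suricata's app-layer-ssl.c.  One TLS
 * handshake message = type(1) + length(3) + body; the body may span
 * many record fragments.  The body buffer is allocated once to the
 * declared size and every copy is clamped, so it cannot be overrun. */

#define HS_TYPE_CERTIFICATE 11u
#define HS_MAX_BODY (256u * 1024u)   /* sanity cap; value is an assumption */

enum { HS_OK = 0, HS_NEED_MORE = 1, HS_ERR = -1 };

typedef struct {
    uint8_t  hdr[4];     /* header bytes; may itself straddle fragments */
    uint32_t hdr_have;   /* header bytes collected so far */
    int      have_len;   /* header parsed, body allocated */
    uint8_t  type;
    uint32_t expected;   /* body length declared by the header */
    uint8_t *body;       /* exactly `expected` bytes once allocated */
    uint32_t body_len;   /* body bytes copied so far */
} hs_acc;

void hs_init(hs_acc *a)  { memset(a, 0, sizeof *a); }
void hs_reset(hs_acc *a) { free(a->body); hs_init(a); }

/* Feed one fragment.  HS_OK = message complete, HS_NEED_MORE = wait for
 * more, HS_ERR = bad input.  *consumed = input bytes used; anything left
 * over is the start of the next handshake message. */
int hs_feed(hs_acc *a, const uint8_t *in, size_t in_len, size_t *consumed)
{
    size_t off = 0;

    /* 1. Collect the 4-byte header, tolerating a split across fragments. */
    while (a->hdr_have < 4 && off < in_len)
        a->hdr[a->hdr_have++] = in[off++];
    if (a->hdr_have < 4) { *consumed = off; return HS_NEED_MORE; }

    if (!a->have_len) {
        a->type     = a->hdr[0];
        a->expected = ((uint32_t)a->hdr[1] << 16) | ((uint32_t)a->hdr[2] << 8) | a->hdr[3];
        if (a->expected > HS_MAX_BODY) { *consumed = off; return HS_ERR; }
        if (a->expected > 0) {               /* zero-length bodies are legal */
            a->body = malloc(a->expected);   /* allocate once; no later realloc */
            if (a->body == NULL) { *consumed = off; return HS_ERR; }
        }
        a->have_len = 1;
    }

    /* 2. Copy body bytes clamped to what is declared AND what is present.
     *    Copying the whole fragment, or `expected - body_len` bytes from a
     *    shorter fragment, is the kind of write that corrupts heap metadata. */
    size_t avail = in_len - off;
    size_t need  = a->expected - a->body_len;
    size_t take  = avail < need ? avail : need;
    if (take) memcpy(a->body + a->body_len, in + off, take);
    a->body_len += (uint32_t)take;
    *consumed = off + take;
    return a->body_len == a->expected ? HS_OK : HS_NEED_MORE;
}

/* Constructed Certificate message with a `body_len`-byte body, pushed
 * through hs_feed in `frag`-byte pieces the way a reassembled TCP stream
 * hands chunks to an app-layer parser.  Returns the reassembled body
 * length, or -1 if the result is incomplete or differs from the input. */
long reassemble_in_fragments(uint32_t body_len, size_t frag)
{
    size_t total = 4 + (size_t)body_len;
    uint8_t *msg = malloc(total);
    if (!msg) return -1;
    msg[0] = HS_TYPE_CERTIFICATE;
    msg[1] = (body_len >> 16) & 0xff; msg[2] = (body_len >> 8) & 0xff; msg[3] = body_len & 0xff;
    for (uint32_t i = 0; i < body_len; i++) msg[4 + i] = (uint8_t)(i * 7);  /* filler */

    hs_acc a; hs_init(&a);
    int rc = HS_NEED_MORE;
    size_t pos = 0;
    while (pos < total && rc == HS_NEED_MORE) {
        size_t n = total - pos < frag ? total - pos : frag, used = 0;
        rc = hs_feed(&a, msg + pos, n, &used);
        pos += used;
    }
    long out = -1;
    if (rc == HS_OK && a.body_len == body_len && body_len > 0 &&
        memcmp(a.body, msg + 4, body_len) == 0)
        out = (long)a.body_len;
    hs_reset(&a); free(msg);
    return out;
}

/* Header declaring a 0xFFFFFF-byte body, then a short fragment: rejected
 * before any allocation or copy.  Returns the hs_feed result code. */
int reject_oversized_length(void)
{
    const uint8_t in[] = { HS_TYPE_CERTIFICATE, 0xff, 0xff, 0xff, 0xde, 0xad };  /* constructed */
    hs_acc a; hs_init(&a);
    size_t used = 0;
    int rc = hs_feed(&a, in, sizeof in, &used);
    hs_reset(&a);
    return rc;
}

/* A 2-byte-body message followed by 3 bytes of the next message: only
 * the declared bytes are consumed.  Returns the unconsumed byte count. */
size_t leftover_after_complete_message(void)
{
    const uint8_t in[] = { HS_TYPE_CERTIFICATE, 0x00, 0x00, 0x02, 0xaa, 0xbb, 0x0e, 0x00, 0x00 };
    hs_acc a; hs_init(&a);
    size_t used = 0;
    int rc = hs_feed(&a, in, sizeof in, &used);
    hs_reset(&a);
    return rc == HS_OK ? sizeof in - used : (size_t)-1;
}

int main(void)
{
    printf("reassembled %ld body bytes from 4096-byte fragments\n", reassemble_in_fragments(14045, 4096));
    printf("oversized declared length -> %d (HS_ERR = %d)\n", reject_oversized_length(), HS_ERR);
    printf("%zu bytes left over for the next message\n", leftover_after_complete_message());
    return 0;
}
```

When triaging a crash like this one, run the binary under valgrind or an ASan build against the same pcap: both report the out-of-bounds write at the instruction that performs it, instead of at the later realloc where glibc happens to notice.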
#1

Updated by Anoop Saldanha over 11 years ago

Is it possible to get a pcap for this?

#2

Updated by Charles Smutz over 11 years ago

Yes, I can provide a pcap privately. I'll contact you to discuss how to transfer it.

#3

Updated by Victor Julien about 11 years ago

  • Status changed from New to Assigned
  • Assignee set to Anoop Saldanha
  • Target version set to 1.4.1
#4

Updated by Victor Julien about 11 years ago

  • Priority changed from Normal to Urgent
#5

Updated by Charles Smutz about 11 years ago

I've done a fair amount of testing of the proposed fix (pull 292) and all seems to be working fine. I consider this issue fixed. Thanks.

#7

Updated by Victor Julien about 11 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100