Bug #7610
closed
http: reachable assertion when memcap reached during rule reload
Description
Suricata can crash with HTTP traffic due to assertion "DetectEngineStateResetTxs" if reaching the memcap in between rule reloads.
This happens when Suricata reaches the HTTP memcap in "HTPCallbackRequestStart", cannot allocate "tx_ud" via the "HTPCalloc" call, and in the meantime there is a rule reload. When processing the following packet, in "DetectRunSetup", since the flow detection engine version is now different than the detection engine one due to the version bump that happened in the rule reload, Suricata will run "DetectEngineStateResetTxs".
In "DetectEngineStateResetTxs", the flow will be in a valid state but "AppLayerParserGetTxData" will return a NULL pointer (due to the previous allocation failure), thus triggering the subsequent BUG_ON statement and crashing Suricata.
This bug seems to have been introduced by commit: 1ad71b96daa2b2655691cfce2a15ccd754d9b290
Attaching sample pcap to reproduce.
To reproduce:
- Use default suricata yaml and set `http.memcap: 113`. This will give enough memory to allocate the "HtpState" but will fail in creating the "HtpTxUserData" structure.
- Create dummy interface: ip link add dev dummy0 type dummy && ip link set dev dummy0 up
- Run suricata with command line: ./src/.libs/suricata -c suricata.yaml -k none --runmode=single -I dummy0
- Replay pcap (any pcap with an HTTP transaction should do). To reliably trigger the crash, replay the first 4 packets, one packet at a time via: tcpreplay -i dummy0 -o crash.pcap. This is to ensure we send the HTTP request before the rule reload.
- Trigger a rule reload: kill -s SIGUSR2 `pidof suricata`
- Send one more packet via tcpreplay and it should trigger the crash.
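The failure pattern described in this report, reduced to a stand-alone C model (an added example, not Suricata code and not the fix from the linked pull requests): a transaction whose memcap-accounted allocation failed is later visited by the post-reload state reset. All type and function names are hypothetical, and skipping such transactions is an assumption about one way to handle them.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model; every name here is hypothetical, not Suricata's code. */
typedef struct { uint64_t limit, used; } memcap_t;
typedef struct { int detect_state; } tx_data_t;
typedef struct { tx_data_t *data; } tx_t;   /* data == NULL: memcap hit at tx start */
typedef struct { tx_t txs[4]; size_t n; uint32_t de_version; } flow_t;

/* Memcap-accounted allocation: returns NULL once the cap would be exceeded. */
static void *memcap_calloc(memcap_t *m, size_t size) {
    if (m->used + size > m->limit) return NULL;
    void *p = calloc(1, size);
    if (p != NULL) m->used += size;
    return p;
}

/* Request start: the tx is created even if its data cannot be allocated. */
static void tx_start(flow_t *f, memcap_t *m) {
    tx_t *tx = &f->txs[f->n++];
    tx->data = memcap_calloc(m, sizeof(tx_data_t));
    if (tx->data != NULL) tx->data->detect_state = 1; /* stored detection progress */
}

/* Reset stored detection state; returns how many txs had no data.
 * The crashing pattern asserts data != NULL here instead of skipping. */
static int reset_txs(flow_t *f) {
    int skipped = 0;
    for (size_t i = 0; i < f->n; i++) {
        if (f->txs[i].data == NULL) { skipped++; continue; }
        f->txs[i].data->detect_state = 0;
    }
    return skipped;
}

/* Constructed scenario: two txs start under `cap`, then a packet is inspected
 * by an engine at `engine_version`. Returns -1 if no reset was needed. */
static int run_scenario(uint64_t cap, uint32_t engine_version) {
    memcap_t m = { cap, 0 };
    flow_t f = { .n = 0, .de_version = 1 };
    tx_start(&f, &m);
    tx_start(&f, &m);
    int r = (f.de_version == engine_version) ? -1 : reset_txs(&f);
    for (size_t i = 0; i < f.n; i++) free(f.txs[i].data);
    return r;
}

int main(void) {
    printf("tight memcap + reload: %d tx skipped\n", run_scenario(sizeof(tx_data_t), 2));
    return 0;
}
```

Without the version change the reset never runs, which is why the NULL transaction data only becomes visible after a reload.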
Updated by Philippe Antoine 5 months ago
- Tracker changed from Bug to Security
- Effort deleted (low)
- Severity set to MODERATE
Updated by Philippe Antoine 5 months ago
- Target version changed from TBD to 8.0.0-beta1
Updated by Victor Julien 4 months ago
- Target version changed from 8.0.0-beta1 to 8.0.0-rc1
Updated by Philippe Antoine 3 months ago
- Assignee changed from OISF Dev to Philippe Antoine
@Angelo Mirabella is this fixed on master by recent fix to #5739 ?
Updated by Philippe Antoine 3 months ago
- Related to Bug #5739: htp: handle alloc failure for user data added
Updated by Philippe Antoine 3 months ago
And https://github.com/OISF/suricata/pull/13078 was a follow-up
Updated by Angelo Mirabella 3 months ago
Yes, I am not able to reproduce anymore.
Thanks!
Updated by Philippe Antoine 3 months ago
- Target version changed from 8.0.0-rc1 to 7.0.11
Solved in master by #5739
Remains to fix in branch 7
Updated by Philippe Antoine 3 months ago
- Status changed from New to In Review
Thanks Angelo, could you test https://github.com/OISF/suricata/pull/13101 for branch main7 ?
Updated by Philippe Antoine 3 months ago
- Status changed from In Review to Closed
Updated by Victor Julien 28 days ago
- Subject changed from Suricata crashes due to assertion when reaching HTTP memcap in the middle of a rule reload to http: reachable assertion when memcap reached during rule reload
Updated by Victor Julien 25 days ago
- Tracker changed from Security to Bug
- Severity deleted (MODERATE)
Since this requires first setting a restrictive memcap and then getting unlucky during a reload I'm going to treat this as a bug.