Bug #7610

closed

http: reachable assertion when memcap reached during rule reload

Added by Angelo Mirabella 5 months ago. Updated 9 days ago.

Status: Closed
Priority: Normal

Description

Suricata can crash with HTTP traffic due to assertion "DetectEngineStateResetTxs" if reaching the memcap in between rule reloads.
This happens when Suricata reaches the HTTP memcap in "HTPCallbackRequestStart", cannot allocate "tx_ud" via the "HTPCalloc" call, and in the meantime there is a rule reload. When processing the following packet, in "DetectRunSetup", since the flow detection engine version is now different from the detection engine one due to the version bump that happened in the rule reload, Suricata will run "DetectEngineStateResetTxs".
In "DetectEngineStateResetTxs", the flow will be in a valid state but "AppLayerParserGetTxData" will return a NULL pointer (due to the previous allocation failure), thus triggering the subsequent BUG_ON statement and crashing Suricata.
This bug seems to have been introduced by commit: 1ad71b96daa2b2655691cfce2a15ccd754d9b290
Attaching sample pcap to reproduce.

To reproduce:
- Use default suricata yaml and set `http.memcap: 113`. This will give enough memory to allocate the "HtpState" but will fail in creating the "HtpTxUserData" structure.
- Create dummy interface: ip link add dev dummy0 type dummy && ip link set dev dummy0 up
- Run suricata with command line: ./src/.libs/suricata -c suricata.yaml -k none --runmode=single -I dummy0
- Replay pcap (any pcap with an HTTP transaction should do). To reliably trigger the crash, replay the first 4 packets, one packet at a time via: tcpreplay -i dummy0 -o crash.pcap. This is to ensure we send the HTTP request before the rule reload.
- Trigger a rule reload: kill -s SIGUSR2 `pidof suricata`
- Send one more packet via tcpreplay and it should trigger the crash.


Files

crash.pcap (1.41 KB) crash.pcap Angelo Mirabella, 03/13/2025 02:23 PM

Related issues: 1 (0 open, 1 closed)

Related to Suricata - Bug #5739: htp: handle alloc failure for user data (Closed, Philippe Antoine)
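
The failure sequence described in the report above, as an added example that is not part of the original report or of Suricata's source: a self-contained C model in which a memcap-limited allocation leaves a transaction without its data and a later version-triggered reset meets the NULL pointer. All names (`capped_calloc`, `tx_start`, `reset_txs`), the structure sizes and the 12-byte cap are hypothetical, and the non-strict path is one illustrative way to tolerate the NULL, not the fix merged for #5739.

```c
/* Added illustration: simplified model, not Suricata source.
 * All names are hypothetical; the cap and sizes are constructed. */
#include <stdint.h>
#include <stdlib.h>
#define MAX_TXS 4
static size_t memcap = 12, memuse = 0;   /* constructed byte budget */

/* memcap-aware calloc: returns NULL once the budget would be exceeded */
static void *capped_calloc(size_t n, size_t size) {
    if (memuse + n * size > memcap) return NULL;
    void *p = calloc(n, size);
    if (p != NULL) memuse += n * size;
    return p;
}

struct tx_data { uint64_t detect_flags; };
struct tx { struct tx_data *data; };     /* data stays NULL if alloc failed */
struct flow { uint32_t de_version; size_t tx_cnt; struct tx txs[MAX_TXS]; };

/* Request start: the tx is counted even when its data cannot be allocated */
static int tx_start(struct flow *f) {
    if (f->tx_cnt == MAX_TXS) return -1;
    struct tx *t = &f->txs[f->tx_cnt++];
    t->data = capped_calloc(1, sizeof(*t->data));
    return t->data != NULL ? 0 : -1;
}

/* Reset per-tx detect state once a reload has bumped the engine version.
 * strict: return -1 where an assertion on NULL data would abort;
 * otherwise skip such txs. Returns the number of txs reset. */
static int reset_txs(struct flow *f, uint32_t engine_version, int strict) {
    int n = 0;
    if (f->de_version == engine_version) return 0;
    for (size_t i = 0; i < f->tx_cnt; i++) {
        struct tx_data *d = f->txs[i].data;
        if (d == NULL && strict) return -1;
        if (d == NULL) continue;
        d->detect_flags = 0;
        n++;
    }
    f->de_version = engine_version;
    return n;
}

int main(void) {
    struct flow f = {0};
    tx_start(&f); tx_start(&f);               /* second alloc hits the cap */
    return reset_txs(&f, 1, 0) == 1 ? 0 : 1;  /* tolerant reset: one tx reset */
}
```
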
Actions #1

Updated by Philippe Antoine 5 months ago

  • Private changed from No to Yes
Actions #2

Updated by Philippe Antoine 5 months ago

  • Tracker changed from Bug to Security
  • Effort deleted (low)
  • Severity set to MODERATE
Actions #3

Updated by Philippe Antoine 5 months ago

  • Target version changed from TBD to 8.0.0-beta1
Actions #4

Updated by Victor Julien 4 months ago

  • Target version changed from 8.0.0-beta1 to 8.0.0-rc1
Actions #5

Updated by Philippe Antoine 3 months ago

  • Assignee changed from OISF Dev to Philippe Antoine

@Angelo Mirabella is this fixed on master by the recent fix to #5739?

Actions #6

Updated by Philippe Antoine 3 months ago

  • Related to Bug #5739: htp: handle alloc failure for user data added
Actions #8

Updated by Angelo Mirabella 3 months ago

Yes, I am not able to reproduce anymore.
Thanks!

Actions #9

Updated by Philippe Antoine 3 months ago

  • Target version changed from 8.0.0-rc1 to 7.0.11

Solved in master by #5739

Remains to fix in branch 7

Actions #10

Updated by Philippe Antoine 3 months ago

  • Status changed from New to In Review

Thanks Angelo, could you test https://github.com/OISF/suricata/pull/13101 for branch main7?

Actions #11

Updated by Philippe Antoine 3 months ago

  • Status changed from In Review to Closed
Actions #12

Updated by Victor Julien 28 days ago

  • Subject changed from Suricata crashes due to assertion when reaching HTTP memcap in the middle of a rule reload to http: reachable assertion when memcap reached during rule reload
Actions #13

Updated by Victor Julien 25 days ago

  • Tracker changed from Security to Bug
  • Severity deleted (MODERATE)

Since this requires first setting a restrictive memcap and then getting unlucky during a reload I'm going to treat this as a bug.

Actions #14

Updated by Jason Ish 9 days ago

  • Private changed from Yes to No