Bug #7829
openLua: tx:response_line() causes segfault on NULL
Description
- Summary:
Calling `tx:response_line()` or `tx:request_line()` in a Lua script may cause Suricata to crash with a segmentation fault when the HTTP transaction is incomplete or malformed.
- Reproduction:
When running Suricata with a Lua script that accesses `tx:response_line()`, the engine may crash with a SIGSEGV like this:
[New Thread 0x7fffaa3ff6c0 (LWP 3629664)]
[New Thread 0x7fffa91ff6c0 (LWP 3629681)]
[New Thread 0x7fffa89fe6c0 (LWP 3629682)]
[New Thread 0x7fff97fff6c0 (LWP 3629683)]
[New Thread 0x7fff977fe6c0 (LWP 3629684)]
i: threads: Threads created -> W: 16 FM: 1 FR: 1 Engine started.
Thread 12 "W#10-enp130s0f0" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffc99ff6c0 (LWP 3629571)]
suricata_htp::c_api::bstr::bstr_len (x=0x0) at htp/src/c_api/bstr.rs:27
27 (*x).len()
(gdb) bt full
#0 suricata_htp::c_api::bstr::bstr_len (x=0x0) at htp/src/c_api/bstr.rs:27
No locals.
#1 0x00005555557acaa4 in LuaHttpGetResponseLine (luastate=0x555557aa9478) at util-lua-http.c:122
tx = 0x7fffc30d5a58
#2 0x0000555555afd1a3 in luaD_precall ()
No symbol table info available.
#3 0x0000555555b0c395 in luaV_execute ()
No symbol table info available.
#4 0x0000555555afd4bd in luaD_callnoyield ()
No symbol table info available.
#5 0x0000555555afc303 in luaD_rawrunprotected ()
No symbol table info available.
#6 0x0000555555afd8e4 in luaD_pcall ()
No symbol table info available.
#7 0x0000555555af9b95 in lua_pcallk ()
No symbol table info available.
#8 0x0000555555800110 in LuaTxLogger (tv=0x5555596b09b0, thread_data=0x7fffc28c9600, p=0x7fffc14c06b0, f=0x7fff9d6f1300, alstate=<optimized out>, txptr=0x7fffc368a030, tx_id=0) at output-lua.c:98
td = 0x7fffc28c9600
retval = <optimized out>
FUNCTION = "LuaTxLogger"
#9 0x0000555555776c94 in OutputTxLogCallLoggers (op_thread_data=0x7fffc30e9c60, alproto=<optimized out>, ctx=<synthetic pointer>, tx_progress_tc=0, tx_progress_ts=5, eof=true, tx_id=0, tx=0x7fffc368a030, alstate=<optimized out>,
f=<error reading variable: Cannot access memory at address 0x0>, p=<error reading variable: Cannot access memory at address 0x0>, store=0x7fffc28c94e0, logger=0x555557a91360, tv=<error reading variable: Cannot access memory at address 0x0>) at output-tx.c:321
next_logger = <optimized out>
#10 OutputTxLog (tv=0x5555596b09b0, p=0x7fffc14c06b0, thread_data=0x7fffc30e9c60) at output-tx.c:498
tx = 0x7fffc368a030
tx_progress_ts = <optimized out>
tx_progress_tc = 0
logger = <optimized out>
store = <optimized out>
ctx = {tx_logged_old = <optimized out>, tx_logged = 160}
ires = {tx_ptr = 0x7fffc368a030, tx_id = <optimized out>, has_next = <optimized out>}
txd = <optimized out>
tx_complete = <optimized out>
op_thread_data = 0x7fffc30e9c60
f = <optimized out>
ipproto = 6 '\006'
alproto = <optimized out>
file_logging_active = <optimized out>
end = <optimized out>
alstate = 0x7fffc335ca60
logger_expectation = 161
last_pseudo = <optimized out>
ts_eof = true
tc_eof = true
eof = true
ts_disrupt_flags = 4 '\004'
tc_disrupt_flags = 8 '\b'
total_txs = 1
tx_id = 0
max_id = <optimized out>
logged = <optimized out>
gap = false
support_files = true
pkt_dir = <optimized out>
IterFunc = 0x5555556e9940 <HTPGetTxIterator>
state = {un = {ptr = 0x0, u64 = 0}}