Bug #8308
openplugins/ndpi: SIGSEGV in DetectnDPIProtocolPacketMatch
Description
I've been running Suricata 8.0.2 with nDPI in NFQ/IPS mode and the behavior is inconsistent. Sometimes it crashes repeatedly every ~2-5 minutes, other times it runs for days without any issues.
Environment:
- Suricata 8.0.2 + nDPI 4.14
- AArch64 / NixOS
The flow pointer passed to StorageGetById (x19) is NULL, which faults immediately on dereference. Looking at plugins/ndpi/ndpi.c, both DetectnDPIProtocolPacketMatch and DetectnDPIRiskPacketMatch call FlowGetStorageById(f, flow_storage_id) where f = p->flow. Both functions do have an f == NULL check, but it appears after the storage lookup rather than before it. Can p->flow be null? That is what I think is triggering this.
PID: 355516 (Suricata-Main)
UID: 0 (root)
GID: 0 (root)
Signal: 11 (SEGV)
Timestamp: Wed 2026-02-18 14:07:02 UTC (4h 51min ago)
Command Line: /nix/store/4jdc5hyisvm448qn9ywbhg0ra2l3w8fs-suricata-8.0.2/bin/suricata -v -c /var/lib/suricata/suricata-nix.yaml -q 0
Executable: /nix/store/4jdc5hyisvm448qn9ywbhg0ra2l3w8fs-suricata-8.0.2/bin/suricata
Control Group: /system.slice/suricata.service
Unit: suricata.service
Slice: system.slice
Boot ID: 75497d86995e42b5aca1ffb346b021c2
Machine ID: 1ebfe5d0b2ed4b0b9c6dabaae9d0113f
Hostname: nixos
Storage: /var/lib/systemd/coredump/core.Suricata-Main.0.75497d86995e42b5aca1ffb346b021c2.355516.1771423622000000.zst (present)
Size on Disk: 112.4M
Message: Process 355516 (Suricata-Main) of user 0 dumped core.
Stack trace of thread 355710:
ELF object binary architecture: AARCH64
#0 0x0000aaaad7e9f6ac in StorageGetById ()
#1 0x0000ffff8ff066f8 in DetectnDPIProtocolPacketMatch () from /var/lib/chimera/ndpi.so
#2 0x0000aaaad7edebc0 in DetectEngineInspectRulePacketMatches ()
#3 0x0000aaaad7ee2394 in DetectEnginePktInspectionRun ()
#4 0x0000aaaad7f1bc24 in DetectRulePacketRules ()
#5 0x0000aaaad7f1c880 in DetectRun ()
#6 0x0000aaaad7f1e328 in Detect ()
#7 0x0000aaaad7f25b18 in FlowWorker ()
#8 0x0000aaaad7e828f4 in TmThreadsSlotVarRun ()
#9 0x0000aaaad7e84654 in TmThreadsSlotVar ()
#10 0x0000ffff906201ec in start_thread () from /nix/store/nl55hbsk5fjq2kyz3rkry1flndqfr3ry-glibc-2.40-66/lib/libc.so.6
#11 0x0000ffff9069034c in thread_start () from /nix/store/nl55hbsk5fjq2kyz3rkry1flndqfr3ry-glibc-2.40-66/lib/libc.so.6
x0 0x118 280
x1 0x1 1
x2 0x1 1
x3 0xaaab30f2d160 187652237349216
x4 0xffff8ff066d0 281473096640208
x5 0xaaaaffc57fe0 187651412295648
x6 0xaaaad7edeb60 187650743855968
x7 0xd 13
x8 0xffff7854ee40 281472700575296
x9 0xaaab30f01220 187652237169184
x10 0x80 128
x11 0xffffffff 4294967295
x12 0xffffffff 4294967295
x13 0x8 8
x14 0xaaab31971800 187652248115200
x15 0x0 0
x16 0xffff9006ef88 281473098117000
x17 0xaaaad7f23b60 187650744138592
x18 0xffff7854e2d4 281472700572372
x19 0x0 0
x20 0xaaab30f2d160 187652237349216
x21 0xffff801acf70 281472830984048
x22 0xffff78532e20 281472700460576
x23 0xaaaad88441c0 187650753708480
x24 0x4 4
x25 0x0 0
x26 0xaaab30f06f00 187652237192960
x27 0xffff801acf70 281472830984048
x28 0xffff7854ee40 281472700575296
x29 0xffff877ed530 281472954979632
x30 0xffff8ff066f8 281473096640248
sp 0xffff877ed530 0xffff877ed530
pc 0xaaaad7e9f6ac 0xaaaad7e9f6ac <StorageGetById+12>
cpsr 0x60001000 [ EL=0 BTYPE=0 SSBS C Z ]
fpsr 0x10 [ IXC ]
Updated by Victor Julien 3 days ago
- Status changed from New to In Progress
- Assignee set to Victor Julien
- Target version changed from TBD to 9.0.0-beta1
- Label Needs backport to 8.0 added
Updated by Victor Julien 3 days ago · Edited
- Status changed from In Progress to In Review
@antoineabf thanks for your report. Are you able to test https://github.com/OISF/suricata/pull/14846 ? It's against the main branch, so 9-dev. Will backport once merged there.
Updated by Antoine abf 3 days ago
Thanks for the quick response. I tried building https://github.com/OISF/suricata/pull/14846 but it fails to compile:
ndpi.c: In function 'DetectnDPIProtocolSetup':
ndpi.c:304:17: error: 'SIG_FLAG_REQUIRE_FLOW' undeclared (first use in this function); did you mean 'SIG_FLAG_REQUIRE_FLOWVAR'?
304 | s->flags |= SIG_FLAG_REQUIRE_FLOW;
| ^~~~~~~~~~~~~~~~~~~~~
| SIG_FLAG_REQUIRE_FLOWVAR
ndpi.c: In function 'DetectnDPIRiskSetup':
ndpi.c:440:17: error: 'SIG_FLAG_REQUIRE_FLOW' undeclared (first use in this function); did you mean 'SIG_FLAG_REQUIRE_FLOWVAR'?
440 | s->flags |= SIG_FLAG_REQUIRE_FLOW;
| ^~~~~~~~~~~~~~~~~~~~~
| SIG_FLAG_REQUIRE_FLOWVAR
SIG_FLAG_REQUIRE_FLOW doesn't appear to be defined in src/detect.h
Updated by Victor Julien 3 days ago
Whoops ya, can you try https://github.com/OISF/suricata/pull/14847
Updated by Antoine abf 3 days ago
Thank you for the quick fix! https://github.com/OISF/suricata/pull/14847 runs successfully.
However, I'm not sure how to replicate the crash condition. The SIGSEGV was intermittent, sometimes crashing continuously, other times running for days without issues. I don't know what traffic pattern triggers p->flow to be null. Do you have any idea why it was getting triggered? And maybe why no one else faced this issue?
Updated by Victor Julien 1 day ago
- Status changed from In Review to Resolved
https://github.com/OISF/suricata/pull/14856
p->flow can be null for various reasons; most commonly, some protocols do not support flow tracking in Suricata, and it also happens if there are issues such as the memcap being reached.
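A small C model of the ordering problem described in this thread and of the two layers of the fix: a NULL check before the flow-storage lookup, and a signature flag that keeps flow-requiring rules away from flowless packets. This is an added example, not code from the Suricata tree or the nDPI plugin; the struct layouts, the body of StorageGetById and the meaning assumed for SIG_FLAG_REQUIRE_FLOW are simplified stand-ins.

```c
#include <stdio.h>
/* Simplified stand-ins for Suricata's Flow, Packet and Signature (not the real structs). */
#define FLOW_STORAGE_MAX 4
#define SIG_FLAG_REQUIRE_FLOW (1u << 0) /* assumed meaning: skip the sig when p->flow is NULL */
typedef struct Flow { void *storage[FLOW_STORAGE_MAX]; } Flow;
typedef struct Packet { Flow *flow; } Packet;
typedef struct Signature { unsigned flags; int proto_wanted; } Signature;
typedef struct nDPIFlowData { int detected_proto; } nDPIFlowData;
typedef int (*MatchFn)(const Packet *, const Signature *);
static const int flow_storage_id = 1; /* assumed slot index for the plugin's flow data */

/* Models StorageGetById: it dereferences f unconditionally, which is the fault in the
 * backtrace (pc at StorageGetById+12 with x19, the flow pointer, equal to 0). */
static void *StorageGetById(Flow *f, int id) { return f->storage[id]; }

/* Ordering described in the report: storage lookup first, NULL check only afterwards. */
static int MatchBuggy(const Packet *p, const Signature *s) {
    Flow *f = p->flow;
    nDPIFlowData *d = StorageGetById(f, flow_storage_id); /* faults when f == NULL */
    if (f == NULL || d == NULL) return 0;
    return d->detected_proto == s->proto_wanted;
}

/* Fixed ordering: do not touch flow storage until the flow pointer is known to be set. */
static int MatchFixed(const Packet *p, const Signature *s) {
    Flow *f = p->flow;
    if (f == NULL) return 0;
    nDPIFlowData *d = StorageGetById(f, flow_storage_id);
    if (d == NULL) return 0;
    return d->detected_proto == s->proto_wanted;
}

/* Second layer: the detect engine never runs a flow-requiring signature on a
 * flowless packet, so the match callback is not even reached. */
static int RunSig(const Packet *p, const Signature *s, MatchFn match) {
    if ((s->flags & SIG_FLAG_REQUIRE_FLOW) && p->flow == NULL) return 0;
    return match(p, s);
}

int main(void) {
    nDPIFlowData d = { .detected_proto = 7 }; /* constructed sample: nDPI decided on proto 7 */
    Flow fl = { { 0 } };
    fl.storage[flow_storage_id] = &d;
    Signature s = { .flags = SIG_FLAG_REQUIRE_FLOW, .proto_wanted = 7 };
    Packet with_flow = { .flow = &fl }, no_flow = { .flow = NULL };
    printf("with flow, fixed match: %d\n", RunSig(&with_flow, &s, MatchFixed));
    printf("no flow, fixed match: %d\n", MatchFixed(&no_flow, &s));
    printf("no flow, buggy match gated by flag: %d\n", RunSig(&no_flow, &s, MatchBuggy));
    return 0;
}
```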