Bug #88 (Closed)
Processing the attached pcap causes segv inside of DCERPCParseHeader.
Description
ulimit -c unlimited; src/suricata -c suricata.yaml -r ./suricata37.pcap-fuzz-2010-02-10-23-57-38-segv -l ./
.....
Segmentation fault (core dumped)
coz@coz-desktop:~/downloads/suricatafuzz3$ gdb src/suricata core
GNU gdb (GDB) 7.0-ubuntu
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/coz/downloads/suricatafuzz3/src/suricata...done.
[New Thread 15849]
[New Thread 15855]
[New Thread 15856]
[New Thread 15114]
[New Thread 15851]
[New Thread 15852]
[New Thread 15853]
[New Thread 15854]
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/local/lib/libhtp-0.2.so.1...done.
Loaded symbols for /usr/local/lib/libhtp-0.2.so.1
Reading symbols from /usr/lib/libpcap.so.0.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpcap.so.0.8
Reading symbols from /usr/local/lib/libpfring.so...done.
Loaded symbols for /usr/local/lib/libpfring.so
Reading symbols from /usr/lib/libnet.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libnet.so.1
Reading symbols from /lib/libpthread.so.0...Reading symbols from /usr/lib/debug/lib/libpthread-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/libyaml-0.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libyaml-0.so.1
Reading symbols from /lib/libpcre.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib/libpcre.so.3
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib/libgcc_s.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libgcc_s.so.1
Core was generated by `src/suricata -c suricata.yaml -r ./suricata37.pcap-fuzz-2010-02-10-23-57-38-seg'.
Program terminated with signal 11, Segmentation fault.
#0 0x00000000004af17a in DCERPCParseHeader (dcerpc=0xe5fb278, input=0x7f4d30d5cdea <Address 0x7f4d30d5cdea out of bounds>, input_len=34) at app-layer-dcerpc.c:871
871 dcerpc->dcerpchdr.rpc_vers = *p;
(gdb) bt full
#0 0x00000000004af17a in DCERPCParseHeader (dcerpc=0xe5fb278, input=0x7f4d30d5cdea <Address 0x7f4d30d5cdea out of bounds>, input_len=34) at app-layer-dcerpc.c:871
p = 0x7f4d30d5cdea <Address 0x7f4d30d5cdea out of bounds>
#1 0x00000000004af715 in DCERPCParser (dcerpc=0xe5fb278, input=0x7f4d30d5cdea <Address 0x7f4d30d5cdea out of bounds>, input_len=34) at app-layer-dcerpc.c:985
retval = 0
parsed = 0
#2 0x00000000004aa855 in DataParser (smb_state=0xe5fb200, pstate=0x32cfcc8, input=0x7f4d30d5cdea <Address 0x7f4d30d5cdea out of bounds>, input_len=34, output=0x7f4c2fffea40) at app-layer-smb.c:539
sstate = 0xe5fb200
parsed = 0
#3 0x00000000004aad06 in SMBParseByteCount (f=0x1456680, smb_state=0xe5fb200, pstate=0x32cfcc8, input=0x7f4d30d5cdea <Address 0x7f4d30d5cdea out of bounds>, input_len=34, output=0x7f4c2fffea40) at app-layer-smb.c:673
sstate = 0xe5fb200
p = 0x7f4d30d5cdea <Address 0x7f4d30d5cdea out of bounds>
retval = 0
parsed = 0
#4 0x00000000004abc94 in SMBParse (f=0x1456680, smb_state=0xe5fb200, pstate=0x32cfcc8, input=0x7f4c30d5cc0c "", input_len=34, output=0x7f4c2fffea40) at app-layer-smb.c:1024
sstate = 0xe5fb200
retval = 4294967279
parsed = 4294967774
#5 0x00000000004a62e9 in AppLayerDoParse (f=0x1456680, app_layer_state=0xe5fb200, parser_state=0x32cfcc8, input=0x7f4c30d5cc0c "", input_len=512, parser_idx=9, proto=10) at app-layer-parser.c:634
retval = 0
result = {head = 0x0, tail = 0x0, cnt = 0}
r = 1
__PRETTY_FUNCTION__ = "AppLayerDoParse"
e = 0x0
#6 0x00000000004a686f in AppLayerParse (f=0x1456680, proto=10 '\n', flags=4 '\004', input=0x7f4c30d5cc0c "", input_len=512) at app-layer-parser.c:794
parser_idx = 9
p = 0x6ff620
ssn = 0x7f4c30d118c0
parser_state_store = 0x32cfcb0
parser_state = 0x32cfcc8
app_layer_state = 0xe5fb200
r = 0
__FUNCTION__ = "AppLayerParse"
#7 0x00000000004a3103 in AppLayerHandleMsg (dp_ctx=0xedc85e8, smsg=0x7f4c30d5cbd0) at app-layer-detect-proto.c:407
alproto = 10
r = 0
ssn = 0x7f4c30d118c0
#8 0x0000000000497a8e in StreamTcpReassembleProcessAppLayer (ra_ctx=0xedc85e0) at stream-tcp-reassemble.c:1560
smsg = 0x7f4c30d5cbd0
r = 0
#9 0x0000000000494a2f in StreamTcpPacket (tv=0x3798b40, p=0x1181e50, stt=0x7506c90) at stream-tcp.c:2472
ssn = 0x7f4c30d118c0
#10 0x0000000000494ac9 in StreamTcp (tv=0x3798b40, p=0x1181e50, data=0x7506c90, pq=0xefa3cf0) at stream-tcp.c:2490
stt = 0x7506c90
ret = TM_ECODE_OK
#11 0x0000000000486300 in TmThreadsSlot1 (td=0x3798b40) at tm-threads.c:326
tv = 0x3798b40
s = 0xefa3cc0
p = 0x1181e50
run = 1 '\001'
r = TM_ECODE_OK
#12 0x00007f4c39795a04 in start_thread (arg=<value optimized out>) at pthread_create.c:300
__res = <value optimized out>
pd = 0x7f4c2ffff910
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139965199546640, 870293199567435764, 140734394269888, 0, 0, 3, 969477944432412684, 969516370688231436}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <value optimized out>
robust = <value optimized out>
#13 0x00007f4c390b080d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#14 0x0000000000000000 in ?? ()
No symbol table info available.
(gdb)
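The crash site in frame #0 dereferences *p through an input pointer that is already out of bounds, and frame #4 shows why: parsed = 4294967774 is exactly the distance from the SMBParse input buffer 0x7f4c30d5cc0c to the pointer 0x7f4d30d5cdea in frames #0-#3, and equals 512 + (uint32_t)-34, a negative 32-bit result treated as a byte count (retval = 4294967279 is likewise (uint32_t)-17). The C below is added here as an illustration and is not Suricata's code or the attached patches: it shows a header parse that checks input_len before the first dereference and a cursor advance that rejects negative or oversized consumed counts. The header layout, function names and sample bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
/* Simplified 16-byte DCERPC CO header: an illustration, not Suricata's DCERPCHdr. */
#define DCERPC_HDR_LEN 16
typedef struct {
    uint8_t  rpc_vers, rpc_vers_minor, type, pfc_flags, packed_drep[4];
    uint16_t frag_length, auth_length;
    uint32_t call_id;
} dcerpc_hdr_t;

/* Byte order follows the little-endian bit (0x10) of packed_drep[0]. */
static uint16_t rd16(const uint8_t *p, int le)
{
    return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[0] << 8 | p[1]);
}

/* Bytes consumed, or -1 for a short/malformed buffer: the length check runs before any *p. */
int32_t parse_dcerpc_header(const uint8_t *p, size_t input_len, dcerpc_hdr_t *h)
{
    if (p == NULL || h == NULL || input_len < DCERPC_HDR_LEN)
        return -1;
    int le = (p[4] & 0x10) != 0;
    h->rpc_vers = p[0]; h->rpc_vers_minor = p[1]; h->type = p[2]; h->pfc_flags = p[3];
    for (int i = 0; i < 4; i++) h->packed_drep[i] = p[4 + i];
    h->frag_length = rd16(p + 8, le);
    h->auth_length = rd16(p + 10, le);
    h->call_id = le ? rd16(p + 12, 1) | (uint32_t)rd16(p + 14, 1) << 16
                    : (uint32_t)rd16(p + 12, 0) << 16 | rd16(p + 14, 0);
    /* CO DCE RPC is major version 5; a fragment cannot be shorter than its header. */
    if (h->rpc_vers != 5 || h->frag_length < DCERPC_HDR_LEN)
        return -1;
    return DCERPC_HDR_LEN;
}

/* Frame #4 arithmetic: 512 + (uint32_t)-34 treated as a byte count = 4294967774. */
uint64_t wrapped_parsed(uint32_t input_len, int32_t retval)
{
    return (uint64_t)input_len + (uint32_t)retval;
}

/* Validated cursor advance: negative results are errors, counts cannot exceed remaining bytes. */
int advance_cursor(size_t *offset, size_t input_len, int32_t retval)
{
    if (retval < 0 || *offset > input_len || (size_t)retval > input_len - *offset)
        return -1;
    *offset += (size_t)retval;
    return 0;
}
/* Constructed bind header: version 5.0, type 11, LE drep, frag_length 72, call_id 1. */
const uint8_t sample_hdr[DCERPC_HDR_LEN] = { 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
                                             0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 };
```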
Updated by Kirby Kuehl almost 15 years ago
- File 0001-bug-88-validate-dcerpc-header.patch added
- File 0002-smb-safety-checks.patch added
- File 0003-fix-bug88.patch added
- % Done changed from 0 to 90
This issue surfaced on 64-bit machines, but was a validation bug on 32/64-bit. The three attached incremental patches provide better validation and take care of the reported crash.
Updated by Victor Julien almost 15 years ago
- Status changed from New to Closed
Patches applied, thanks Kirby!