Bug #919 (closed): Core dump in debug mode for icmpv6 in detect.c
Description
When using suricata v1.4.3 on linux with debug enabled, the assertions in detect.c:1760 cause a core dump for certain icmpv6 packets.
Bug was identified using various Defcon 18 CTF pcaps (specifically number 204 will reproduce it), and can be reproduced using just the icmpv6 packets from the number 204 capture.
Updated by Peter Manev over 10 years ago
Would you please attach the pcap?
Can you verify with 1.4.5 - there were similar bug fixes in the release:
http://suricata-ids.org/news/
thanks
Updated by E Ermer over 10 years ago
Attaching pcap that causes failure in v1.4.3
Will also try to re-install to latest code and test again.
Updated by Peter Manev over 10 years ago
I have run the provided pcap through the latest stable - 1.4.5
There is no issue/coredump
Updated by E Ermer over 10 years ago
Peter,
I just installed 1.4.5 and WAS able to get the same core dump with the pcap file I uploaded.
I configured 1.4.5 as follows: ./configure --enable-unittests --enable-debug --enable-debug-validation
Then did a make and ran ./src/suricata
There is something different between 1.4.3 and 1.4.5 for this issue. For another pcap file (#0211 from Defcon 18 CTF), in version 1.4.3 I see an assertion failure for icmpv6, but in 1.4.5 for the same file there is an assertion for tcp.
```
suricata -c /usr/local/etc/suricata/suricata.yaml -r /root/pcaps/defcon_18-ctf-0211.pcap
11/8/2013 -- 13:58:09 - <Info> - This is Suricata version 1.4.3 RELEASE
11/8/2013 -- 13:58:09 - <Info> - CPUs/cores online: 2
<snip>
11/8/2013 -- 13:59:15 - <Info> - all 4 packet processing threads, 3 management threads initialized, engine started.
suricata: detect.c:1760: Detect: Assertion `!((p)->icmpv6h == ((void *)0))' failed.
Aborted (core dumped)
```
BUT in the new version I see an assertion core for tcp:
```
[suricata-1.4.5]# ./src/suricata -c /usr/local/etc/suricata/suricata.yaml -r /root/pcaps/defcon_18-ctf-0211.pcap
11/8/2013 -- 13:51:50 - <Info> - This is Suricata version 1.4.5 RELEASE
11/8/2013 -- 13:51:50 - <Info> - CPUs/cores online: 2
<snip>
11/8/2013 -- 13:52:56 - <Info> - all 4 packet processing threads, 3 management threads initialized, engine started.
lt-suricata: detect.c:1764: Detect: Assertion `!((p)->tcph == ((void *)0))' failed.
Aborted (core dumped)
```
Since I'm still seeing the issue with the pcap I uploaded even in the latest version, is there any other configuration information you'd like me to provide?
Updated by Eric Leblond over 10 years ago
- Status changed from New to Assigned
- Assignee set to Eric Leblond
That's a border case. First of all, debug validation is NOT supposed to be used for anything other than coding/debugging, because it makes assumptions about traffic quality AND causes a core dump which can be used for investigation by developers. Here we have an IPv4 packet with ICMPv6 inside. This is caught by the debug validation routine and reported as invalid.
The debug validation routine is wrong regarding the ICMPv6 test, which should be done only for IPv6 packets. A fix has been pushed to https://github.com/regit/suricata/tree/regit-1.4.6
In the case of the ICMPv6 protocol inside IPv4, no decoding is done because suricata doesn't support the protocol ICMPv6 inside IPv4. So we have a packet with proto 58 and no header pointer set. Without debug validation, suricata is not crashing, and a code study shows that having ICMPv6 as proto is not enough to trigger some IPv6 decoding and interpretation of the packet.
Elmer: Regarding the TCP issue, can you provide a link to all Defcon 18 pcaps? I did not manage to find one working.
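Added illustration of the validation mistake described in the comment above; this is example code written for this page, not Suricata's decoder or detect.c. The `Packet` struct, `decode()` and the two `validate_*()` routines are assumed simplifications: only the fields the check depends on are modelled, and the packets are constructed inline (an IPv4 header carrying protocol 58 next to a genuine IPv6+ICMPv6 echo request).

```c
#include <stdint.h>
#include <string.h>

#define PROTO_ICMPV6 58           /* IPv4 protocol / IPv6 next-header value for ICMPv6 */

typedef struct Packet_ {          /* assumed: only the fields the validation consults */
    uint8_t proto;                /* from IPv4 "protocol" or IPv6 "next header" */
    const uint8_t *ip4h;          /* non-NULL once an IPv4 header was decoded */
    const uint8_t *ip6h;          /* non-NULL once an IPv6 header was decoded */
    const uint8_t *icmpv6h;       /* set only when ICMPv6 is decoded, i.e. under IPv6 */
} Packet;

/* Toy decoder: IPv6 decodes ICMPv6; IPv4 does not, so proto 58 leaves icmpv6h NULL. */
static void decode(Packet *p, const uint8_t *pkt, size_t len) {
    memset(p, 0, sizeof(*p));
    if (len >= 20 && (pkt[0] >> 4) == 4) {
        p->ip4h = pkt;
        p->proto = pkt[9];
    } else if (len >= 40 && (pkt[0] >> 4) == 6) {
        p->ip6h = pkt;
        p->proto = pkt[6];
        if (p->proto == PROTO_ICMPV6 && len >= 48)
            p->icmpv6h = pkt + 40;
    }
}

/* Check as the ticket describes it: proto 58 alone demands an ICMPv6 header (asserts). */
int validate_old(const Packet *p) {
    return !(p->proto == PROTO_ICMPV6 && p->icmpv6h == NULL);
}

/* Corrected check: the ICMPv6 header is required only for IPv6 packets. */
int validate_fixed(const Packet *p) {
    return !(p->ip6h != NULL && p->proto == PROTO_ICMPV6 && p->icmpv6h == NULL);
}

/* Build a constructed packet (IPv4 with protocol 58, or IPv6 + ICMPv6 echo request),
 * decode it and run one validation. Returns 1 if it passes, 0 where a debug build aborts. */
int run_case(int ipv6, int fixed) {
    uint8_t buf[48];
    Packet p;
    memset(buf, 0, sizeof(buf));
    if (ipv6) {
        buf[0] = 0x60; buf[6] = PROTO_ICMPV6; buf[7] = 64; buf[40] = 128; /* echo request */
    } else {
        buf[0] = 0x45; buf[9] = PROTO_ICMPV6;   /* IPv4, IHL 5, proto 58 */
    }
    decode(&p, buf, sizeof(buf));
    return fixed ? validate_fixed(&p) : validate_old(&p);
}
```

Only the IPv4-with-proto-58 packet under the old check fails; the IPv6 packet passes both checks and the IPv4 packet passes the corrected one.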
Updated by E Ermer over 10 years ago
Defcon CTF pcaps can be downloaded using torrent:
http://defcon.org/html/torrent/DEF%20CON%2019%20ctf.torrent
http://defcon.org/html/torrent/DEF%20CON%2018%20ctf.torrent
There are some interesting differences between the v1.4.3 and v1.4.5 failures on detect.c assertions.
Where 1.4.3 failed on ICMPv6 (or not at all) v1.4.5 is failing on TCP traffic.
If you are able to download the Defcon 18 files, I suggest looking at the 200s. 0211 and 204 specifically cause errors.
Updated by Andreas Herz about 7 years ago
Is this still an issue with most recent suricata version?
Updated by Victor Julien about 7 years ago
Easy enough to validate I think Andreas.
Updated by Andreas Herz about 7 years ago
Well, I can't reproduce it, thus I'm asking. But I should also mention that `./configure --enable-unittests --enable-debug --enable-debug-validation` isn't valid anymore.
Updated by Victor Julien about 7 years ago
Guess you forgot to mention that in your ticket update :)
Updated by Andreas Herz about 7 years ago
- Status changed from Assigned to Closed
Closing then, since it's not reproducible anymore.