Bug #3349
Updated by Victor Julien about 5 years ago
Suricata 5.0 crashes during rule reload while performing flow detection. Backtrace:

```
#0  0x00007fb6ce86e337 in raise () from /lib64/libc.so.6
#1  0x00007fb6ce86fa28 in abort () from /lib64/libc.so.6
#2  0x00007fb6ce8b0e87 in __libc_message () from /lib64/libc.so.6
#3  0x00007fb6ce8b9679 in _int_free () from /lib64/libc.so.6
#4  0x00000000004aa43f in DetectEngineThreadCtxFree (det_ctx=0x7fb6a4a96ce0) at detect-engine.c:2559
#5  0x00000000004ad8f7 in DetectEngineThreadCtxDeinit (tv=<optimized out>, data=0x7fb6a4a96ce0) at detect-engine.c:2604
#6  0x00000000004ae090 in DetectEngineReloadThreads (new_de_ctx=new_de_ctx@entry=0xa8dcf20) at detect-engine.c:1543
#7  0x00000000004b1890 in DetectEngineReload (suri=suri@entry=0xa81100 <suricata>) at detect-engine.c:3681
#8  0x000000000041fd55 in SuricataMainLoop (suri=<optimized out>) at suricata.c:2860
#9  main (argc=<optimized out>, argv=<optimized out>) at suricata.c:3021
```

Reason:

```c
InspectionBuffer *InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
{
    InspectionBuffer *buffer = &det_ctx->inspect.buffers[list_id];
    if (buffer->inspect == NULL) {
        det_ctx->inspect.to_clear_queue[det_ctx->inspect.to_clear_idx++] = list_id;
    }
    return buffer;
}
```

det_ctx->inspect.to_clear_idx will exceed det_ctx->inspect.buffers_size at runtime, resulting in an out-of-bounds memory access.
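To make the failure mode visible outside Suricata, the following is an added, stand-alone model of the queue pattern quoted above beside a bounds-checked variant; it is not Suricata's code or its actual fix, and all names (ModelCtx, MODEL_CAP, ScenarioUnchecked, ScenarioChecked) are constructed for this example.

```c
/* Added illustration, not Suricata source: a model of the to_clear_queue
 * pattern from the report, plus a bounds-checked variant. All names here
 * (ModelCtx, MODEL_CAP, Scenario*) are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MODEL_CAP 4  /* stands in for det_ctx->inspect.buffers_size */

typedef struct { const uint8_t *inspect; } ModelBuffer;  /* NULL until set */

typedef struct {
    ModelBuffer buffers[MODEL_CAP];
    int to_clear_queue[MODEL_CAP];
    uint32_t to_clear_idx;
} ModelCtx;

/* Same shape as the reported function: every call that finds inspect == NULL
 * appends one queue entry, and nothing prevents the same list_id from being
 * queued again, so to_clear_idx keeps climbing. The store is guarded here
 * only to keep this model memory-safe; the returned index is the point. */
static uint32_t ModelGetUnchecked(ModelCtx *ctx, int list_id) {
    ModelBuffer *buffer = &ctx->buffers[list_id];
    if (buffer->inspect == NULL) {
        uint32_t idx = ctx->to_clear_idx++;
        if (idx < MODEL_CAP)  /* in the reported code this write is unguarded */
            ctx->to_clear_queue[idx] = list_id;
    }
    return ctx->to_clear_idx;
}

/* Hardened variant: refuse to enqueue once the queue is full and report it,
 * so the caller observes a failure instead of an out-of-bounds write. */
static int ModelGetChecked(ModelCtx *ctx, int list_id) {
    ModelBuffer *buffer = &ctx->buffers[list_id];
    if (buffer->inspect == NULL) {
        if (ctx->to_clear_idx >= MODEL_CAP)
            return -1;
        ctx->to_clear_queue[ctx->to_clear_idx++] = list_id;
    }
    return 0;
}

/* Drive each variant with `calls` lookups of list_id 0 on a fresh context and
 * return the final to_clear_idx; the checked variant also counts refusals. */
uint32_t ScenarioUnchecked(int calls) {
    ModelCtx ctx; memset(&ctx, 0, sizeof(ctx));
    uint32_t idx = 0;
    for (int i = 0; i < calls; i++) idx = ModelGetUnchecked(&ctx, 0);
    return idx;  /* with calls = 6 and MODEL_CAP = 4 this returns 6 */
}

uint32_t ScenarioChecked(int calls, int *refused) {
    ModelCtx ctx; memset(&ctx, 0, sizeof(ctx));
    *refused = 0;
    for (int i = 0; i < calls; i++)
        if (ModelGetChecked(&ctx, 0) < 0) (*refused)++;
    return ctx.to_clear_idx;  /* never exceeds MODEL_CAP */
}
```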