Security #6279

Updated by Simen Lybekk 9 months ago

During testing of Suricata 7.0, we've noticed that Suricata occasionally exits due to issues with SMTP traffic.

 - SCMd5Update+0x00000013 
 - MimeDecParseLine+0x00000101 
 - SMTPProcessRequest.isra.15+0x000004ba 
 - SMTPPreProcessCommands.isra.16+0x0000010b 
 - SMTPParse+0x00000157 
 - AppLayerParserParse+0x00000343 

 Removed: Some custom applayers are in use, but the MD5/SMTP code has not been touched. I'll look into testing without libunwind and the custom applayers.
 Added: The bug has been reproduced on suricata-7.0.0 (21ec99aa7).
 Quick testing with SMTP applayer set to detection only and the file logger being configured to force MD5 hashing suggests the issue isn't tied directly to the new Rust MD5 hashing. 

 Removed: We don't currently have any coredumps or PCAPs of the affected traffic. I'll update once we have more details on this front.
 Added: We have acquired a copy of the traffic that triggers the flow, and produced a minimal PCAP for reproducing this. Removing either the Received header or the PIPELINING feature flag stops the crash.
