Bug #1217
Updated by Victor Julien over 11 years ago
When using --unix-socket to send cap files to be analyzed to Suricata running as a daemon, we see Suricata may segfault in unix-manager.c, at line 529 (happens with Suricata 1.4.5, 1.4.7, 2.0.1, on Debian 7 64 bit):

<pre>
Program terminated with signal 11, Segmentation fault
#0  0x000000000069ee43 in UnixMain (this=0x9eb400) at unix-manager.c:529
        tv = {tv_sec = 0, tv_usec = 99923}
        ret = 1
        select_set = {fds_bits = {256, 0 <repeats 15 times>}}
        uclient = 0x202d203e
        __FUNCTION__ = "UnixMain"
#1  0x00000000006a2942 in UnixManagerThread (td=0x3ec90c0) at unix-manager.c:868
        th_v = 0x3ec90c0
        ret = 1
        __FUNCTION__ = "UnixManagerThread"
#2  0x00007ff7e629eb50 in start_thread (arg=<optimized out>) at pthread_create.c:304
        __res = <optimized out>
        pd = 0x7ff7e566b700
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140702682363648, 4220606397937000110, 140733771700112, 140702682364352, 140702708301888, 3, -4216123630546411858, -4216117486398300498}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#3  0x00007ff7e5b8c0ed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#4  0x0000000000000000 in ?? ()
</pre>

It looks like these lines are what triggers the segfault:

<pre>
TAILQ_FOREACH(uclient, &this->clients, next) {
    if (FD_ISSET(uclient->fd, &select_set)) {   // <<<< error here
        UnixCommandRun(this, uclient);
    }
}
</pre>

I see somewhere else TAILQ_FOREACH_SAFE is used, and actually UnixCommandRun() may end up calling TAILQ_REMOVE in UnixCommandClose(); I wonder if sometimes TAILQ_FOREACH could end up returning an invalid item and thereby triggering the segfault. The segfault happens often enough, and dumps always point to the same source, but it's not easy to reproduce; we may have to run Suricata for a while while sending pcap files to it.
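The hazard the report suspects, as an added example in C (not Suricata's code): a client list walked with TAILQ_FOREACH_SAFE so that the loop body may unlink and free the current entry. The uclient/clients/next names follow the report; the struct layouts, the helper names and the fallback definition of TAILQ_FOREACH_SAFE (for a <sys/queue.h> that lacks it) are assumptions of this example.

```c
#include <stdlib.h>
#include <sys/queue.h>

/* glibc's <sys/queue.h> may lack the _SAFE form; this is the BSD definition. */
#ifndef TAILQ_FOREACH_SAFE
#define TAILQ_FOREACH_SAFE(var, head, field, tvar)                  \
    for ((var) = TAILQ_FIRST((head));                               \
         (var) && ((tvar) = TAILQ_NEXT((var), field), 1);           \
         (var) = (tvar))
#endif

/* Names mirror the report's uclient/clients/next; the structs are assumed. */
typedef struct UnixClient_ { int fd; TAILQ_ENTRY(UnixClient_) next; } UnixClient;
typedef struct UnixServer_ { TAILQ_HEAD(, UnixClient_) clients; } UnixServer;

/* Stand-in for UnixCommandClose(): unlinks the client and frees it. */
static void UnixClientClose(UnixServer *this, UnixClient *uclient) {
    TAILQ_REMOVE(&this->clients, uclient, next);
    free(uclient);
}

/* The report's loop, where the body may close the current client. Plain
 * TAILQ_FOREACH steps via uclient->next.tqe_next AFTER the body ran, so a
 * body that freed uclient reads freed memory and can yield a bogus pointer
 * like the 0x202d203e in the backtrace. _SAFE saves the successor in tmp first. */
int UnixServerCloseIf(UnixServer *this, int (*should_close)(const UnixClient *)) {
    UnixClient *uclient, *tmp;
    int closed = 0;
    TAILQ_FOREACH_SAFE(uclient, &this->clients, next, tmp) {
        if (should_close(uclient)) {        /* e.g. FD_ISSET() then a close */
            UnixClientClose(this, uclient);
            closed++;
        }
    }
    return closed;
}

static int IsOddFd(const UnixClient *c) { return c->fd & 1; }

/* Constructed scenario: queue clients fd 3..6 and close the odd ones.
 * Returns the number closed; *remaining gets how many were still queued. */
int DemoCloseOdd(int *remaining) {
    UnixServer s; UnixClient *c; int fd, closed;
    TAILQ_INIT(&s.clients);
    for (fd = 3; fd <= 6; fd++) {
        c = calloc(1, sizeof(*c));
        c->fd = fd;
        TAILQ_INSERT_TAIL(&s.clients, c, next);
    }
    closed = UnixServerCloseIf(&s, IsOddFd);
    for (*remaining = 0; !TAILQ_EMPTY(&s.clients); (*remaining)++)
        UnixClientClose(&s, TAILQ_FIRST(&s.clients));     /* drain and free */
    return closed;
}
```

Running DemoCloseOdd under a memory checker such as Valgrind or ASan stays clean; swapping TAILQ_FOREACH_SAFE for TAILQ_FOREACH in UnixServerCloseIf turns the step into a read of freed memory.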