Bug #1217

Updated by Victor Julien over 8 years ago

When using --unix-socket to send cap files to be analyzed by Suricata running as a daemon, we see that Suricata may segfault in unix-manager.c, at line 529 (this happens with Suricata 1.4.5, 1.4.7 and 2.0.1, on Debian 7 64-bit):

 <pre> 
 Program terminated with signal 11, Segmentation fault 

 #0    0x000000000069ee43 in UnixMain (this=0x9eb400) at unix-manager.c:529 
         tv = {tv_sec = 0, tv_usec = 99923} 
         ret = 1 
         select_set = {fds_bits = {256, 0 <repeats 15 times>}} 
         uclient = 0x202d203e 
         __FUNCTION__ = "UnixMain" 
 #1    0x00000000006a2942 in UnixManagerThread (td=0x3ec90c0) at unix-manager.c:868 
         th_v = 0x3ec90c0 
         ret = 1 
         __FUNCTION__ = "UnixManagerThread" 
 #2    0x00007ff7e629eb50 in start_thread (arg=<optimized out>) at pthread_create.c:304 
         __res = <optimized out> 
         pd = 0x7ff7e566b700 
         unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140702682363648, 4220606397937000110, 140733771700112,  
 140702682364352, 140702708301888, 3, -4216123630546411858, -4216117486398300498}, mask_was_saved = 0}},  
 priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} 
         not_first_call = <optimized out> 
         freesize = <optimized out> 
         __PRETTY_FUNCTION__ = "start_thread" 
 #3    0x00007ff7e5b8c0ed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112 
 No locals. 
 #4    0x0000000000000000 in ?? () 
 </pre> 

 It looks like these lines are what triggers the segfault:

 <pre> 
 TAILQ_FOREACH(uclient, &this->clients, next) { 
         if (FD_ISSET(uclient->fd, &select_set)) {       // <<<< error here 
             UnixCommandRun(this, uclient); 
         } 
 } 
 </pre> 

 I see TAILQ_FOREACH_SAFE is used somewhere else, and UnixCommandRun() may actually end up calling TAILQ_REMOVE in UnixCommandClose(), so I wonder if TAILQ_FOREACH could sometimes end up returning an invalid item and thereby trigger the segfault. The segfault happens often enough, and the dumps always point to the same source, but it's not easy to reproduce; we may have to run Suricata for a while, sending pcap files to it.
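The iteration hazard the report describes, reduced to a stand-alone C program. This is an added illustration, not Suricata's code: `struct client`, `client_run()` and `client_close()` are hypothetical stand-ins for the unix-manager client struct, UnixCommandRun() and UnixCommandClose(), and the client list is constructed in `build_list()`. The BSD definition of TAILQ_FOREACH_SAFE is supplied because glibc's `<sys/queue.h>` does not have it (Suricata carries its own queue.h). `run_clients_unsafe()` is the loop from the report; `run_clients_safe()` is the same loop with the successor saved before the body runs.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/queue.h>

/* glibc's <sys/queue.h> has no TAILQ_FOREACH_SAFE; this is the BSD
 * definition (Suricata ships the same macro in its own queue.h). */
#ifndef TAILQ_FOREACH_SAFE
#define TAILQ_FOREACH_SAFE(var, head, field, tvar)          \
    for ((var) = TAILQ_FIRST((head));                       \
         (var) && ((tvar) = TAILQ_NEXT((var), field), 1);   \
         (var) = (tvar))
#endif

/* Hypothetical stand-in for a unix-socket client (not Suricata's struct). */
struct client {
    int wants_close;            /* set if the command it ran asked to close */
    TAILQ_ENTRY(client) next;
};
TAILQ_HEAD(client_list, client);

/* Stand-in for UnixCommandClose(): unlink and free; the poison makes a
 * stale read of the freed client's next pointer obvious. */
static void client_close(struct client_list *list, struct client *c)
{
    TAILQ_REMOVE(list, c, next);
    memset(c, 0xAB, sizeof(*c));
    free(c);
}

/* Stand-in for UnixCommandRun(): may close the client inside the loop body. */
static void client_run(struct client_list *list, struct client *c)
{
    if (c->wants_close)
        client_close(list, c);
}

/* The loop from the report. TAILQ_FOREACH reads c->next.tqe_next only after
 * the body returns, so if client_run() freed c the successor comes from freed
 * memory. It works by luck for as long as no client closes. */
static void run_clients_unsafe(struct client_list *list)
{
    struct client *c;
    TAILQ_FOREACH(c, list, next)
        client_run(list, c);
}

/* The fix: the successor is saved in tmp before the body runs, so the body
 * is free to unlink and free c. */
static void run_clients_safe(struct client_list *list)
{
    struct client *c, *tmp;
    TAILQ_FOREACH_SAFE(c, list, next, tmp)
        client_run(list, c);
}

/* Constructed input: n clients; client i closes if bit i of close_mask is set. */
static struct client_list *build_list(int n, unsigned close_mask)
{
    struct client_list *list = malloc(sizeof(*list));
    TAILQ_INIT(list);
    for (int i = 0; i < n; i++) {
        struct client *c = calloc(1, sizeof(*c));
        c->wants_close = (close_mask >> i) & 1;
        TAILQ_INSERT_TAIL(list, c, next);
    }
    return list;
}

/* Close every remaining client (safely) and return how many there were. */
static int free_list(struct client_list *list)
{
    struct client *c, *tmp;
    int n = 0;
    TAILQ_FOREACH_SAFE(c, list, next, tmp) {
        client_close(list, c);
        n++;
    }
    free(list);
    return n;
}

/* Safe loop over a constructed list; returns how many clients survive it. */
static int safe_loop_survivors(int n, unsigned close_mask)
{
    struct client_list *list = build_list(n, close_mask);
    run_clients_safe(list);
    return free_list(list);
}

/* The unsafe loop, exercised only with nobody closing (the case in which the
 * bug stays hidden); returns how many clients are left, which is all of them. */
static int unsafe_loop_nobody_closes(int n)
{
    struct client_list *list = build_list(n, 0);
    run_clients_unsafe(list);
    return free_list(list);
}
```

`safe_loop_survivors(4, 0x6)` runs four clients of which the second and third close mid-loop and returns 2; `unsafe_loop_nobody_closes(3)` returns 3. Calling `run_clients_unsafe()` on a list in which any client closes would read the freed client's `next` pointer, which is the intermittent crash the report describes: it only shows once a command handler happens to close its connection during the loop.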
