
Bug #1555

Updated by Victor Julien over 8 years ago

<pre> 
 uname -a 
 OpenBSD fw 5.7 GENERIC.MP#767 i386 

 suricata -V 
 This is Suricata version 2.1dev (rev 4a73802) 

 gdb suricata suricata.core 
 GNU gdb 6.3 
 Copyright 2004 Free Software Foundation, Inc. 
 GDB is free software, covered by the GNU General Public License, and you are 
 welcome to change it and/or distribute copies of it under certain conditions. 
 Type "show copying" to see the conditions. 
 There is absolutely no warranty for GDB.    Type "show warranty" for details. 
 This GDB was configured as "i386-unknown-openbsd5.7"... 
 Core was generated by `suricata'. 
 Program terminated with signal 11, Segmentation fault. 
 Reading symbols from /usr/lib/libpthread.so.18.1...done. 
 Loaded symbols for /usr/lib/libpthread.so.18.1 
 Loaded symbols for /usr/local/bin/suricata 
 Reading symbols from /usr/local/lib/libhtp.so.1.0...done. 
 Loaded symbols for /usr/local/lib/libhtp.so.1.0 
 Reading symbols from /usr/local/lib/libGeoIP.so.9.0...done. 
 Loaded symbols for /usr/local/lib/libGeoIP.so.9.0 
 Reading symbols from /usr/local/lib/libmagic.so.4.2...done. 
 Loaded symbols for /usr/local/lib/libmagic.so.4.2 
 Reading symbols from /usr/lib/libz.so.5.0...done. 
 Loaded symbols for /usr/lib/libz.so.5.0 
 Reading symbols from /usr/local/lib/libiconv.so.6.0...done. 
 Loaded symbols for /usr/local/lib/libiconv.so.6.0 
 Reading symbols from /usr/lib/libpcap.so.8.0...done. 
 Loaded symbols for /usr/lib/libpcap.so.8.0 
 Reading symbols from /usr/local/lib/libnet.so.11.0...done. 
 Loaded symbols for /usr/local/lib/libnet.so.11.0 
 Reading symbols from /usr/local/lib/libjansson.so.1.0...done. 
 Loaded symbols for /usr/local/lib/libjansson.so.1.0 
 Symbols already loaded for /usr/lib/libpthread.so.18.1 
 Reading symbols from /usr/local/lib/libyaml.so.0.0...done. 
 Loaded symbols for /usr/local/lib/libyaml.so.0.0 
 Reading symbols from /usr/local/lib/libpcre.so.3.0...done. 
 Loaded symbols for /usr/local/lib/libpcre.so.3.0 
 Reading symbols from /usr/local/lib/libplds4.so.23.1...done. 
 Loaded symbols for /usr/local/lib/libplds4.so.23.1 
 Reading symbols from /usr/local/lib/libplc4.so.23.1...done. 
 Loaded symbols for /usr/local/lib/libplc4.so.23.1 
 Reading symbols from /usr/local/lib/libnspr4.so.23.1...done. 
 Loaded symbols for /usr/local/lib/libnspr4.so.23.1 
 Reading symbols from /usr/lib/libc.so.78.1...done. 
 Loaded symbols for /usr/lib/libc.so.78.1 
 Reading symbols from /usr/libexec/ld.so...done. 
 Loaded symbols for /usr/libexec/ld.so 
 #0    memcpy (dst0=0x7b376a08, src0=0x7b97336f, length=0) 
     at /usr/src/lib/libc/string/memcpy.c:88 
 88                        TLOOP1(*dst++ = *src++); 
 (gdb) print dst 
 $1 = 0x7b43d699 "" 
 (gdb) print src 
 $2 = 0x7ba3a000 <Address 0x7ba3a000 out of bounds> 
 (gdb) where 
 #0    memcpy (dst0=0x7b376a08, src0=0x7b97336f, length=0) 
     at /usr/src/lib/libc/string/memcpy.c:88 
 #1    0x1ac0ea3a in PacketCopyData (p=0x7b376550, pktdata=0x7b97336f "", pktlen=-83919010) 
     at decode.c:229 
 #2    0x1ad292de in PcapCallbackLoop (user=0x833c7500 "", h=0x7b96c7f0, pkt=0x7b97336f "") 
     at source-pcap.c:253 
 #3    0x0190928d in pcap_read (p=0x8b64ae00, cnt=64, callback=0x1ad29220 <PcapCallbackLoop>,  
     user=0x833c7500 "") at /usr/src/lib/libpcap/pcap-bpf.c:188 
 #4    0x01907b9d in pcap_dispatch (p=0x8b64ae00, cnt=64,  
     callback=0x1ad29220 <PcapCallbackLoop>, user=0x833c7500 "") 
     at /usr/src/lib/libpcap/pcap.c:59 
 #5    0x1ad29702 in ReceivePcapLoop (tv=0x7ad63f80, data=0x833c7500, slot=0x7fde6a00) 
     at source-pcap.c:316 
 #6    0x1ad51f73 in TmThreadsSlotPktAcqLoop (td=0x7ad63f80) at tm-threads.c:336 
 #7    0x0f00580e in _rthread_start (v=0x7ad19e00) at /usr/src/lib/librthread/rthread.c:145 
 #8    0x0d2c2b06 in __tfork_thread () at /usr/src/lib/libc/arch/i386/sys/tfork_thread.S:95 
 (gdb) up 
 #1    0x1ac0ea3a in PacketCopyData (p=0x7b376550, pktdata=0x7b97336f "", pktlen=-83919010) 
     at decode.c:229 
 229               memcpy(p->ext_pkt + offset, data, datalen); 
 (gdb) print *p 
 $3 = {src = {family = 0 '\0', address = {address_un_data32 = {0, 0, 0, 0},  
       address_un_data16 = {0, 0, 0, 0, 0, 0, 0, 0},  
       address_un_data8 = '\0' <repeats 15 times>}}, dst = {family = 0 '\0', address = { 
       address_un_data32 = {0, 0, 0, 0}, address_un_data16 = {0, 0, 0, 0, 0, 0, 0, 0},  
       address_un_data8 = '\0' <repeats 15 times>}}, {sp = 0, type = 0 '\0'}, {dp = 0,  
     code = 0 '\0'}, proto = 0 '\0', recursion_level = 0 '\0', vlan_id = {0, 0},  
   vlan_idx = 0 '\0', flowflags = 0 '\0', flags = 0, flow = 0x0, ts = {tv_sec = 528,  
     tv_usec = 65554}, {pcap_v = {tenant_id = 0}},  
   ReleasePacket = 0x1ad4b070 <PacketPoolReturnPacket>, pktvar = 0x0, ethh = 0x0,  
   level3_comp_csum = -1, level4_comp_csum = -1, ip4h = 0x0, ip6h = 0x0, {ip4vars = { 
       comp_csum = 0, ip_src_u32 = 0, ip_dst_u32 = 0, ip_opts = {{type = 0 '\0',  
           len = 0 '\0', data = 0x7b376a2c ""}, {type = 0 '\0', len = 0 '\0',  
           data = 0x0} <repeats 39 times>}, ip_opt_cnt = 0 '\0', o_rr = 0x0, o_qs = 0x0,  
       o_ts = 0x0, o_sec = 0x0, o_lsrr = 0x0, o_cipso = 0x0, o_sid = 0x0, o_ssrr = 0x0,  
       o_rtralt = 0x0}, {ip6vars = {ip_opts_len = 0 '\0', l4proto = 0 '\0'}, ip6eh = { 
         ip6fh = 0x0, fh_offset = 0, ip6rh = 0x0, ip6ah = 0x7b376a2c, ip6eh = 0x0,  
         ip6dh1 = 0x0, ip6dh2 = 0x0, ip6hh = 0x0, ip6hh_opt_hao = {ip6hao_type = 0 '\0',  
           ip6hao_len = 0 '\0', ip6hao_hoa = {__u6_addr = { 
               __u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0,  
                 0}, __u6_addr32 = {0, 0, 0, 0}}}}, ip6hh_opt_ra = {ip6ra_type = 0 '\0',  
           ip6ra_len = 0 '\0', ip6ra_value = 0}, ip6hh_opt_jumbo = {ip6j_type = 0 '\0',  
           ip6j_len = 0 '\0', ip6j_payload_len = 0}, ip6dh1_opt_hao = { 
           ip6hao_type = 0 '\0', ip6hao_len = 0 '\0', ip6hao_hoa = {__u6_addr = { 
               __u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0,  
                 0}, __u6_addr32 = {0, 0, 0, 0}}}}, ip6dh1_opt_ra = {ip6ra_type = 0 '\0',  
           ip6ra_len = 0 '\0', ip6ra_value = 0}, ip6dh1_opt_jumbo = {ip6j_type = 0 '\0',  
           ip6j_len = 0 '\0', ip6j_payload_len = 0}, ip6dh2_opt_hao = { 
           ip6hao_type = 0 '\0', ip6hao_len = 0 '\0', ip6hao_hoa = {__u6_addr = { 
               __u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0,  
                 0}, __u6_addr32 = {0, 0, 0, 0}}}}, ip6dh2_opt_ra = {ip6ra_type = 0 '\0',  
           ip6ra_len = 0 '\0', ip6ra_value = 0}, ip6dh2_opt_jumbo = {ip6j_type = 0 '\0',  
           ip6j_len = 0 '\0', ip6j_payload_len = 0}, ip6_exthdrs = {{type = 0 '\0',  
             next = 0 '\0', len = 0 '\0', data = 0x0} <repeats 40 times>},  
         ip6_exthdrs_cnt = 0 '\0'}}}, {tcpvars = {tcp_opt_cnt = 0 '\0', tcp_opts = {{ 
           type = 8 '\b', len = 10 '\n', data = 0x7b376a42 ""}, {type = 4 '\004',  
           len = 2 '\002', data = 0x7b376a44 ""}, {type = 8 '\b', len = 10 '\n',  
           data = 0x7b376a46 ""}, {type = 3 '\003', len = 3 '\003', data = 0x7b376a51 ""}, { 
           type = 0 '\0', len = 0 '\0', data = 0x0} <repeats 16 times>}, ts = 0x0,  
       sack = 0x0, sackok = 0x0, ws = 0x0, mss = 0x0}, udpvars = {<No data fields>},  
     icmpv4vars = {id = 0, seq = 0, mtu = 2568, error_ptr = 2067229250, emb_ipv4h = 0x204,  
       emb_tcph = 0x7b376a44, emb_udph = 0xa08, emb_icmpv4h = 0x7b376a46, emb_ip4_src = { 
         s_addr = 771}, emb_ip4_dst = {s_addr = 2067229265}, emb_ip4_hlen = 0 '\0',  
       emb_ip4_proto = 0 '\0', emb_sport = 0, emb_dport = 0}, icmpv6vars = {id = 0,  
       seq = 0, mtu = 2568, error_ptr = 2067229250, emb_ipv6h = 0x204,  
       emb_tcph = 0x7b376a44, emb_udph = 0xa08, emb_icmpv6h = 0x7b376a46, emb_ip6_src = { 
         771, 2067229265, 0, 0}, emb_ip6_dst = {0, 0, 0, 0}, emb_ip6_proto_next = 0 '\0',  
       emb_sport = 0, emb_dport = 0}}, tcph = 0x0, udph = 0x0, sctph = 0x0, icmpv4h = 0x0,  
   icmpv6h = 0x0, ppph = 0x0, pppoesh = 0x0, pppoedh = 0x0, greh = 0x0, vlanh = {0x0, 0x0},  
   payload = 0x0, payload_len = 0, action = 0 '\0', pkt_src = 1 '\001',  
   pktlen = 4211048286, ext_pkt = 0x0, livedev = 0x8398bd80, alerts = {cnt = 0, alerts = {{ 
         num = 17151, action = 1 '\001', flags = 0 '\0', s = 0x8307d000, tx_id = 0}, { 
         num = 17151, action = 1 '\001', flags = 0 '\0', s = 0x8307d000, tx_id = 0}, { 
         num = 0, action = 0 '\0', flags = 0 '\0', s = 0x0, tx_id = 0} <repeats 13 times>},  
     drop = {num = 0, action = 0 '\0', flags = 0 '\0', s = 0x0, tx_id = 0}},  
   host_src = 0x0, host_dst = 0x0, pcap_cnt = 0, events = {cnt = 0 '\0',  
     events = "\210w", '\0' <repeats 12 times>}, app_layer_events = 0x0, next = 0x0,  
   prev = 0x0, datalink = 1, debuglog_flowbits_names_len = 0,  
   debuglog_flowbits_names = 0x0, root = 0x0, tunnel_mutex = 0x877d14c0,  
   tunnel_rtv_cnt = 0, tunnel_tpr_cnt = 0, tenant_id = 0, pool = 0x7acd8600} 
 (gdb) print pktlen 
 $4 = -83919010 
 (gdb) print pktdata 
 $5 = (uint8_t *) 0x7b97336f "" 
 (gdb) print *pktdata 
 $6 = 0 '\0' 
 (gdb) up 
 #2    0x1ad292de in PcapCallbackLoop (user=0x833c7500 "", h=0x7b96c7f0, pkt=0x7b97336f "") 
     at source-pcap.c:253 
 253           if (unlikely(PacketCopyData(p, pkt, h->caplen))) { 
 (gdb) print *p 
 $7 = {src = {family = 0 '\0', address = {address_un_data32 = {0, 0, 0, 0},  
       address_un_data16 = {0, 0, 0, 0, 0, 0, 0, 0},  
       address_un_data8 = '\0' <repeats 15 times>}}, dst = {family = 0 '\0', address = { 
       address_un_data32 = {0, 0, 0, 0}, address_un_data16 = {0, 0, 0, 0, 0, 0, 0, 0},  
       address_un_data8 = '\0' <repeats 15 times>}}, {sp = 0, type = 0 '\0'}, {dp = 0,  
     code = 0 '\0'}, proto = 0 '\0', recursion_level = 0 '\0', vlan_id = {0, 0},  
   vlan_idx = 0 '\0', flowflags = 0 '\0', flags = 0, flow = 0x0, ts = {tv_sec = 528,  
     tv_usec = 65554}, {pcap_v = {tenant_id = 0}},  
   ReleasePacket = 0x1ad4b070 <PacketPoolReturnPacket>, pktvar = 0x0, ethh = 0x0,  
   level3_comp_csum = -1, level4_comp_csum = -1, ip4h = 0x0, ip6h = 0x0, {ip4vars = { 
       comp_csum = 0, ip_src_u32 = 0, ip_dst_u32 = 0, ip_opts = {{type = 0 '\0',  
           len = 0 '\0', data = 0x7b376a2c ""}, {type = 0 '\0', len = 0 '\0',  
           data = 0x0} <repeats 39 times>}, ip_opt_cnt = 0 '\0', o_rr = 0x0, o_qs = 0x0,  
       o_ts = 0x0, o_sec = 0x0, o_lsrr = 0x0, o_cipso = 0x0, o_sid = 0x0, o_ssrr = 0x0,  
       o_rtralt = 0x0}, {ip6vars = {ip_opts_len = 0 '\0', l4proto = 0 '\0'}, ip6eh = { 
         ip6fh = 0x0, fh_offset = 0, ip6rh = 0x0, ip6ah = 0x7b376a2c, ip6eh = 0x0,  
         ip6dh1 = 0x0, ip6dh2 = 0x0, ip6hh = 0x0, ip6hh_opt_hao = {ip6hao_type = 0 '\0',  
           ip6hao_len = 0 '\0', ip6hao_hoa = {__u6_addr = { 
               __u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0,  
                 0}, __u6_addr32 = {0, 0, 0, 0}}}}, ip6hh_opt_ra = {ip6ra_type = 0 '\0',  
           ip6ra_len = 0 '\0', ip6ra_value = 0}, ip6hh_opt_jumbo = {ip6j_type = 0 '\0',  
           ip6j_len = 0 '\0', ip6j_payload_len = 0}, ip6dh1_opt_hao = { 
           ip6hao_type = 0 '\0', ip6hao_len = 0 '\0', ip6hao_hoa = {__u6_addr = { 
               __u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0,  
                 0}, __u6_addr32 = {0, 0, 0, 0}}}}, ip6dh1_opt_ra = {ip6ra_type = 0 '\0',  
           ip6ra_len = 0 '\0', ip6ra_value = 0}, ip6dh1_opt_jumbo = {ip6j_type = 0 '\0',  
           ip6j_len = 0 '\0', ip6j_payload_len = 0}, ip6dh2_opt_hao = { 
           ip6hao_type = 0 '\0', ip6hao_len = 0 '\0', ip6hao_hoa = {__u6_addr = { 
               __u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0,  
                 0}, __u6_addr32 = {0, 0, 0, 0}}}}, ip6dh2_opt_ra = {ip6ra_type = 0 '\0',  
           ip6ra_len = 0 '\0', ip6ra_value = 0}, ip6dh2_opt_jumbo = {ip6j_type = 0 '\0',  
           ip6j_len = 0 '\0', ip6j_payload_len = 0}, ip6_exthdrs = {{type = 0 '\0',  
             next = 0 '\0', len = 0 '\0', data = 0x0} <repeats 40 times>},  
         ip6_exthdrs_cnt = 0 '\0'}}}, {tcpvars = {tcp_opt_cnt = 0 '\0', tcp_opts = {{ 
           type = 8 '\b', len = 10 '\n', data = 0x7b376a42 ""}, {type = 4 '\004',  
           len = 2 '\002', data = 0x7b376a44 ""}, {type = 8 '\b', len = 10 '\n',  
           data = 0x7b376a46 ""}, {type = 3 '\003', len = 3 '\003', data = 0x7b376a51 ""}, { 
           type = 0 '\0', len = 0 '\0', data = 0x0} <repeats 16 times>}, ts = 0x0,  
       sack = 0x0, sackok = 0x0, ws = 0x0, mss = 0x0}, udpvars = {<No data fields>},  
     icmpv4vars = {id = 0, seq = 0, mtu = 2568, error_ptr = 2067229250, emb_ipv4h = 0x204,  
       emb_tcph = 0x7b376a44, emb_udph = 0xa08, emb_icmpv4h = 0x7b376a46, emb_ip4_src = { 
         s_addr = 771}, emb_ip4_dst = {s_addr = 2067229265}, emb_ip4_hlen = 0 '\0',  
       emb_ip4_proto = 0 '\0', emb_sport = 0, emb_dport = 0}, icmpv6vars = {id = 0,  
       seq = 0, mtu = 2568, error_ptr = 2067229250, emb_ipv6h = 0x204,  
       emb_tcph = 0x7b376a44, emb_udph = 0xa08, emb_icmpv6h = 0x7b376a46, emb_ip6_src = { 
         771, 2067229265, 0, 0}, emb_ip6_dst = {0, 0, 0, 0}, emb_ip6_proto_next = 0 '\0',  
       emb_sport = 0, emb_dport = 0}}, tcph = 0x0, udph = 0x0, sctph = 0x0, icmpv4h = 0x0,  
   icmpv6h = 0x0, ppph = 0x0, pppoesh = 0x0, pppoedh = 0x0, greh = 0x0, vlanh = {0x0, 0x0},  
   payload = 0x0, payload_len = 0, action = 0 '\0', pkt_src = 1 '\001',  
   pktlen = 4211048286, ext_pkt = 0x0, livedev = 0x8398bd80, alerts = {cnt = 0, alerts = {{ 
         num = 17151, action = 1 '\001', flags = 0 '\0', s = 0x8307d000, tx_id = 0}, { 
         num = 17151, action = 1 '\001', flags = 0 '\0', s = 0x8307d000, tx_id = 0}, { 
         num = 0, action = 0 '\0', flags = 0 '\0', s = 0x0, tx_id = 0} <repeats 13 times>},  
     drop = {num = 0, action = 0 '\0', flags = 0 '\0', s = 0x0, tx_id = 0}},  
   host_src = 0x0, host_dst = 0x0, pcap_cnt = 0, events = {cnt = 0 '\0',  
     events = "\210w", '\0' <repeats 12 times>}, app_layer_events = 0x0, next = 0x0,  
   prev = 0x0, datalink = 1, debuglog_flowbits_names_len = 0,  
   debuglog_flowbits_names = 0x0, root = 0x0, tunnel_mutex = 0x877d14c0,  
   tunnel_rtv_cnt = 0, tunnel_tpr_cnt = 0, tenant_id = 0, pool = 0x7acd8600} 
 (gdb) up 
 #3    0x0190928d in pcap_read (p=0x8b64ae00, cnt=64, callback=0x1ad29220 <PcapCallbackLoop>,  
     user=0x833c7500 "") at /usr/src/lib/libpcap/pcap-bpf.c:188 
 188                       (*callback)(user, (struct pcap_pkthdr*)bp, bp + hdrlen); 
 (gdb) print *bp 
 $8 = 16 '\020' 
 (gdb)  
 (gdb) print hdrlen 
 $9 = 27519 
 (gdb) print user 
 $10 = (u_char *) 0x833c7500 "" 
 (gdb) print *user 
 $11 = 0 '\0' 
 (gdb) up 
 #4    0x01907b9d in pcap_dispatch (p=0x8b64ae00, cnt=64,  
     callback=0x1ad29220 <PcapCallbackLoop>, user=0x833c7500 "") 
     at /usr/src/lib/libpcap/pcap.c:59 
 59                return (pcap_read(p, cnt, callback, user)); 
 (gdb) print *p 
 $12 = {fd = 9, snapshot = 1516, linktype = 1, tzoff = 0, offset = 0, activated = 1,  
   oldstyle = 0, break_loop = 0, sf = {rfile = 0x0, swapped = 0, version_major = 0,  
     version_minor = 0, base = 0x0}, md = {stat = {ps_recv = 0, ps_drop = 0,  
       ps_ifdrop = 0}, use_bpf = 0, TotPkts = 0, TotAccepted = 0, TotDrops = 0,  
     TotMissed = 0, OrigMissed = 0, timeout = 500, must_do_on_close = 0, next = 0x0},  
   opt = {buffer_size = 0, source = 0x7be25610 "em0", promisc = 1, rfmon = 0},  
   bufsize = 32768, buffer = 0x7b966000 "+{?Usk\b", bp = 0x7b96b384 "\004\016", cc = 0,  
   pkt = 0x0, fcode = {bf_len = 0, bf_insns = 0x0}, dlt_count = 1, dlt_list = 0x80f150e0,  
   errbuf = '\0' <repeats 255 times>, pcap_header = {ts = {tv_sec = 0, tv_usec = 0},  
     caplen = 0, len = 0}} 

 </pre> 
