Bug #2274
Updated by Victor Julien almost 7 years ago
If someone accidentally writes invalid characters in some parts of the suricata.yaml config file, the size parameter of the ParseSizeString function becomes NULL and gets dereferenced. Suricata crashes with SEGV.

Here is an example. The following config value leads to a segfault:

<pre>
app-layer.protocols.smtp.inspected-tracker.content-inspect-window: *4096
</pre>

This is the ASAN output:

<pre>
ASAN:DEADLYSIGNAL
=================================================================
==16376==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff391ea3646 bp 0x7ffd38ec1300 sp 0x7ffd38ec0a88 T0)
    #0 0x7ff391ea3645 in strlen (/lib/x86_64-linux-gnu/libc.so.6+0x80645)
    #1 0x7ff3956baeec (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3beec)
    #2 0x5563ffcb566c in ParseSizeString /root/suricata-1/src/util-misc.c:78
    #3 0x5563ffcb6671 in ParseSizeStringU32 /root/suricata-1/src/util-misc.c:179
    #4 0x5563ff8c0d14 in SMTPConfigure /root/suricata-1/src/app-layer-smtp.c:316
    #5 0x5563ff8cde4b in RegisterSMTPParsers /root/suricata-1/src/app-layer-smtp.c:1687
    #6 0x5563ff8b26b7 in AppLayerParserRegisterProtocolParsers /root/suricata-1/src/app-layer-parser.c:1381
    #7 0x5563ff7f5dac in AppLayerSetup /root/suricata-1/src/app-layer.c:750
    #8 0x5563ffc2ca23 in PostConfLoadedSetup /root/suricata-1/src/suricata.c:2626
    #9 0x5563ffc2e4f2 in main /root/suricata-1/src/suricata.c:2892
    #10 0x7ff391e432b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #11 0x5563ff7d2d39 in _start (/usr/local/bin/suricata+0xc7d39)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x80645) in strlen
==16376==ABORTING
</pre>
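The kind of guard that avoids the crash in the trace above, as an added example that is not part of the original report and is not Suricata's code. `parse_size_u32` is a hypothetical function; its kb/mb/gb suffix set and its 0/-1 return convention are assumptions. It rejects a NULL or malformed size string before any `strlen()`-style access, so a bad config value becomes a startup error instead of a SEGV.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not Suricata's ParseSizeString): turns "4096", "4kb"
 * or " 1 MB" into a byte count. Returns 0 on success, -1 on invalid input. */
int parse_size_u32(const char *size, uint32_t *res)
{
    if (res == NULL)
        return -1;
    *res = 0;
    if (size == NULL)                     /* guard before strlen()/parsing */
        return -1;
    while (isspace((unsigned char)*size))
        size++;
    if (!isdigit((unsigned char)*size))   /* rejects "", "*4096", "-1" */
        return -1;
    char *end = NULL;
    unsigned long long n = strtoull(size, &end, 10); /* saturates on overflow */
    while (isspace((unsigned char)*end))
        end++;
    uint64_t mult = 1;
    if (*end != '\0') {                   /* optional kb/mb/gb suffix */
        if (tolower((unsigned char)end[1]) != 'b' || end[2] != '\0')
            return -1;
        switch (tolower((unsigned char)end[0])) {
        case 'k': mult = 1ULL << 10; break;
        case 'm': mult = 1ULL << 20; break;
        case 'g': mult = 1ULL << 30; break;
        default:  return -1;
        }
    }
    if (n > UINT32_MAX / mult)            /* result must fit in 32 bits */
        return -1;
    *res = (uint32_t)(n * mult);
    return 0;
}

int main(void)
{
    const char *samples[] = { NULL, "*4096", "4096", "4kb", "4gb" }; /* constructed */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t v;
        int rc = parse_size_u32(samples[i], &v);
        printf("%s -> rc=%d value=%u\n", samples[i] ? samples[i] : "(null)", rc, (unsigned)v);
    }
    return 0;
}
```

A caller that configures a subsystem from this value should treat -1 as a fatal configuration error and name the offending key in the log message.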