Bug #2498: Lua file output script causes a segfault when protocol is not HTTP - Suricata - Open Information Security Foundation

Bug #2498

Updated by Victor Julien almost 6 years ago

When Suricata is configured with a Lua output script that calls SCFileInfo(), any file that is transferred over any protocol other than HTTP causes Suricata to segfault. This is due to the fact that in output-lua.c/LuaFileLogger() around line 326, HTTP is the hard-coded protocol for a call to AppLayerParserGetTx(). This in turn triggers a non-existent index into htp_list_array_get() when the tx hasn't passed through libhtp - due to it being non-HTTP traffic. 

 <pre> ----- 
 (gdb) bt 
 #0    0x00000371ad6d9a22 in htp_list_array_get (l=0x3719472da30, idx=<optimized out>) at htp_list.c:92 
 #1    0x0000000000482f02 in AppLayerParserGetTx (ipproto=<optimized out>, alproto=alproto@entry=1, alstate=alstate@entry=0x3719478aa80, tx_id=0) at app-layer-parser.c:979 
 #2    0x0000000000609b2d in LuaFileLogger (tv=0x7563590, thread_data=0x37194715a10, p=0x371944d8170, ff=0x3719482e330) at output-lua.c:326 
 #3    0x00000000005e3475 in OutputFileLogFfc (tv=tv@entry=0x7563590, op_thread_data=op_thread_data@entry=0x37194705990, p=p@entry=0x371944d8170, ffc=ffc@entry=0x37194798ea0, file_close=file_close@entry=false, 
     file_trunc=file_trunc@entry=false) at output-file.c:130 
 #4    0x00000000005e3929 in OutputFileLog (tv=0x7563590, p=0x371944d8170, thread_data=0x37194705990) at output-file.c:179 
 #5    0x00000000005e247d in OutputLoggerLog (tv=tv@entry=0x7563590, p=p@entry=0x371944d8170, thread_data=<optimized out>) at output.c:917 
 #6    0x00000000005be547 in FlowWorker (tv=0x7563590, p=0x371944d8170, data=0x371944fea60, preq=0x689f070, unused=<optimized out>) at flow-worker.c:263 
 #7    0x00000000006b25bb in TmThreadsSlotVarRun (tv=tv@entry=0x7563590, p=p@entry=0x371944d8170, slot=slot@entry=0x431b140) at tm-threads.c:145 
 #8    0x0000000000634e1e in TmThreadsSlotProcessPkt (p=0x371944d8170, s=0x431b140, tv=0x7563590) at tm-threads.h:147 
 #9    AFPReadFromRing (ptv=0x371944d8b20) at source-af-packet.c:1011 
 #10 0x0000000000636845 in ReceiveAFPLoop (tv=0x7563590, data=0x371944d8b20, slot=<optimized out>) at source-af-packet.c:1559 
 #11 0x00000000006b3b3c in TmThreadsSlotPktAcqLoop (td=0x7563590) at tm-threads.c:348 
 #12 0x00000371ac1ec637 in start_thread () from /lib64/libpthread.so.0 
 #13 0x00000371a9386e8f in clone () from /lib64/libc.so.6 
 </pre> ----- 

 Steps to reproduce: 
 1. Build a (skeleton) Lua output script containing an SCFileInfo() call in log() 
 2. Enable it 
 3. Transfer a file over any protocol other than HTTP, i.e. ftp://ftp.cisco.com/pub/mibs/README-MIB.txt 

 Thanks, 
  Elazar

Back

Project

General

Profile

Suricata

Bug #2498