Project

General

Profile

Actions
Copy link

Bug #1930

closed

Segfault when event rule is invalid

Added by Pierre Chifflier about 8 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Pierre Chifflier
Target version:
4.0rc1
Affected Versions:
Effort:
Difficulty:
Label:

Description

With current git (7e54ee7d0e7dac51c7436724961fdba78af85561) + my patches, I see a segfault when starting suricata, if a rules files contains an event rule with the wrong event name.
For ex, the following rule

alert rust any any -> any any (msg:"Rust TLS record overflow"; flow:established; app-layer-event:rust.record_overfow; flowint:rust.anomaly.count,+,1; classtype:protocol-command-decode; sid:123461; rev:1;)

(note the typo on overflow)

Causes the following backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000003a730fcfcb7 in ?? ()
(gdb) bt
#0  0x000003a730fcfcb7 in ?? ()
#1  0x0000000000555a44 in SCMapEnumNameToValue (enum_name=enum_name@entry=0x4ec70a5 "record_overfow", 
    table=0x7f1000 <_rcfg>, table@entry=0x7f0fa0 <rust_decoder_event_table>) at util-enum.c:50
#2  0x000000000043253d in RustStateGetEventInfo (event_name=0x4ec70a5 "record_overfow", event_id=0x3c5e77f77fc, 
    event_type=0x3c5e77f807c) at app-layer-rust.c:176
#3  0x000000000045248e in DetectAppLayerEventParseAppP2 (data=0x4ec7080, 
    ipproto_bitarray=ipproto_bitarray@entry=0x4ec6a92 "@", event_type=event_type@entry=0x3c5e77f807c)
    at detect-app-layer-event.c:211
#4  0x000000000045274e in DetectAppLayerEventSetupP2 (sm=0x4ec70c0, s=0x4ec6a80) at detect-app-layer-event.c:284
#5  DetectAppLayerEventPrepare (s=s@entry=0x4ec6a80) at detect-app-layer-event.c:366
...

If I fix the typo, or remove the rule, no problem.

Actions
Copy link
 #1

Updated by Victor Julien about 8 years ago

Can reproduce this in master? So w/o your patches? I tried it with a http event and it didn't crash or lead to memory issues.

Actions
Copy link
 #2

Updated by Pierre Chifflier about 8 years ago

Ok, I had some time to re-run the test under a debugger.
The issue itself is pretty simple: the event table is not NULL-terminated, which explains the segfault.

There is something that could be fixed though: this comes directly from the template app-layer, which isn't NULL-terminated.

I sent a pull-request (2374) with a trivial fix.

Actions
Copy link
 #3

Updated by Andreas Herz about 8 years ago

  • Assignee set to Pierre Chifflier
  • Target version set to 70

Please put a link to the PR in the future :) thanks

https://github.com/inliniac/suricata/pull/2374

Actions
Copy link
 #4

Updated by Victor Julien over 7 years ago

  • Status changed from New to Closed
  • Target version changed from 70 to 4.0rc1
Actions
Copy link

Also available in: Atom PDF