Bug #1930
closed
Segfault when event rule is invalid
Description
With current git (7e54ee7d0e7dac51c7436724961fdba78af85561) + my patches, I see a segfault when starting Suricata, if a rules file contains an event rule with the wrong event name.
For example, the following rule
alert rust any any -> any any (msg:"Rust TLS record overflow"; flow:established; app-layer-event:rust.record_overfow; flowint:rust.anomaly.count,+,1; classtype:protocol-command-decode; sid:123461; rev:1;)
(note the typo on overflow)
Causes the following backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x000003a730fcfcb7 in ?? ()
(gdb) bt
#0 0x000003a730fcfcb7 in ?? ()
#1 0x0000000000555a44 in SCMapEnumNameToValue (enum_name=enum_name@entry=0x4ec70a5 "record_overfow", table=0x7f1000 <_rcfg>, table@entry=0x7f0fa0 <rust_decoder_event_table>) at util-enum.c:50
#2 0x000000000043253d in RustStateGetEventInfo (event_name=0x4ec70a5 "record_overfow", event_id=0x3c5e77f77fc, event_type=0x3c5e77f807c) at app-layer-rust.c:176
#3 0x000000000045248e in DetectAppLayerEventParseAppP2 (data=0x4ec7080, ipproto_bitarray=ipproto_bitarray@entry=0x4ec6a92 "@", event_type=event_type@entry=0x3c5e77f807c) at detect-app-layer-event.c:211
#4 0x000000000045274e in DetectAppLayerEventSetupP2 (sm=0x4ec70c0, s=0x4ec6a80) at detect-app-layer-event.c:284
#5 DetectAppLayerEventPrepare (s=s@entry=0x4ec6a80) at detect-app-layer-event.c:366
...
If I fix the typo, or remove the rule, no problem.
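In frame #1 of the backtrace, `table` entered SCMapEnumNameToValue as rust_decoder_event_table and pointed into _rcfg at the time of the crash, which is consistent with a lookup loop walking past a table that has no terminating entry; the report itself does not state the cause. The added example below (not Suricata code and not from the reporter; all type, function and table names are hypothetical, and the tables are constructed) shows a sentinel-terminated lookup next to a length-bounded one that returns -1 for an unknown name such as the misspelled record_overfow.

```c
#include <stddef.h>
#include <strings.h>

/* Hypothetical name/value pair; a table of these is expected to end
 * with a { NULL, -1 } sentinel row. */
typedef struct {
    const char *name;
    int value;
} EventMap;

/* Constructed sample table with the terminating sentinel present. */
static const EventMap sample_events[] = {
    { "record_overflow", 0 },
    { "invalid_record_type", 1 },
    { NULL, -1 },
};

/* Constructed sample table with the sentinel forgotten. */
static const EventMap unterminated[] = {
    { "record_overflow", 0 },
    { "invalid_record_type", 1 },
};

/* Sentinel-driven lookup: stops only when it sees name == NULL.
 * On a table without a terminator, an unknown name makes this loop
 * read past the array into whatever object follows it. */
int map_name_to_value(const char *name, const EventMap *table)
{
    if (name == NULL || table == NULL)
        return -1;
    for (; table->name != NULL; table++) {
        if (strcasecmp(table->name, name) == 0)
            return table->value;
    }
    return -1; /* unknown name: the caller should reject the rule */
}

/* Bounded lookup: the element count caps the walk, so a missing
 * sentinel cannot turn an unknown name into an out-of-bounds read. */
int map_name_to_value_n(const char *name, const EventMap *table, size_t n)
{
    if (name == NULL || table == NULL)
        return -1;
    for (size_t i = 0; i < n && table[i].name != NULL; i++) {
        if (strcasecmp(table[i].name, name) == 0)
            return table[i].value;
    }
    return -1;
}
```

Only the bounded function is safe to call on `unterminated`; pass `sizeof(unterminated) / sizeof(unterminated[0])` as the count.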