Bug #205
closedSegv inside of DetectHttpMethodMatch() when processing the attached rule/pcap.
Description
Setting priority as high, currently all fuzzers blow up here...
ulimit -c unlimited; src/suricata -c suricata.yaml -r iCTF200725.httpparseerror.pcap -l ./ -s blah.rules
#0 0x0000000000480e78 in DetectHttpMethodMatch (t=0x19924e0, det_ctx=0x7fa774000fe0, f=0x167aea0, flags=64 '', state=0x7fa77400a3d0, s=0x1c6d710, sm=0x1c6dd90) at detect-http-method.c:107
', state=0x7fa77400a3d0, s=0x1c6d710, sm=0x1c6dd90) at detect-http-method.c:107
107 idx < list_size(hs->connp->conn->transactions); idx++)
(gdb) bt full
#0 0x0000000000480e78 in DetectHttpMethodMatch (t=0x19924e0, det_ctx=0x7fa774000fe0, f=0x167aea0, flags=64 '
idx = 0
data = 0x1c6e2e0
hs = 0x7fa77400a3d0
tx = 0x0
ret = 0
#1 0x000000000044df27 in DeStateDetectStartDetection (tv=0x19924e0, de_ctx=0x19882a0, det_ctx=0x7fa774000fe0, s=0x1c6d710, f=0x167aea0, flags=64 '', alstate=0x7fa77400a3d0, alproto=1) at detect-engine-state.c:348
'
sm = 0x1c6dd90
match = 0
r = 0
umatch = 0 '\000'
uinspect = 0 '\000'
dmatch = 0 '\000'
dinspect = 0 '\000'
appinspect = 0 '\000'
appmatch = 0 '\000'
#2 0x0000000000427e6c in SigMatchSignatures (th_v=0x19924e0, de_ctx=0x19882a0, det_ctx=0x7fa774000fe0, p=0x12cd170) at detect.c:939
match = 0
fmatch = 0
s = 0x1c6d710
sm = 0x0
idx = 0
alproto = 1
alstate = 0x7fa77400a3d0
flags = 64 '
cnt = 0
sgh = 0x0
use_flow_sgh = 0 '\000'
smsg = 0x0
no_store_flow_sgh = 0 '\000'
de_state_start = 1 '\001'
#3 0x0000000000428480 in Detect (tv=0x19924e0, p=0x12cd170, data=0x7fa774000fe0, pq=0x19925f0, postpq=0x1992668) at detect.c:1125
det_ctx = 0x7fa774000fe0
de_ctx = 0x19882a0
r = 0
#4 0x00000000004b6784 in TmThreadsSlot1 (td=0x19924e0) at tm-threads.c:371
tv = 0x19924e0
s = 0x19925c0
p = 0x12cd170
run = 1 '\001'
r = TM_ECODE_OK
#5 0x00007fa7860099ca in start_thread (arg=<value optimized out>) at pthread_create.c:300
res = <value optimized out>
pd = 0x7fa782c92710
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140357430486800, -5705563091241878573, 0, 0, 0, 0, 5737235229168548819, 5737243531514264531}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0,
cleanup = 0x0, canceltype = 0}}}
not_first_call = <value optimized out>
robust = <value optimized out>
freesize = <value optimized out>
__PRETTY_FUNCTION = "start_thread"
#6 0x00007fa7859186fd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#7 0x0000000000000000 in ?? ()
No symbol table info available.
Files
Updated by Victor Julien over 14 years ago
- Assignee changed from OISF Dev to Pablo Rincon
Updated by Victor Julien over 14 years ago
It appears that due to recent stream reassembly changes, in this pcap the toclient part of the stream is processed first, causing an error in the htp module. This leaves in the HtpState without a connp. The Http Method match function doesn't check this. Adding such a check won't hurt, but it's not the solution. We need to make sure the toclient part of the stream is not processed first.
Attached a new pcap with just one stream.
Updated by Victor Julien over 14 years ago
In stream-tcp-reassembly.c, StreamTcpReassembleHandleSegmentUpdateACK I added some code to force reassembly if the protocol isn't (yet) detected, but the session is shutting down already. I think we can solve the issue here by making sure that we do this in the to_server direction first.
So maybe adding a flag to the tcp session to indicate toserver traffic has been reassembled, and checking for that before we force the reassembly, will likely resolve this issue.
Updated by Victor Julien over 14 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
Issue fixed in current master, commit 4c94a27b71e1aeefa1dc8b017d96f9082e4cd550.
Thanks Pablo!