Project

General

Profile

Actions

Bug #2078

closed

http body handling: failed assertion

Added by Jorgen Bohnsdalen almost 8 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I have a pcap which crashes Suricata (3.2.1 and latest in master). Log files are produced but the process dies - this happens both when running suricata with the -r flag and the pcap and when running in unix socket mode.

I can provide the pcap upon request.

Output from the console:

suricata: detect-engine-hsbd.c:190: DetectEngineHSBDGetBufferForTX: Assertion `!(htud->response_body.content_len_so_far < htud->response_body.body_inspected)' failed.
zsh: abort (core dumped)  suricata -c suricata.yaml -l /tmp/ -r 

Build info:

This is Suricata version 4.0dev (rev 6307890)
Features: DEBUG PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_LIBJANSSON TLS MAGIC 
SIMD support: SSE_4_2 SSE_4_1 SSE_3 
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 6.3.1 20161221 (Red Hat 6.3.1-1), C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.23, linked against LibHTP v0.5.23

Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libnss support:                          no
  libnspr support:                         no
  libjansson support:                      yes
  hiredis support:                         no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             no
  libluajit:                               no
  libgeoip:                                no
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no
  Hyperscan support:                       no
  Libnet support:                          no

  Suricatasc install:                      yes

  Profiling enabled:                       no
  Profiling locks enabled:                 no

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    yes
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /usr/local
  Configuration directory:                 /usr/local/etc/suricata/
  Log directory:                           /usr/local/var/log/suricata/

  --prefix                                 /usr/local
  --sysconfdir                             /usr/local/etc
  --localstatedir                          /usr/local/var

  Host:                                    x86_64-unknown-linux-gnu
  Compiler:                                gcc (exec name) / gcc (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -march=native
  PCAP_CFLAGS                               
  SECCFLAGS 
Actions #1

Updated by Victor Julien almost 8 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version set to 70
Actions #2

Updated by Victor Julien over 7 years ago

This happens when the libhtp settings contain:

           # Can be specified in kb, mb, gb.  Just a number indicates
           # it's in bytes.
           request-body-limit: 0
           response-body-limit: 0

           # inspection limits
           request-body-minimal-inspect-size: 0
           request-body-inspect-window: 0
           response-body-minimal-inspect-size: 0
           response-body-inspect-window: 0

Actions #3

Updated by Victor Julien over 7 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 4.0beta1
Actions #4

Updated by Victor Julien over 7 years ago

  • Subject changed from Suricata core dumps after failed assertion to http body handling: failed assertion
Actions

Also available in: Atom PDF