Bug #21
Closed
Segv when trying to process rule with http_cookie modifier but no cookie header present in packet.
Description
Using the following rule the engine segvs when processing the attached pcap when no cookie header is present in the packet.
Rule:
alert tcp $EXTERNAL_NET any -> 10.1.60.187 $HTTP_PORTS (msg:"test cookie parse"; uricontent:"/blah"; nocase; content:"blah="; nocase; http_cookie; sid:1; rev:1;)
Request:
GET / HTTP/1.0
User-Agent: check_http/v2053 (nagios-plugins 1.4.13)
Connection: close
Host: www.usma.bluenet

Response:
HTTP/1.1 302 Found
Date: Mon, 20 Apr 2009 11:29:31 GMT
Server: Apache
Location: https://www.usma.bluenet/
Content-Length: 209
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.usma.bluenet/">here</a>.</p>
</body></html>
Backtrace:
#0 0x00000000004474e6 in DetectHttpCookieMatch (t=0x2cb4040, det_ctx=0x2cb48e0, f=0x2a63ae0, flags=4 '\004', state=0x5489e70, s=0x2ec2e90, m=0x2ec51c0) at detect-http-cookie.c:90
90 if (BinSearch(bstr_ptr(h->value), bstr_size(h->value), co->data,
(gdb) bt full
#0 0x00000000004474e6 in DetectHttpCookieMatch (t=0x2cb4040, det_ctx=0x2cb48e0, f=0x2a63ae0, flags=4 '\004', state=0x5489e70, s=0x2ec2e90, m=0x2ec51c0) at detect-http-cookie.c:90
co = 0x2ec52f0
htp_state = 0x5489e70
ret = 0
tx = 0x5492ed0
h = 0x0
#1 0x000000000041991e in SigMatchSignaturesAppLayer (th_v=0x2cb4040, de_ctx=0x2c868e0, det_ctx=0x2cb48e0, sgh=0x3002b00, p=0x26116b0) at detect.c:527
match = 1
fmatch = 0
s = 0x2ec2e90
sm = 0x2ec51c0
idx = 4
sig = 4
flags = 4 '\004'
alstate = 0x5489e70
#2 0x000000000041a2b3 in SigMatchSignatures (th_v=0x2cb4040, de_ctx=0x2c868e0, det_ctx=0x2cb48e0, p=0x26116b0) at detect.c:786
match = 0
fmatch = 0
s = 0x2ec2e90
sm = 0x0
idx = 5
sig = 4
#3 0x000000000041a35a in Detect (tv=0x2cb4040, p=0x26116b0, data=0x2cb48e0, pq=0x2cb4140) at detect.c:823
det_ctx = 0x2cb48e0
de_ctx = 0x2c868e0
r = 0
#4 0x0000000000468417 in TmThreadsSlot1 (td=0x2cb4040) at tm-threads.c:325
tv = 0x2cb4040
s = 0x2cb4110
p = 0x26116b0
run = 1 '\001'
r = TM_ECODE_OK
#5 0x00007fb56dfaca04 in start_thread (arg=<value optimized out>) at pthread_create.c:300
__res = <value optimized out>
pd = 0x7fb56bacb910
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140417172289808, -9120112120825613096, 140734225592752, 0, 0, 3, 9080397050194195672, 9080384591862199512}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <value optimized out>
robust = <value optimized out>
#6 0x00007fb56d8c77bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#7 0x0000000000000000 in ?? ()
No symbol table info available.
Updated by Gurvinder Singh about 15 years ago
- File 0001-bug-21-fixing-patch.patch added
- Status changed from New to Resolved
- Assignee changed from OISF Dev to Gurvinder Singh
- Estimated time changed from 2.50 h to 1.00 h
The bug was caused because the value given to BinSearch was NULL, due to the absence of a Cookie header in the message. The code has been updated and a unit test has been added to test this condition.
Updated by Victor Julien almost 15 years ago
- Status changed from Resolved to Closed
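
The crash in frame #0 (h = 0x0, followed by a read of h->value) and the fix described in the update above come down to treating a missing Cookie header as a non-match before the value is searched. The following is an added example, not the attached patch or the engine's own code: header_t, tx_t, header_get and cookie_match are hypothetical stand-ins, and the sample headers are constructed from the request in the report.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-ins for parsed HTTP headers; not libhtp's own types. */
typedef struct { const char *name; const char *value; size_t value_len; } header_t;
typedef struct { const header_t *headers; size_t count; } tx_t;
#define HDR(n, v) { (n), (v), sizeof(v) - 1 }

/* Case-insensitive lookup by name; returns NULL when the header is absent. */
static const header_t *header_get(const tx_t *tx, const char *name)
{
    for (size_t i = 0; i < tx->count; i++)
        if (strcasecmp(tx->headers[i].name, name) == 0)
            return &tx->headers[i];
    return NULL;
}

/* Returns 1 if the Cookie header value contains pat, 0 otherwise. A missing
 * Cookie header is a non-match. Dropping the h == NULL check reproduces the
 * state in frame #0 of the backtrace (h = 0x0, then h->value is read). */
int cookie_match(const tx_t *tx, const char *pat, size_t pat_len)
{
    const header_t *h = header_get(tx, "Cookie");
    if (h == NULL || h->value == NULL || pat_len == 0)
        return 0;
    for (size_t i = 0; i + pat_len <= h->value_len; i++)
        if (memcmp(h->value + i, pat, pat_len) == 0) /* case-sensitive for brevity */
            return 1;
    return 0;
}

/* Constructed sample 1: the headers of the request quoted in the report. */
const header_t no_cookie_hdrs[] = {
    HDR("User-Agent", "check_http/v2053 (nagios-plugins 1.4.13)"),
    HDR("Connection", "close"),
    HDR("Host", "www.usma.bluenet"),
};
const tx_t tx_no_cookie = { no_cookie_hdrs, 3 };
/* Constructed sample 2: a made-up Cookie header added to the same host. */
const header_t cookie_hdrs[] = { HDR("Host", "www.usma.bluenet"), HDR("Cookie", "session=1; blah=42") };
const tx_t tx_with_cookie = { cookie_hdrs, 2 };

int main(void)
{
    printf("no Cookie: %d, Cookie present: %d\n",
           cookie_match(&tx_no_cookie, "blah=", 5), cookie_match(&tx_with_cookie, "blah=", 5));
    return 0;
}
```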