Project

General

Profile

Actions

Bug #21

closed

Segv when trying processing rule with http_cookie modifier but no cookie header present in packet.

Added by Will Metcalf about 15 years ago. Updated almost 15 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using the following rule the engine segvs when processing the attached pcap when no cookie header is present in the packet.

Rule:
alert tcp $EXTERNAL_NET any -> 10.1.60.187 $HTTP_PORTS (msg:"test cookie parse"; uricontent:"/blah"; nocase; content:"blah="; nocase; http_cookie; sid:1; rev:1;)

Request:
GET / HTTP/1.0

User-Agent: check_http/v2053 (nagios-plugins 1.4.13)

Connection: close

Host: www.usma.bluenet

HTTP/1.1 302 Found

Date: Mon, 20 Apr 2009 11:29:31 GMT

Server: Apache

Location: https://www.usma.bluenet/

Content-Length: 209

Connection: close

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.usma.bluenet/&quot;&gt;here&lt;/a&gt;.&lt;/p>
</body></html>

Backtrace:
#0 0x00000000004474e6 in DetectHttpCookieMatch (t=0x2cb4040, det_ctx=0x2cb48e0, f=0x2a63ae0, flags=4 '\004', state=0x5489e70, s=0x2ec2e90, m=0x2ec51c0) at detect-http-cookie.c:90
90 if (BinSearch(bstr_ptr(h->value), bstr_size(h->value), co->data,
(gdb) bt full
#0 0x00000000004474e6 in DetectHttpCookieMatch (t=0x2cb4040, det_ctx=0x2cb48e0, f=0x2a63ae0, flags=4 '\004', state=0x5489e70, s=0x2ec2e90, m=0x2ec51c0) at detect-http-cookie.c:90
co = 0x2ec52f0
htp_state = 0x5489e70
ret = 0
tx = 0x5492ed0
h = 0x0
#1 0x000000000041991e in SigMatchSignaturesAppLayer (th_v=0x2cb4040, de_ctx=0x2c868e0, det_ctx=0x2cb48e0, sgh=0x3002b00, p=0x26116b0) at detect.c:527
match = 1
fmatch = 0
s = 0x2ec2e90
sm = 0x2ec51c0
idx = 4
sig = 4
flags = 4 '\004'
alstate = 0x5489e70
#2 0x000000000041a2b3 in SigMatchSignatures (th_v=0x2cb4040, de_ctx=0x2c868e0, det_ctx=0x2cb48e0, p=0x26116b0) at detect.c:786
match = 0
fmatch = 0
s = 0x2ec2e90
sm = 0x0
idx = 5
sig = 4
#3 0x000000000041a35a in Detect (tv=0x2cb4040, p=0x26116b0, data=0x2cb48e0, pq=0x2cb4140) at detect.c:823
det_ctx = 0x2cb48e0
de_ctx = 0x2c868e0
r = 0
#4 0x0000000000468417 in TmThreadsSlot1 (td=0x2cb4040) at tm-threads.c:325
tv = 0x2cb4040
s = 0x2cb4110
p = 0x26116b0
run = 1 '\001'
r = TM_ECODE_OK
#5 0x00007fb56dfaca04 in start_thread (arg=<value optimized out>) at pthread_create.c:300
__res = <value optimized out>
pd = 0x7fb56bacb910
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140417172289808, -9120112120825613096, 140734225592752, 0, 0, 3, 9080397050194195672, 9080384591862199512}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <value optimized out>
robust = <value optimized out>
#6 0x00007fb56d8c77bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#7 0x0000000000000000 in ?? ()
No symbol table info available.


Files

itoc-http-nocookie.pcap (1.35 KB) itoc-http-nocookie.pcap http session from ITOC pcap no cookie Will Metcalf, 12/24/2009 03:29 PM
0001-bug-21-fixing-patch.patch (3.9 KB) 0001-bug-21-fixing-patch.patch Gurvinder Singh, 12/24/2009 08:00 PM
Actions

Also available in: Atom PDF