Bug #2274

closed

ParseSizeString in util-misc.c: Null-pointer dereference

Added by Wolfgang Hotwagner almost 7 years ago. Updated almost 7 years ago.

Status: Closed
Priority: Normal

Description

If someone accidentally writes invalid characters in some parts of the suricata.yaml-configfile, the size-parameter of the ParseSizeString-function becomes NULL and gets dereferenced. Suricata crashes with SEGV. Here is an example:

The following config value leads to a Segfault:
app-layer.protocols.smtp.inspected-tracker.content-inspect-window: *4096

This is the ASAN-Output:

ASAN:DEADLYSIGNAL
=================================================================
==16376==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff391ea3646 bp 0x7ffd38ec1300 sp 0x7ffd38ec0a88 T0)
    #0 0x7ff391ea3645 in strlen (/lib/x86_64-linux-gnu/libc.so.6+0x80645)
    #1 0x7ff3956baeec  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3beec)
    #2 0x5563ffcb566c in ParseSizeString /root/suricata-1/src/util-misc.c:78
    #3 0x5563ffcb6671 in ParseSizeStringU32 /root/suricata-1/src/util-misc.c:179
    #4 0x5563ff8c0d14 in SMTPConfigure /root/suricata-1/src/app-layer-smtp.c:316
    #5 0x5563ff8cde4b in RegisterSMTPParsers /root/suricata-1/src/app-layer-smtp.c:1687
    #6 0x5563ff8b26b7 in AppLayerParserRegisterProtocolParsers /root/suricata-1/src/app-layer-parser.c:1381
    #7 0x5563ff7f5dac in AppLayerSetup /root/suricata-1/src/app-layer.c:750
    #8 0x5563ffc2ca23 in PostConfLoadedSetup /root/suricata-1/src/suricata.c:2626
    #9 0x5563ffc2e4f2 in main /root/suricata-1/src/suricata.c:2892
    #10 0x7ff391e432b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #11 0x5563ff7d2d39 in _start (/usr/local/bin/suricata+0xc7d39)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x80645) in strlen
==16376==ABORTING
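
Added example, not part of the original report and not Suricata's code: a size-string parser that rejects a NULL input before touching it, which is the condition the trace above hits in strlen. The function names, the accepted kb/mb/gb suffixes and the return convention are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Case-insensitive match of a unit suffix against a lowercase unit name. */
static int unit_is(const char *s, const char *unit)
{
    for (; *s && *unit; s++, unit++)
        if (tolower((unsigned char)*s) != *unit)
            return 0;
    return *s == '\0' && *unit == '\0';
}

/* Hypothetical parser (not Suricata's ParseSizeString): accepts "4096",
 * "4kb", "1 MB", "2gb". Returns 0 on success, -1 on invalid input. */
int parse_size_u32(const char *size, uint32_t *out)
{
    /* A config lookup can hand back NULL; reject it before any
     * strlen-style access instead of crashing. */
    if (size == NULL || out == NULL)
        return -1;
    while (isspace((unsigned char)*size))
        size++;
    if (!isdigit((unsigned char)*size))  /* rejects "", "*4096", "-1" */
        return -1;

    errno = 0;
    char *end = NULL;
    unsigned long long n = strtoull(size, &end, 10);
    if (errno == ERANGE)
        return -1;
    while (isspace((unsigned char)*end))
        end++;

    unsigned long long mult = 1;
    if (unit_is(end, "kb"))      mult = 1024ULL;
    else if (unit_is(end, "mb")) mult = 1024ULL * 1024;
    else if (unit_is(end, "gb")) mult = 1024ULL * 1024 * 1024;
    else if (*end != '\0')       return -1;  /* trailing garbage */

    if (n > UINT32_MAX / mult)   /* result would not fit in 32 bits */
        return -1;
    *out = (uint32_t)(n * mult);
    return 0;
}
```

A caller that gets -1 back can log the offending config key and exit with a configuration error rather than a SEGV.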
