Bug #2288
closed
Suricata segfaults on ICMP and flowint check
Added by Edward Fjellskål almost 7 years ago.
Updated almost 7 years ago.
Description
Using only this rule on Suricata v3.2.3, v4.0.0 and v4.0.1 :
alert icmp any any -> any any (msg:"Dump Core!"; flowint:segfault,isset; classtype:trojan-activity; sid:31337; rev:1337;)
Parsing a pcap with icmp traffic makes suricata segfault:
suricata: line 10: 28912 Segmentation fault (core dumped) $BIN $OPTS -c $CONF -r $1
Compiled:
$ ./configure --prefix=/somepath/ --enable-profiling --enable-lua
Running:
$ ./path/to/suricata -c suricata.yaml -r icmp.pcap
ASAN:SIGSEGV
=================================================================
==62358==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000c0 (pc 0x000000d74332 bp 0x7fe23f1e0ba0 sp 0x7fe23f1e0b80 T1)
#0 0xd74331 in FlowVarGet /home/victor/devel/eidps/src/flow-var.c:77
#1 0xb5a0c0 in DetectFlowintMatch /home/victor/devel/eidps/src/detect-flowint.c:128
#2 0x80078a in SigMatchSignatures /home/victor/devel/eidps/src/detect.c:1329
#3 0x801f4c in DetectNoFlow /home/victor/devel/eidps/src/detect.c:1524
#4 0x8028d2 in Detect /home/victor/devel/eidps/src/detect.c:1584
#5 0xd7876b in FlowWorker /home/victor/devel/eidps/src/flow-worker.c:257
#6 0x108c18a in TmThreadsSlotVarRun /home/victor/devel/eidps/src/tm-threads.c:130
#7 0xef78c8 in TmThreadsSlotProcessPkt /home/victor/devel/eidps/src/tm-threads.h:147
#8 0xef89c3 in PcapFileCallbackLoop /home/victor/devel/eidps/src/source-pcap-file.c:178
#9 0x7fe24634fac3 (/usr/lib/x86_64-linux-gnu/libpcap.so.0.8+0x1eac3)
#10 0xef914a in ReceivePcapFileLoop /home/victor/devel/eidps/src/source-pcap-file.c:211
#11 0x108df10 in TmThreadsSlotPktAcqLoop /home/victor/devel/eidps/src/tm-threads.c:334
#12 0x7fe2458e76b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#13 0x7fe2449e73dc in clone (/lib/x86_64-linux-gnu/libc.so.6+0x1073dc)
- Target version set to TBD
- Status changed from New to Assigned
- Target version changed from TBD to 4.1beta1
- Status changed from Assigned to Closed
Also available in: Atom
PDF