Bug #2437
Closed
rust/dns: Core Dump with malformed traffic
Description
Experiencing a panic with malformed DNS traffic. Here's the relevant trace data. Looking at dns.rs, nothing really jumps out at me that seems like it'd cause a panic here.
I'll keep digging and see if I can come up with anything further.
#10 0x000000000070d637 in core::panicking::panic () at /checkout/src/libcore/panicking.rs:51
No locals.
#11 0x00000000006028ff in suricata::dns::dns::{{impl}}::set_event (self=0x7fb97edc9ec0, event=MalformedData) at src/dns/dns.rs:358
        tx = 0x7fb97c9ada98
        len = 2
        self = 0x7fb97edc9ec0
        event = MalformedData
#12 0x000000000060383b in suricata::dns::dns::{{impl}}::parse_response (self=0x7fb97edc9ec0, input=...) at src/dns/dns.rs:421
        response = {header = {tx_id = 55792, flags = 31898, questions = 32697, answer_rr = 0, authority_rr = 56128, additional_rr = 31898}, queries = {buf = {ptr = {pointer = {__0 = 0x2}, _marker = {<No data fields>}}, cap = 140434636200768, a = {<No data fields>}}, len = 140434810584624}, answers = {buf = {ptr = {pointer = {__0 = 0x6010bd <core::slice::{{impl}}::iter_mut<suricata::dns::dns::DNSTransaction>+269>}, _marker = {<No data fields>}}, cap = 140434810584736, a = {<No data fields>}}, len = 6630918}, authorities = { buf = {ptr = {pointer = {__0 = 0x2}, _marker = {<No data fields>}}, cap = 140434636200432, a = {<No data fields>}}, len = 140434636200432}}
        self = 0x7fb97edc9ec0
        input = {data_ptr = 0x7fb9fc0217b6 "\230A\250\a", length = 512}
#13 0x000000000060496c in suricata::dns::dns::rs_dns_parse_response (_flow=0x7fb76d3ecfe0, state=0x7fb97edc9ec0, _pstate=0x7fb97da33990, input=0x7fb9fc0217b6 "\230A\250\a", input_len=512, _data=0x0) at src/dns/dns.rs:613
        buf = {data_ptr = 0x7fb9fc0217b6 "\230A\250\a", length = 512}
        _flow = 0x7fb76d3ecfe0
        state = 0x7fb97edc9ec0
        _data = 0x0
        _pstate = 0x7fb97da33990
        input = 0x7fb9fc0217b6 "\230A\250\a"
        input_len = 512
Updated by Jason Ish over 6 years ago
Do you have a pcap that demonstrates this?
Thanks.
Updated by Nick Price over 6 years ago
Haven't been able to get one thus far because I only have a four-hour window and this happened overnight, but I'm going to keep my eye on it and try to pull pcaps if I see it fall over again.
Updated by Jason Ish over 6 years ago
Did you get a panic message? Something like:
thread '<unnamed>' panicked at 'attempt to add with overflow', src/dns/dns.rs:358:9
An overflow is the only case I can think of that would cause a panic at this line.
Updated by Jason Ish over 6 years ago
Nick, after some further thought, you must be seeing a lot of malformed DNS traffic as it's hitting 65k per DNS state. If you are able to, even if privately, I'm wondering if you could share a sample of your DNS traffic for testing. Maybe it's not corrupt and has just been decoded as corrupt. Or it could actually be corrupt, or something that's not DNS, but looks close enough to trigger the parser.
Updated by Jason Ish over 6 years ago
- Status changed from New to Assigned
- Assignee set to Jason Ish
Updated by Victor Julien over 6 years ago
- Description updated (diff)
- Target version set to 4.1beta1
Updated by Victor Julien over 6 years ago
- Subject changed from Core Dump with malformed DNS traffic to rust/dns: Core Dump with malformed traffic
Updated by Victor Julien over 6 years ago
- Status changed from Assigned to Closed
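
Added example, not part of the ticket thread and not Suricata's code: a per-state event counter that stays panic-free when malformed input pushes it to its maximum, the "attempt to add with overflow" case discussed above. `ParserState`, its fields and the body of `set_event` are hypothetical, and the 16-bit counter width is an assumption based on the "65k per DNS state" remark.

```rust
// Hypothetical per-flow parser state; the names are illustrative only.
#[derive(Default)]
struct ParserState {
    events: u16,         // assumed 16-bit per-state event counter
    dropped_events: u64, // events seen after the counter was already full
}

impl ParserState {
    /// The value a plain `self.events += 1` would store next.
    /// `None` marks the point where that `+=` panics in a build with
    /// overflow checks enabled (and silently wraps to 0 without them).
    fn next_count(&self) -> Option<u16> {
        self.events.checked_add(1)
    }

    /// Record one event without ever panicking: count it if there is room,
    /// otherwise pin the counter at u16::MAX and note that an event was dropped.
    /// Returns true when the event was counted.
    fn set_event(&mut self) -> bool {
        match self.events.checked_add(1) {
            Some(n) => {
                self.events = n;
                true
            }
            None => {
                self.dropped_events += 1;
                false
            }
        }
    }
}

/// Simulate `n` malformed messages arriving on one state (constructed input).
fn feed_malformed(state: &mut ParserState, n: u32) -> (u16, u64) {
    for _ in 0..n {
        state.set_event();
    }
    (state.events, state.dropped_events)
}

fn main() {
    let mut st = ParserState::default();
    let (events, dropped) = feed_malformed(&mut st, 70_000);
    println!("events={} dropped={} next={:?}", events, dropped, st.next_count());
}
```

The dropped-event count keeps the overflow visible to whoever monitors the parser instead of hiding it behind a wrapped or frozen counter.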