Actions
Bug #2498
closedLua file output script causes a segfault when protocol is not HTTP
Affected Versions:
Effort:
Difficulty:
Label:
Description
When Suricata is configured with a Lua output script that calls SCFileInfo(), any file that is transferred over any protocol other than HTTP causes Suricata to segfault. This is due to the fact that in output-lua.c/LuaFileLogger() around line 326, HTTP is the hard-coded protocol for a call to AppLayerParserGetTx(). This in turn triggers a non-existent index into htp_list_array_get() when the tx hasn't passed through libhtp - due to it being non-HTTP traffic.
(gdb) bt #0 0x00000371ad6d9a22 in htp_list_array_get (l=0x3719472da30, idx=<optimized out>) at htp_list.c:92 #1 0x0000000000482f02 in AppLayerParserGetTx (ipproto=<optimized out>, alproto=alproto@entry=1, alstate=alstate@entry=0x3719478aa80, tx_id=0) at app-layer-parser.c:979 #2 0x0000000000609b2d in LuaFileLogger (tv=0x7563590, thread_data=0x37194715a10, p=0x371944d8170, ff=0x3719482e330) at output-lua.c:326 #3 0x00000000005e3475 in OutputFileLogFfc (tv=tv@entry=0x7563590, op_thread_data=op_thread_data@entry=0x37194705990, p=p@entry=0x371944d8170, ffc=ffc@entry=0x37194798ea0, file_close=file_close@entry=false, file_trunc=file_trunc@entry=false) at output-file.c:130 #4 0x00000000005e3929 in OutputFileLog (tv=0x7563590, p=0x371944d8170, thread_data=0x37194705990) at output-file.c:179 #5 0x00000000005e247d in OutputLoggerLog (tv=tv@entry=0x7563590, p=p@entry=0x371944d8170, thread_data=<optimized out>) at output.c:917 #6 0x00000000005be547 in FlowWorker (tv=0x7563590, p=0x371944d8170, data=0x371944fea60, preq=0x689f070, unused=<optimized out>) at flow-worker.c:263 #7 0x00000000006b25bb in TmThreadsSlotVarRun (tv=tv@entry=0x7563590, p=p@entry=0x371944d8170, slot=slot@entry=0x431b140) at tm-threads.c:145 #8 0x0000000000634e1e in TmThreadsSlotProcessPkt (p=0x371944d8170, s=0x431b140, tv=0x7563590) at tm-threads.h:147 #9 AFPReadFromRing (ptv=0x371944d8b20) at source-af-packet.c:1011 #10 0x0000000000636845 in ReceiveAFPLoop (tv=0x7563590, data=0x371944d8b20, slot=<optimized out>) at source-af-packet.c:1559 #11 0x00000000006b3b3c in TmThreadsSlotPktAcqLoop (td=0x7563590) at tm-threads.c:348 #12 0x00000371ac1ec637 in start_thread () from /lib64/libpthread.so.0 #13 0x00000371a9386e8f in clone () from /lib64/libc.so.6
Steps to reproduce:
1. Build a (skeleton) Lua output script containing an SCFileInfo() call in log()
2. Enable it
3. Transfer a file over any protocol other than HTTP, i.e. ftp://ftp.cisco.com/pub/mibs/README-MIB.txt
Thanks,
Elazar
Actions