Project

General

Profile

Actions

Bug #3277

closed

segfault when test a nfs pcap file

Added by lei wang about 5 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi, everyone:

When I test a nfs pcap file, it make a segfault. Here's the detail.


It may test nfs with UDP protocol, but why crash in TcpSessionSetReassemblyDepth. This is very strange.

version info:
This is Suricata version 5.0.0 RELEASE
cargo 1.38.0 (23ef9a4ef 2019-08-20)
CentOS Linux release 7.6.1810 (Core)
Pcap file: nfsv2.pcap or https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=nfsv2.pcap.gz

May this report will help you to fix the bug.

Thanks and Regards.


Files

nfsv2.pcap (25.1 KB) nfsv2.pcap lei wang, 10/24/2019 09:34 AM
20191024173220944.jpg (4.47 KB) 20191024173220944.jpg lei wang, 10/24/2019 09:35 AM
20191024173148978.jpg (69.8 KB) 20191024173148978.jpg lei wang, 10/24/2019 09:35 AM

Related issues 1 (0 open1 closed)

Copied to Suricata - Bug #3278: segfault when test a nfs pcap file (4.1.x)ClosedVictor JulienActions
Actions #1

Updated by Victor Julien about 5 years ago

It crashes while evaluating a rule, do you know which rule? Can you share the filestore rules you use?

Actions #2

Updated by Victor Julien about 5 years ago

  • Target version set to 5.0.1

Ah never mind, I can reproduce it with

alert nfs any any -> any any (msg:"File found within NFS and stored"; filestore; sid:33; rev:1;)

from rules/files.rules.

Actions #3

Updated by Victor Julien about 5 years ago

  • Copied to Bug #3278: segfault when test a nfs pcap file (4.1.x) added
Actions #4

Updated by lei wang about 5 years ago

yes, as same as I test with this simple rule: "alert nfs any any -> any any (msg:"FILE store in NFS"; filestore; sid:3; rev:1;)".

Actions #5

Updated by Victor Julien about 5 years ago

Thanks. I've created a ticket for 4.1.x as well as it has the same issue (if RUST is enabled).

Actions #6

Updated by Victor Julien about 5 years ago

Can you try:

commit fdfc1715adc55f7e710bb6d5426a256c4d56199b (HEAD -> fix/nfs-filestore/v1)
Author: Victor Julien <victor@inliniac.net>
Date:   Thu Oct 24 14:51:48 2019 +0200

    filestore: don't assume flow is TCP

    Filestore can be used by UDP based protocols as well. NFSv2 is one
    that Suricata supports.

    Bug #3277.

diff --git a/src/detect-filestore.c b/src/detect-filestore.c
index a4bdc249d..c2d1340c2 100644
--- a/src/detect-filestore.c
+++ b/src/detect-filestore.c
@@ -209,10 +209,11 @@ static int DetectFilestorePostMatch(DetectEngineThreadCtx *det_ctx,
 #endif
     }

-    /* set filestore depth for stream reassembling */
-    TcpSession *ssn = (TcpSession *)p->flow->protoctx;
-    TcpSessionSetReassemblyDepth(ssn, FileReassemblyDepth());
-
+    if (p->proto == IPPROTO_TCP && p->flow->protoctx != NULL) {
+        /* set filestore depth for stream reassembling */
+        TcpSession *ssn = (TcpSession *)p->flow->protoctx;
+        TcpSessionSetReassemblyDepth(ssn, FileReassemblyDepth());
+    }
     if (p->flowflags & FLOW_PKT_TOCLIENT)
         flags |= STREAM_TOCLIENT;
     else

Actions #7

Updated by lei wang about 5 years ago

I test new version suricata with this fixed code just now. It work well. And I find the dump file with nfsv2.pcap and nfsv3.pcap. But please test more to make sure really no problem because I am a learner and know a little about it.

Actions #8

Updated by Victor Julien almost 5 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
Actions

Also available in: Atom PDF