Project

General

Profile

Actions
Copy link

Bug #3349

closed

Suricata 5.0 crashes while rule reload

Added by haiwei liu almost 5 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
5.0.0
Effort:
Difficulty:
Label:

Description

Suricata 5.0 crashes while rule reload and performing flow detect.

Backtrace

#0  0x00007fb6ce86e337 in raise () from /lib64/libc.so.6
#1  0x00007fb6ce86fa28 in abort () from /lib64/libc.so.6
#2  0x00007fb6ce8b0e87 in __libc_message () from /lib64/libc.so.6
#3  0x00007fb6ce8b9679 in _int_free () from /lib64/libc.so.6
#4  0x00000000004aa43f in DetectEngineThreadCtxFree (det_ctx=0x7fb6a4a96ce0) at detect-engine.c:2559
#5  0x00000000004ad8f7 in DetectEngineThreadCtxDeinit (tv=<optimized out>, data=0x7fb6a4a96ce0) at detect-engine.c:2604
#6  0x00000000004ae090 in DetectEngineReloadThreads (new_de_ctx=new_de_ctx@entry=0xa8dcf20) at detect-engine.c:1543
#7  0x00000000004b1890 in DetectEngineReload (suri=suri@entry=0xa81100 <suricata>) at detect-engine.c:3681
#8  0x000000000041fd55 in SuricataMainLoop (suri=<optimized out>) at suricata.c:2860
#9  main (argc=<optimized out>, argv=<optimized out>) at suricata.c:3021

reason:

InspectionBuffer *InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
{
    InspectionBuffer *buffer = &det_ctx->inspect.buffers[list_id];
    if (buffer->inspect == NULL) {
        det_ctx->inspect.to_clear_queue[det_ctx->inspect.to_clear_idx++] = list_id;
    }
    return buffer;
}

The size of det_ctx->inspect.to_clear_idx will exceed det_ctx->inspect.buffers_size during run, resulting in memory out of bounds.

Actions
Copy link

Also available in: Atom PDF