Bug #3448

closed

Suricata 4.1 Seg Fault: Socket Control pcap-file and corrupt pcap

Added by David Wharton almost 5 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort: low
Difficulty: low
Label:

Description

Suricata 4.1 (tested on 4.1.5 and 4.1.6) seg faults when using socket control, and sending the "pcap-file" command with a bad pcap. In particular the issue has been observed when the provided pcap file is not a valid pcap file (but is an existing file). Suricata 5 (tested on 5.0.1) seems not to demonstrate this issue; also tested on Suricata 4.0.7 and didn't have the issue.

To reproduce:

1. Start Suricata in Unix socket mode:

$ suricata -c suricata.yaml -k none --runmode single --unix-socket=/opt/suri.socket

2. Use suricatasc to connect to socket and issue 'pcap-file' command, giving it a file that is not a valid pcap:

$ echo "pwn" > /tmp/not-a-pcap.pcap
$ suricatasc /opt/suri.socket      
Command list: shutdown, command-list, help, version, uptime, running-mode, capture-mode, conf-get, dump-counters, reload-rules, ruleset-reload-rules, ruleset-reload-nonblocking, ruleset-reload-time, ruleset-stats, ruleset-failed-rules, register-tenant-handler, unregister-tenant-handler, register-tenant, reload-tenant, unregister-tenant, add-hostbit, remove-hostbit, list-hostbit, reopen-log-files, memcap-set, memcap-show, memcap-list, pcap-file, pcap-file-continuous, pcap-file-number, pcap-file-list, pcap-last-processed, pcap-interrupt, pcap-current, quit
>>> pcap-file /tmp/not-a-pcap.pcap /tmp/
Success:
"Successfully added file to list" 

3. Observe Suricata seg fault. GDB output:

Thread 3 "W#01" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f6739ed8700 (LWP 156)]
UnixSocketPcapFile (tm=tm@entry=TM_ECODE_FAILED, last_processed=last_processed@entry=0x0) at runmode-unix-socket.c:605
605        unix_manager_pcap_last_processed.tv_sec = last_processed->tv_sec;
(gdb) bt
#0  UnixSocketPcapFile (tm=tm@entry=TM_ECODE_FAILED, last_processed=last_processed@entry=0x0) at runmode-unix-socket.c:605
#1  0x000055b15fe2cb3c in InitPcapFile (pfv=pfv@entry=0x7f672c49cba0) at source-pcap-file-helper.c:178
#2  0x000055b15fe27d89 in ReceivePcapFileThreadInit (tv=0x7f673593a0c0, initdata=0x7f6734000c60, data=0x7f6739ed73e8)
    at source-pcap-file.c:269
#3  0x000055b15fe48fd9 in TmThreadsSlotPktAcqLoop (td=0x7f673593a0c0) at tm-threads.c:330
#4  0x00007f673c0106db in start_thread (arg=0x7f6739ed8700) at pthread_create.c:463
#5  0x00007f673b47488f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb) continue
Continuing.
[Thread 0x7f6739ed8700 (LWP 156) exited]
[Thread 0x7f673a6d9700 (LWP 154) exited]

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb) 
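
A client-side guard for the condition in this report, added here as an example (it is not part of the original report or of Suricata's code): it checks the capture header before a path is handed to the "pcap-file" command. The function name check_capture is hypothetical; the magic values are those of the libpcap and pcapng file formats, and the check is deliberately conservative.

```python
import struct

# Leading bytes of the capture formats libpcap reads, mapped to struct byte order.
CLASSIC_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # 0xa1b2c3d4, microsecond timestamps, little-endian
    b"\xa1\xb2\xc3\xd4": ">",  # same, big-endian
    b"\x4d\x3c\xb2\xa1": "<",  # 0xa1b23c4d, nanosecond timestamps, little-endian
    b"\xa1\xb2\x3c\x4d": ">",  # same, big-endian
}
PCAPNG_BLOCK_TYPE = b"\x0a\x0d\x0d\x0a"  # Section Header Block type
PCAPNG_BYTE_ORDER = (b"\x4d\x3c\x2b\x1a", b"\x1a\x2b\x3c\x4d")  # 0x1a2b3c4d
CLASSIC_HEADER_LEN = 24  # size of the classic pcap global header


def check_capture(path):
    """Return (ok, detail) for the file that would be passed to pcap-file."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(CLASSIC_HEADER_LEN)
    except OSError as exc:
        return False, f"cannot read file: {exc.strerror}"
    magic = head[:4]
    if magic == PCAPNG_BLOCK_TYPE:
        # Block type (4) + block length (4) + byte-order magic (4)
        if head[8:12] not in PCAPNG_BYTE_ORDER:
            return False, "pcapng block type without a valid byte-order magic"
        return True, "pcapng"
    order = CLASSIC_MAGICS.get(magic)
    if order is None:
        return False, "unrecognised magic number"
    if len(head) < CLASSIC_HEADER_LEN:
        return False, "truncated pcap global header"
    major, _minor = struct.unpack(order + "HH", head[4:8])
    if major != 2:
        return False, f"unsupported pcap version {major}"
    return True, "pcap"


if __name__ == "__main__":
    import sys
    # Usage: python check_capture.py FILE [FILE ...]; exit status 1 if any fails.
    results = [(p, *check_capture(p)) for p in sys.argv[1:]]
    for p, ok, detail in results:
        print(f"{'OK ' if ok else 'BAD'} {p}: {detail}")
    sys.exit(0 if all(ok for _, ok, _ in results) else 1)
```

The check reads only the file header, so a capture with a valid header and damaged packet records still passes it.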

Related issues: 1 (0 open, 1 closed)

Related to Suricata - Bug #1694: unix-socket reading 0 size pcap (Closed; Danny Browning)