Bug #4476

heap-buffer-overflow WRITE in InspectionBufferSetup with use of InspectionBufferGetMulti

Added by Philippe Antoine over 3 years ago. Updated almost 3 years ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label: Needs backport to 5.0, Needs backport to 6.0

Description

Coming from https://github.com/OISF/suricata/pull/5622#discussion_r626686822

Reproducer is
./src/suricata -r mqtt_too_many_topics.pcap -S mqtt.rules -c suricata.yaml -k none -l log
with suricata.yaml enabling mqtt (--set app-layer.protocols.mqtt.enabled=yes)
with mqtt.rules being
alert mqtt any any -> any any (msg:"MQTT SUBSCRIBE topicY"; mqtt.subscribe.topic; content:"topicY"; sid:15;)

Stack trace is

==60789==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6150000216f0 at pc 0x0001024672b9 bp 0x700007c2a550 sp 0x700007c2a548
WRITE of size 4 at 0x6150000216f0 thread T2
    #0 0x1024672b8 in InspectionBufferSetup detect-engine.c:1068
    #1 0x1024fed37 in MQTTSubscribeTopicGetData detect-mqtt-subscribe-topic.c:86
    #2 0x1024fe98c in PrefilterTxMQTTSubscribeTopic detect-mqtt-subscribe-topic.c:158
    #3 0x102495e95 in DetectRunPrefilterTx detect-engine-prefilter.c:117
    #4 0x102424da5 in DetectRunTx detect.c:1327
    #5 0x1024229ff in DetectRun detect.c:136
    #6 0x102421d72 in Detect detect.c:1666
    #7 0x10256acdd in FlowWorker flow-worker.c:540
    #8 0x10265987d in TmThreadsSlotVarRun tm-threads.c:117
    #9 0x102661882 in TmThreadsSlotVar tm-threads.c:452
    #10 0x7fff5e67b660 in _pthread_body (libsystem_pthread.dylib:x86_64+0x3660)
    #11 0x7fff5e67b50c in _pthread_start (libsystem_pthread.dylib:x86_64+0x350c)
    #12 0x7fff5e67abf8 in thread_start (libsystem_pthread.dylib:x86_64+0x2bf8)

0x6150000216f0 is located 0 bytes to the right of 496-byte region [0x615000021500,0x6150000216f0)
allocated by thread T2 here:
    #0 0x103a70497 in wrap_calloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57497)
    #1 0x1026a07ae in SCCallocFunc util-mem.c:57
    #2 0x10246a636 in ThreadCtxDoInit detect-engine.c:2696
    #3 0x102469f0e in DetectEngineThreadCtxInit detect-engine.c:2770
    #4 0x10256a58d in FlowWorkerThreadInit flow-worker.c:273
    #5 0x1026614f7 in TmThreadsSlotVar tm-threads.c:394
    #6 0x7fff5e67b660 in _pthread_body (libsystem_pthread.dylib:x86_64+0x3660)
    #7 0x7fff5e67b50c in _pthread_start (libsystem_pthread.dylib:x86_64+0x350c)
    #8 0x7fff5e67abf8 in thread_start (libsystem_pthread.dylib:x86_64+0x2bf8)

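The trace above pins the write to exactly 0 bytes past a 496-byte region that was calloc'd once per detection thread, which is the signature of a fixed-size array of inspection buffers being indexed by the position of a topic in the SUBSCRIBE packet rather than by a bounds-checked slot. The following is an added, constructed model of that bug class, not Suricata's code: the struct layout, the names InspectionBufferMulti, InspectionBufferGetMultiVuln and InspectionBufferGetMultiSafe, the slot counts and the "topicY" sample data are all assumptions made for illustration, and the growing-array variant is one possible hardening rather than the project's actual fix.

```c
/* Constructed model of the bug class behind #4476: example code for this page,
 * not Suricata's own; struct layout, names and slot counts are assumptions.
 * A per-thread array of inspection buffers is calloc'd with a fixed number of
 * slots, and a "get multi" accessor hands out slot idx without checking it, so
 * a SUBSCRIBE with more topics than slots writes just past the region's end. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct InspectionBuffer_ {
    const uint8_t *inspect;     /* data the rule's content: matches against */
    uint32_t inspect_len;
    uint8_t initialized;
} InspectionBuffer;

typedef struct InspectionBufferMulti_ {
    InspectionBuffer *buffers;
    uint32_t size;              /* slots allocated */
} InspectionBufferMulti;

/* Fixed-size allocation at thread init, like the calloc in the trace. */
static int InspectionBufferMultiInit(InspectionBufferMulti *mb, uint32_t slots)
{
    mb->buffers = calloc(slots, sizeof(InspectionBuffer));
    mb->size = mb->buffers ? slots : 0;
    return mb->buffers ? 0 : -1;
}

/* Vulnerable accessor: trusts the caller's index. For idx == size the pointer
 * is exactly "0 bytes to the right" of the region, as in the ASan report. */
static InspectionBuffer *InspectionBufferGetMultiVuln(InspectionBufferMulti *mb, uint32_t idx)
{
    return &mb->buffers[idx];   /* no bounds check */
}

/* Hardened accessor: grows the array on demand (doubling), zeroes the new slots
 * and fails closed on size overflow or allocation failure. One possible fix,
 * written here as an illustration; the project's actual change may differ. */
static InspectionBuffer *InspectionBufferGetMultiSafe(InspectionBufferMulti *mb, uint32_t idx)
{
    if (idx >= mb->size) {
        uint32_t new_size = mb->size ? mb->size : 1;
        while (new_size <= idx) {
            if (new_size > UINT32_MAX / 2)
                return NULL;
            new_size *= 2;
        }
        InspectionBuffer *nb = realloc(mb->buffers, (size_t)new_size * sizeof(*nb));
        if (nb == NULL)
            return NULL;
        memset(nb + mb->size, 0, (size_t)(new_size - mb->size) * sizeof(*nb));
        mb->buffers = nb;
        mb->size = new_size;
    }
    return &mb->buffers[idx];
}

/* The write ASan flags once the pointer handed to it is out of bounds. */
static void InspectionBufferSetup(InspectionBuffer *b, const uint8_t *data, uint32_t len)
{
    b->inspect = data;
    b->inspect_len = len;
    b->initialized = 1;
}

/* 1 if the vulnerable accessor would return a slot outside an allocation of
 * `slots` entries for topic index idx. Only the one-past-end pointer is ever
 * formed (well-defined in C); nothing out of bounds is dereferenced. */
int VulnOverflowsForIndex(uint32_t slots, uint32_t idx)
{
    InspectionBufferMulti mb;
    if (InspectionBufferMultiInit(&mb, slots) != 0)
        return -1;
    int overflow = idx > mb.size ||
                   InspectionBufferGetMultiVuln(&mb, idx) >= mb.buffers + mb.size;
    free(mb.buffers);
    return overflow;
}

/* Simulates a SUBSCRIBE carrying `ntopics` topics through the hardened accessor.
 * Returns ntopics when every slot was set up in-bounds, -1 otherwise. */
int SafeSetupTopics(uint32_t slots, uint32_t ntopics)
{
    static const uint8_t topic[] = "topicY";    /* constructed sample topic */
    InspectionBufferMulti mb;
    int ok = 1;
    if (InspectionBufferMultiInit(&mb, slots) != 0)
        return -1;
    for (uint32_t i = 0; i < ntopics; i++) {
        InspectionBuffer *b = InspectionBufferGetMultiSafe(&mb, i);
        if (b == NULL) { ok = 0; break; }
        InspectionBufferSetup(b, topic, sizeof(topic) - 1);
    }
    for (uint32_t i = 0; ok && i < ntopics; i++)   /* data landed where expected */
        ok = i < mb.size && mb.buffers[i].initialized == 1 && mb.buffers[i].inspect_len == 6;
    free(mb.buffers);
    return ok ? (int)ntopics : -1;
}
```

The check a reviewer wants from a fix of this shape is twofold: that the slot count in the thread context can no longer be exceeded by attacker-controlled packet content (here, the number of topics in one SUBSCRIBE), and that any newly grown slots are zeroed before a prefilter reads their initialized flag, since a realloc'd tail is otherwise uninitialized memory.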

Files

mqtt_too_many_topics.pcap (258 KB), Philippe Antoine, 05/06/2021 07:02 AM

Related issues (3: 0 open, 3 closed)

Related to Suricata - Bug #4477: Infinite loops in when using InspectionBufferMultipleForList (Closed, Philippe Antoine)
Copied to Suricata - Security #4483: heap-buffer-overflow WRITE in InspectionBufferSetup with use of InspectionBufferGetMulti (Closed, Shivani Bhardwaj)
Copied to Suricata - Security #4485: heap-buffer-overflow WRITE in InspectionBufferSetup with use of InspectionBufferGetMulti (Closed, Jeff Lucovsky)