
Bug #4519

closed

Buffer overflow in "by_rule" threshold context

Added by Jeff Lucovsky over 3 years ago. Updated over 3 years ago.

Status: Rejected
Priority: Normal
Assignee:
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

Several servers running Suricata have been crashing occasionally. I managed to get a PCAP file reproducing the bug on the same server, but had a hard time reproducing on my test rig. It turned out that the ordering of rules mattered, so after trying for a while I got my test rig to segfault as well.

The bug is connected to using "by_rule" tracking in thresholds in signatures.

When a new signature with "by_rule" tracking is parsed, th_entry is resized to the signature number plus one using ThresholdHashRealloc(). This ensures that the "buffer" is large enough to hold state for every rule that uses "by_rule" tracking in the ruleset. The issue is that the rules are reordered after they are parsed, and then all the rules are looped over and assigned new signature numbers based on the new order! Because of this, a buffer overflow could occur if we are unlucky enough that a signature with "by_rule" tracking has been given a signature number greater than the size of th_entry after the reordering, and that this rule triggers.

I'm suggesting to fix this by allocating th_entry after all the signatures have been parsed and loaded to ensure that it is large enough to hold all the entries needed.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  0x000000000051b381 in ThresholdHandlePacket (p=p@entry=0x7fb0080f3960, lookup_tsh=0x51, new_tsh=new_tsh@entry=0x7fb016c316e0, td=td@entry=0x14adedf0, sid=9800979, gid=1, pa=0x7fb0080f3b18)
    at detect-engine-threshold.c:415
415                 if (TIMEVAL_DIFF_SEC(p->ts, lookup_tsh->tv1) < td->seconds) {
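To make the ordering problem above concrete, here is an added, constructed C model (not Suricata's code; table_size_for, reorder_and_renumber, run_scenario and the three-rule, priority-sorted ruleset are assumptions) that sizes the by_rule table once during parsing and once after the final renumbering, and counts how many by_rule rules would index past the table in each case:

```c
#include <stdlib.h>
/* Constructed model of a signature (not Suricata code); 'by_rule' marks
 * rules that use "threshold ... track by_rule". */
typedef struct {
    int by_rule;   /* 1 if the rule uses by_rule tracking */
    int prio;      /* sort key applied after parsing (lower sorts first) */
    size_t signum; /* internal number: set at parse, reassigned after reorder */
} Sig;

/* Entries needed for the current signums: largest by_rule signum + 1. At parse
 * time this mirrors the ThresholdHashRealloc() sizing; after renumbering it is the fix. */
static size_t table_size_for(const Sig *sigs, size_t n) {
    size_t cap = 0;
    for (size_t i = 0; i < n; i++)
        if (sigs[i].by_rule && sigs[i].signum + 1 > cap) cap = sigs[i].signum + 1;
    return cap;
}

static int by_prio(const void *a, const void *b)
{ return ((const Sig *)a)->prio - ((const Sig *)b)->prio; }

/* What the engine does after loading: reorder, then renumber by position. */
static void reorder_and_renumber(Sig *sigs, size_t n) {
    qsort(sigs, n, sizeof *sigs, by_prio);
    for (size_t i = 0; i < n; i++) sigs[i].signum = i;
}

/* by_rule rules whose final signum lies outside a 'cap'-entry table: each one
 * is an out-of-bounds index the moment that rule fires. */
static size_t count_out_of_bounds(const Sig *sigs, size_t n, size_t cap) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (sigs[i].by_rule && sigs[i].signum >= cap) bad++;
    return bad;
}

typedef struct { size_t cap_parse, oob_parse, cap_fixed, oob_fixed; } Result;
/* Constructed ruleset: the only by_rule rule is parsed first (signum 0) but
 * sorts last, so a table sized during parsing has one entry for signum 2. */
static Result run_scenario(void) {
    Sig sigs[] = { {1, 9, 0}, {0, 1, 1}, {0, 2, 2} };
    size_t n = sizeof sigs / sizeof sigs[0];
    Result r;
    r.cap_parse = table_size_for(sigs, n);  /* sized before reorder: the bug */
    reorder_and_renumber(sigs, n);
    r.oob_parse = count_out_of_bounds(sigs, n, r.cap_parse);
    r.cap_fixed = table_size_for(sigs, n);  /* sized after reorder: the fix */
    r.oob_fixed = count_out_of_bounds(sigs, n, r.cap_fixed);
    return r;
}
```

The parse-time table ends up with one entry while the by_rule rule is renumbered to 2, which is exactly the index that the crashing lookup in ThresholdHandlePacket would use; sizing after the final numbering yields three entries and no out-of-bounds index.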

Related issues: 1 (0 open, 1 closed)

Copied from Suricata - Bug #4503: Buffer overflow in "by_rule" threshold context (Closed) - Mats Klepsland
#1

Updated by Jeff Lucovsky over 3 years ago

  • Copied from Bug #4503: Buffer overflow in "by_rule" threshold context added
#2

Updated by Jeff Lucovsky over 3 years ago

  • Status changed from Assigned to Rejected

The "by_rule" keyword is not available for rules in 5.0.x

#3

Updated by Victor Julien over 3 years ago

  • Target version deleted (5.0.7)