Bug #5443
closedftp-data: failed assertion
Added by Philippe Antoine over 2 years ago. Updated about 1 year ago.
Description
Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49010
./src/suricata -k none -c suricata.yaml --set stream.midstream=true --runmode=single -r lol.pcap
Victor, is this assertion really meant to be unreachable ?
Files
Updated by Philippe Antoine over 2 years ago
Bug introduced by commit https://github.com/OISF/suricata/commit/07bf9214513e54e04508c055bb8ed29aa3bce60f
Updated by Philippe Antoine over 2 years ago
- Related to Bug #5205: FTP-data unrecognized depending on multi-threading added
Updated by Philippe Antoine over 2 years ago
Took me some time to figure out that I was needing --runmode=single to reproduce due to #5205 (fuzz target runs in single thread and so ftp-data detection goes alright)
Updated by Victor Julien over 2 years ago
- Status changed from New to Assigned
- Priority changed from Normal to High
Updated by Philippe Antoine about 2 years ago
My analysis :
- we have a FTP flow which expects a ftp-data flow
- we use stream.midstream=true
- the ftp-data flow has a first packet with data
- the ftp-data flow has then a second packet in same direction with RST flag (and no ACK flag)
- RST triggers the parse of all available data, even if it has never been acked
Should we process any of these data that has never been acked ?
Updated by Victor Julien about 2 years ago
- Target version changed from 7.0.0-beta1 to 8.0.0-beta1
Updated by Victor Julien about 2 years ago
- Target version changed from 8.0.0-beta1 to 7.0.0-rc1
Accident during mass retargeting, thanks for catching this.
Updated by Philippe Antoine almost 2 years ago
I would disable the debug assertion if we cannot have a better fix quickly.
This would allow to have fuzzing going on and we would still have the issue to investigate...
Updated by Jeff Lucovsky almost 2 years ago
- Status changed from Assigned to Closed
Updated by Philippe Antoine almost 2 years ago
- Status changed from Closed to Assigned
The bug is still there to be fixed, so reopening
Updated by Philippe Antoine almost 2 years ago
Or to be explained as a non bug cf https://redmine.openinfosecfoundation.org/issues/5443#note-5
Updated by Philippe Antoine almost 2 years ago
- Priority changed from High to Normal
Updated by Victor Julien almost 2 years ago
- Target version changed from 7.0.0-rc1 to 7.0.0-rc2
Updated by Victor Julien over 1 year ago
- Target version changed from 7.0.0-rc2 to 7.0.0
Updated by Victor Julien over 1 year ago
- Target version changed from 7.0.0 to 7.0.1
Updated by Victor Julien over 1 year ago
- Status changed from Assigned to In Review
Updated by Victor Julien about 1 year ago
- Status changed from In Review to Closed
- Priority changed from High to Normal
https://github.com/OISF/suricata/pull/9320
Issue was caused by data on RST feeding data to app-layer after EOF was already sent to app-layer. Data on RST tracked in #6244.