Bug #5526
closed
tcp: Assertion failed: (!((last_ack_abs < left_edge && StreamTcpInlineMode() == 0 && !f->ffr && ssn->state < TCP_CLOSED)))
Added by Philippe Antoine over 2 years ago.
Updated over 1 year ago.
Description
Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50784
Reproducer is with rule
alert tcp any any -> any 25 (msg:"VIRUS INBOUND bad file attachment"; flow:to_server,established; content:"content-disposition|3a| attachment|3b|"; nocase; content:".zip|22|"; nocase; within:128; file_data; content:".pdf.exe"; within:64; sid:13371339; rev:1;)
Cmd line is
./suricata -c suricata.yaml -k none -r repro.pcap -S repro.rules
Files
Reproducer was obtained with Python

import sys

# The oss-fuzz reproducer is one blob: the rules file, a NUL byte, then the pcap.
with open(sys.argv[1], "rb") as f:
    data = f.read()

# Split on the first NUL byte.
sep = data.find(0)

with open("repro.rules", "wb") as f:
    f.write(data[:sep])

with open("repro.pcap", "wb") as f:
    f.write(data[sep + 1:])
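Added example (not the reporter's script): a splitter for the same rules-NUL-pcap blob layout that also checks the part after the separator really starts with a pcap or pcapng magic, so a corrupt or mis-split blob is rejected before it is handed to Suricata. The set of magic numbers and the constructed sample blob are this example's own assumptions.

```python
import struct

# Magic numbers a capture file may start with (assumption: classic pcap in
# either byte order, with microsecond or nanosecond timestamps, or pcapng).
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1",  # pcap, little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4",  # pcap, big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1",  # pcap, little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d",  # pcap, big-endian, nanosecond timestamps
    b"\x0a\x0d\x0d\x0a",  # pcapng section header block
}


def split_reproducer(blob: bytes):
    """Split an oss-fuzz blob into (rules, pcap); raise ValueError if malformed."""
    sep = blob.find(0)
    if sep < 0:
        raise ValueError("no NUL separator between rules and pcap")
    rules, pcap = blob[:sep], blob[sep + 1:]
    if pcap[:4] not in PCAP_MAGICS:
        raise ValueError("data after the separator is not a pcap/pcapng file")
    return rules, pcap


def is_valid_reproducer(blob: bytes) -> bool:
    """True when the blob splits cleanly into rules and a capture file."""
    try:
        split_reproducer(blob)
        return True
    except ValueError:
        return False


def count_rules(rules: bytes) -> int:
    """Count non-empty, non-comment rule lines."""
    return sum(1 for line in rules.splitlines()
               if line.strip() and not line.lstrip().startswith(b"#"))


# Constructed sample: one rule, a NUL, then a minimal little-endian pcap global
# header (magic, version 2.4, tz 0, sigfigs 0, snaplen 65535, linktype 1 = Ethernet).
SAMPLE_RULES = b'alert tcp any any -> any 25 (msg:"test"; sid:1; rev:1;)\n'
SAMPLE_PCAP = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
SAMPLE_BLOB = SAMPLE_RULES + b"\x00" + SAMPLE_PCAP

if __name__ == "__main__":
    rules, pcap = split_reproducer(SAMPLE_BLOB)
    with open("repro.rules", "wb") as f:
        f.write(rules)
    with open("repro.pcap", "wb") as f:
        f.write(pcap)
```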
- Status changed from New to Assigned
- Priority changed from Normal to High
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Regression range is quite small: 50f877912861360f0461acd05acd7b7b51f9fd0f...1bff888947345505c773ab07337546aa72e95d16
commit f04b7a1827845d72b4d0c12f76eadfcc77d726cf introduced the debug assertion and the bug
- Related to Bug #5401: tcp: assertion failed in DoInsertSegment (BUG_ON) added
Bug still present even if oss-fuzz closed it
Was just looking today and noticed it indeed didn't reproduce. Do you have a new reproducer?
I use the same reproducer today
Suricata is at commit 55c4834e4e9b14a441b735f84d8d35b4eb151702
There must be another difference in system/libpcap...
Better luck reproducing with this single-flow pcap?
- Target version changed from 7.0.0-rc1 to 7.0.0-rc2
- Status changed from Assigned to Closed
- Target version changed from 7.0.0-rc2 to 7.0.0-rc1
Accidentally fixed by commit 1dac2467c5b9c22ed20f121717960eaf4068d303
- Status changed from Closed to Assigned
Here is the new variant reproducer
Command line has -k none -c suricata.yaml --set stream.midstream=true
And this is using emerging threats rules
- Target version changed from 7.0.0-rc1 to 7.0.0-rc2
- Status changed from Assigned to Closed
- Priority changed from High to Normal
- Private changed from Yes to No