Security #5701: Suricata crashes while processing FTP - Suricata - Open Information Security Foundation

Actions

Copy link

Security #5701

closed

Suricata crashes while processing FTP

Added by Jeff Lucovsky almost 2 years ago. Updated over 1 year ago.

Status:

Closed

Priority:

Normal

Assignee:

Philippe Antoine

Target version:

7.0.0-rc1

Affected Versions:

6.0.5

Label:

CVE:

Git IDs:

Severity:

MODERATE

Disclosure Date:

Description

Auric

Thread 1 (Thread 0x7f83e9cff640 (LWP 42276)):
#0  core::cmp::impls::{{impl}}::ne (self=<optimized out>, other=<optimized out>) at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/core/src/cmp.rs:1177
No locals.
#1  core::cmp::impls::{{impl}}::ne<u8,u8> (self=<optimized out>, other=<optimized out>) at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/core/src/cmp.rs:1346
No locals.
#2  nom::traits::{{impl}}::compare::{{closure}} () at /data/build/appliance/pkgs/suricata/build/production/rust/vendor/nom/src/traits.rs:659
        a = <optimized out>
        b = <optimized out>
#3  core::iter::traits::iterator::Iterator::position::check::{{closure}}<(&u8, &u8),closure-0> (i=<optimized out>, x=...) at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/core/src/iter/traits/iterator.rs:2479
        predicate = <optimized out>
#4  core::iter::traits::iterator::Iterator::try_fold<core::iter::adapters::zip::Zip<core::slice::iter::Iter<u8>, core::slice::iter::Iter<u8>>,usize,closure-0,core::ops::control_flow::ControlFlow<usize, usize>> (self=<optimized out>, init=0, f=...) at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/core/src/iter/traits/iterator.rs:1982
        x = (0x0, <synthetic pointer>)
        accum = <optimized out>
        accum = <optimized out>
        x = <optimized out>
        err = <optimized out>
        val = <optimized out>
#5  core::iter::traits::iterator::Iterator::position<core::iter::adapters::zip::Zip<core::slice::iter::Iter<u8>, core::slice::iter::Iter<u8>>,closure-0> (self=<optimized out>, predicate=...) at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/core/src/iter/traits/iterator.rs:2483
No locals.
#6  nom::traits::{{impl}}::compare (self=<optimized out>, t=...) at /data/build/appliance/pkgs/suricata/build/production/rust/vendor/nom/src/traits.rs:659
        pos = <error reading variable pos (Cannot access memory at address 0x0)>
#7  nom::traits::{{impl}}::compare (self=<optimized out>, t=...) at /data/build/appliance/pkgs/suricata/build/production/rust/vendor/nom/src/traits.rs:714
No locals.
#8  nom::bytes::streaming::tag::{{closure}}<&str,&[u8],(&[u8], nom::error::ErrorKind)> (i=...) at /data/build/appliance/pkgs/suricata/build/production/rust/vendor/nom/src/bytes/streaming.rs:37
        t = <error reading variable>
        tag_len = 4
        tag = <optimized out>
        tag_len = <optimized out>
        t = <optimized out>
        res = <error reading variable res (Cannot access memory at address 0x0)>
        e = <optimized out>
#9  suricata::ftp::ftp_active_port (i=...) at /data/build/appliance/pkgs/suricata/build/production/rust/vendor/nom/src/combinator/macros.rs:124
No locals.
#10 0x000055ef4e9360e5 in suricata::ftp::rs_ftp_active_port (input=0x0, len=<optimized out>) at src/ftp/mod.rs:81
        buf = &[u8] {data_ptr: 0x4, length: 25}
#11 0x000055ef4e79b19d in FTPParseResponse (f=0x7f7df446e380, ftp_state=0x7f82475e3480, pstate=<optimized out>, input=<optimized out>, input_len=<optimized out>, local_data=<optimized out>, flags=<optimized out>) at app-layer-ftp.c:818
        tx = 0x7f828edfb600
        dyn_port = <optimized out>
        state = 0x7f82475e3480
        lasttx = 0x7f828edfb600
#12 0x000055ef4e7a72b6 in AppLayerParserParse (tv=tv@entry=0x7f844ce40fc0, alp_tctx=0x7f83e7c9c800, f=f@entry=0x7f7df446e380, alproto=2, flags=flags@entry=8 '\b', input=input@entry=0x7f7617e3a63d <removed>..., input_len=30) at app-layer-parser.c:1285
        res = <optimized out>
        pstate = 0x7f75793d9500
        p = <optimized out>
        alstate = 0x7f82475e3480
        p_tx_cnt = 238
        consumed = 30
        direction = 1
        cur_tx_cnt = <optimized out>
#13 0x000055ef4e780cdc in AppLayerHandleTCPData (tv=tv@entry=0x7f844ce40fc0, ra_ctx=ra_ctx@entry=0x7f83e7cd8000, p=p@entry=0x7f83e7c73600, f=0x7f7df446e380, ssn=ssn@entry=0x7f83e7dede00, stream=stream@entry=0x7f83e9cfaff8, data=0x7f7617e3a63d <removed>..., data_len=30, flags=8 '\b') at app-layer.c:709
        app_tctx = <optimized out>
        alproto = <optimized out>
        r = 0
        direction = 1
        failure = <optimized out>
#14 0x000055ef4e88f5e9 in ReassembleUpdateAppLayer (dir=UPDATE_DIR_OPPOSING, p=0x7f83e7c73600, stream=0x7f83e9cfaff8, ssn=0x7f83e7dede00, ra_ctx=0x7f83e7cd8000, tv=0x7f844ce40fc0) at stream-tcp-reassemble.c:1190
        flags = <optimized out>
        check_for_gap_ahead = <optimized out>
        new_app_progress = <optimized out>
        mydata = 0x7f7617e3a63d <removed>...
        mydata_len = 30
        app_progress = 9397
        gap_ahead = <optimized out>
        last_was_gap = false
        app_progress = <optimized out>
        mydata = <optimized out>
        mydata_len = <optimized out>
        gap_ahead = <optimized out>
        last_was_gap = <optimized out>
        flags = <optimized out>
        check_for_gap_ahead = <optimized out>
        new_app_progress = <optimized out>
        r = <optimized out>
        no_progress_update = <optimized out>
#15 StreamTcpReassembleAppLayer (tv=tv@entry=0x7f844ce40fc0, ra_ctx=ra_ctx@entry=0x7f83e7cd8000, ssn=ssn@entry=0x7f83e7dede00, stream=<optimized out>, stream@entry=0x7f83e7dede10, p=p@entry=0x7f83e7c73600, dir=dir@entry=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1253
No locals.
#16 0x000055ef4e8904da in StreamTcpReassembleHandleSegmentUpdateACK (p=<optimized out>, stream=<optimized out>, ssn=<optimized out>, ra_ctx=<optimized out>, tv=<optimized out>) at stream-tcp-reassemble.c:1822
No locals.
#17 StreamTcpReassembleHandleSegment (tv=tv@entry=0x7f844ce40fc0, ra_ctx=0x7f83e7cd8000, ssn=ssn@entry=0x7f83e7dede00, stream=0x7f83e7dede98, p=p@entry=0x7f83e7c73600, pq=pq@entry=0x7f83e7cd7008) at stream-tcp-reassemble.c:1871
        opposing_stream = 0x7f83e7dede10
        reversed_before_ack_handling = <optimized out>
        reversed_after_ack_handling = <optimized out>
        dir = UPDATE_DIR_OPPOSING
#18 0x000055ef4e883bd2 in HandleEstablishedPacketToClient (pq=<optimized out>, stt=<optimized out>, p=<optimized out>, ssn=<optimized out>, tv=<optimized out>) at stream-tcp.c:2469
        zerowindowprobe = <optimized out>
        zerowindowprobe = <optimized out>
        ack_diff = <optimized out>
        ack_diff = <optimized out>
        ack_diff = <optimized out>
        ack_diff = <optimized out>
        sacked_size__ = <optimized out>
#19 StreamTcpPacketStateEstablished (tv=tv@entry=0x7f844ce40fc0, p=p@entry=0x7f83e7c73600, stt=stt@entry=0x7f83e7cd7000, ssn=ssn@entry=0x7f83e7dede00, pq=0x7f83e7cd7008) at stream-tcp.c:2702
No locals.
#20 0x000055ef4e889751 in StreamTcpStateDispatch (state=<optimized out>, pq=0x7f83e7cd7008, ssn=0x7f83e7dede00, stt=0x7f83e7cd7000, p=0x7f83e7c73600, tv=0x7f844ce40fc0) at stream-tcp.c:4711
No locals.
#21 StreamTcpPacket (tv=0x7f844ce40fc0, p=p@entry=0x7f83e7c73600, stt=stt@entry=0x7f83e7cd7000, pq=0x7f83e7caa030) at stream-tcp.c:4896
        ssn = 0x7f83e7dede00
        error = <optimized out>
#22 0x000055ef4e889cff in StreamTcp (tv=tv@entry=0x7f844ce40fc0, p=p@entry=0x7f83e7c73600, data=0x7f83e7cd7000, pq=pq@entry=0x7f83e7caa030) at stream-tcp.c:5234
        stt = 0x7f83e7cd7000
#23 0x000055ef4e83f040 in FlowWorkerStreamTCPUpdate (timeout=false, detect_thread=0x7f83e738b000, p=0x7f83e7c73600, fw=0x7f83e7caa000, tv=0x7f844ce40fc0) at flow-worker.c:370
        x = <optimized out>
        x = <optimized out>
#24 FlowWorker (tv=0x7f844ce40fc0, p=0x7f83e7c73600, data=0x7f83e7caa000) at flow-worker.c:535
        fw = 0x7f83e7caa000
        detect_thread = 0x7f83e738b000
#25 0x000055ef4e89815f in TmThreadsSlotVarRun (tv=tv@entry=0x7f844ce40fc0, p=p@entry=0x7f83e7c73600, slot=<optimized out>) at tm-threads.c:127
        r = <optimized out>
        s = 0x7f844df7d6c0
#26 0x000055ef4e876641 in TmThreadsSlotProcessPkt (p=0x7f83e7c73600, s=<optimized out>, tv=0x7f844ce40fc0) at tm-threads.h:195
        r = <optimized out>
        r = <optimized out>
#27 NapatechPacketLoop (tv=0x7f844ce40fc0, data=0x7f83e8d7d000, slot=<optimized out>) at source-napatech.c:1070

Subtasks 1 (0 open — 1 closed)

Related issues 1 (1 open — 0 closed)

Actions

Copy link

Updated by Jeff Lucovsky almost 2 years ago

Suricata crashed while processing an FTP session.

Actions

Copy link

Updated by Victor Julien almost 2 years ago

Status changed from New to Assigned
Priority changed from Normal to High

Actions

Copy link

Updated by Philippe Antoine almost 2 years ago

I see one way to trigger this :
- First FTP_COMMAND_PORT request allocates state->port_line and sets state->port_line_len : everything is fine so far
- Another request tries to realloc but fails due to memcap : it resets state->port_line but not state->port_line_len
- A response calls rs_ftp_active_port(NULL, 25);

Fix is like

diff --git a/src/app-layer-ftp.c b/src/app-layer-ftp.c
index 61a7566ee..be8787a90 100644
--- a/src/app-layer-ftp.c
+++ b/src/app-layer-ftp.c
@@ -647,6 +647,7 @@ static AppLayerResult FTPParseRequest(Flow *f, void *ftp_state,
                             FTPFree(state->port_line, state->port_line_size);
                             state->port_line = NULL;
                             state->port_line_size = 0;
+                            state->port_line_len = 0;
                         }
                         SCReturnStruct(APP_LAYER_OK);
                     }

I should craft a S-V test first...

Actions

Copy link