Security #5703: smb: crash inside of streaming buffer Grow() - Suricata - Open Information Security Foundation

Actions

Copy link

Security #5703

closed

smb: crash inside of streaming buffer Grow()

Added by Jeff Lucovsky almost 2 years ago. Updated almost 2 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Victor Julien

Target version:

7.0.0-rc1

Affected Versions:

6.0.5

Label:

CVE:

Git IDs:

Severity:

MODERATE

Disclosure Date:

Description

Suricata crashed following a successful Grow operation; perhaps it's because the grow value is so large?

Thread 1 (Thread 0x7f9d474ff640 (LWP 44220)):
#0  __memset_avx2_erms () at ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:141
No locals.
#1  0x000055fd60aaa602 in memset (__len=<optimized out>, __ch=0, __dest=<optimized out>) at /usr/include/bits/string_fortified.h:71
No locals.
#2  Grow (sb=0x7f9c1cd34300) at util-streaming-buffer.c:504
        grow = 947912704
        ptr = 0x7f9b42000780
        diff = <optimized out>
        new_mem = <optimized out>
        grow = <optimized out>
        ptr = <optimized out>
        diff = <optimized out>
        new_mem = <optimized out>
#3  StreamingBufferAppendNoTrack (sb=0x7f9c1cd34300, data=0x7f9c15d51a88 <removed>..., data_len=590) at util-streaming-buffer.c:649
        rel_offset = <optimized out>
#4  0x000055fd60a85253 in AppendData (data_len=<optimized out>, data=<optimized out>, file=0x7f9c1cceff00) at util-file.c:610
No locals.
#5  FileAppendDataDo (data_len=<optimized out>, data=<optimized out>, ff=0x7f9c1cceff00) at util-file.c:701
        r = <optimized out>
        r = <optimized out>
#6  FileAppendDataDo (data_len=<optimized out>, data=<optimized out>, ff=0x7f9c1cceff00) at util-file.c:650
        r = <optimized out>
        r = <optimized out>
#7  FileAppendDataById (ffc=<optimized out>, track_id=<optimized out>, data=<optimized out>, data_len=<optimized out>) at util-file.c:757
        r = <optimized out>
        ff = 0x7f9c1cceff00
#8  0x000055fd60b5d561 in suricata::filecontainer::FileContainer::file_append (self=0x7f9d467ffcf0, track_id=0x7f9c1cfdc3b8, data=..., is_gap=<optimized out>) at src/filecontainer.rs:77
        c = 0x7f9b42000780
#9  suricata::filetracker::FileTransferTracker::update (self=0x7f9c1cfdc360, files=0x7f9d467ffcf0, flags=<optimized out>, data=..., gap_size=0) at src/filetracker.rs:307
        is_gap = <optimized out>
        consumed = 0
#10 0x000055fd60b1bfcc in suricata::smb::files::filetracker_newchunk (ft=0x7f9c1cfdc360, files=0x7f9d467ffcf0, flags=<optimized out>, name=<optimized out>, data=..., chunk_offset=<optimized out>, chunk_size=<optimized out>, is_last=false, xid=<optimized out>) at src/smb/files.rs:90
        sfcm = 0x0
#11 suricata::smb::smb2::smb2_write_request_record (state=0x7f9d467ffc00, r=<optimized out>) at src/smb/smb2.rs:314
        file_id = <optimized out>
        tdf = <optimized out>
        tx = <optimized out>
        files = 0x7f9d467ffcf0
        flags = <optimized out>
        set_event_fileoverlap = false
        file_name = alloc::vec::Vec<u8, alloc::alloc::Global> {buf: alloc::raw_vec::RawVec<u8, alloc::alloc::Global> {ptr: core::ptr::unique::Unique<u8> {pointer: 0x1f6a31d3, _marker: core::marker::PhantomData<u8>}, cap: 140312286593057, alloc: alloc::alloc::Global}, len: 16}
        file_guid = alloc::vec::Vec<u8, alloc::alloc::Global> {buf: alloc::raw_vec::RawVec<u8, alloc::alloc::Global> {ptr: core::ptr::unique::Unique<u8> {pointer: 0x0, _marker: core::marker::PhantomData<u8>}, cap: 140313482996472, alloc: alloc::alloc::Global}, len: 94546737347971}
        guid_key = suricata::smb::smb::SMBCommonHdr {ssn_id: <optimized out>, tree_id: <optimized out>, rec_type: 1, msg_id: <optimized out>}
        wr = suricata::smb::smb2_records::Smb2WriteRequestRecord {wr_len: <synthetic pointer>, wr_offset: <optimized out>, guid: &[u8] {data_ptr: <optimized out>, length: <optimized out>}, data: &[u8] {data_ptr: <optimized out>, length: 590}}
        max_queue_cnt = <optimized out>
        max_queue_size = <optimized out>
#12 0x000055fd60b9cea4 in suricata::smb::smb::SMBState::parse_tcp_data_ts_partial (self=0x7f9d467ffc00, input=...) at src/smb/smb.rs:1353
        smb_record = 0x0
        smb = <optimized out>
        nbss_part_hdr = <optimized out>
        output = <optimized out>
#13 0x000055fd60b9d587 in suricata::smb::smb::SMBState::parse_tcp_data_ts (self=0x7f9d467ffc00, i=...) at src/smb/smb.rs:1511
        n = <optimized out>
        needed = <error reading variable needed (Cannot access memory at address 0x0)>
        consumed = <optimized out>
        consumed = <optimized out>
        cur_i = &[u8] {data_ptr: 0x7f9c15d51a14, length: 706}
#14 0x000055fd60b9e782 in suricata::smb::smb::rs_smb_parse_request_tcp (flow=flow@entry=0x7f9c1814ac40, state=state@entry=0x7f9d467ffc00, _pstate=_pstate@entry=0x7f9c1cedc690, input=input@entry=0x7f9c15d51780, input_len=input_len@entry=1366, _data=_data@entry=0x0, flags=4) at src/smb/smb.rs:1901
        buf = &[u8] {data_ptr: 0x7f9c15d51780, length: 1366}
#15 0x000055fd6097b6bc in SMBTCPParseRequest (flags=4 '\004', local_data=0x0, input_len=1366, input=0x7f9c15d51780 <removed>, <incomplete sequence \353>..., pstate=0x7f9c1cedc690, state=0x7f9d467ffc00, f=0x7f9c1814ac40) at app-layer-smb.c:46
        res = {status = 0, consumed = 0, needed = 0}
        file_flags = <optimized out>
        res = <optimized out>
#16 SMBTCPParseRequest (f=0x7f9c1814ac40, state=0x7f9d467ffc00, pstate=0x7f9c1cedc690, input=0x7f9c15d51780 <removed>, <incomplete sequence \353>..., input_len=1366, local_data=0x0, flags=4 '\004') at app-layer-smb.c:33
        file_flags = <optimized out>
        res = <optimized out>
#17 0x000055fd6097a496 in AppLayerParserParse (tv=tv@entry=0x7f9dbbbe3200, alp_tctx=0x7f9d4627f800, f=f@entry=0x7f9c1814ac40, alproto=8, flags=4 '\004', input=input@entry=0x7f9c15d51780 <removed>, <incomplete sequence \353>..., input_len=1366) at app-layer-parser.c:1310
        res = <optimized out>
        pstate = 0x7f9c1cedc690
        p = <optimized out>
        alstate = 0x7f9d467ffc00
        p_tx_cnt = 33
        consumed = 1366
        direction = 0
        cur_tx_cnt = <optimized out>
#18 0x000055fd60953d4e in AppLayerHandleTCPData (tv=tv@entry=0x7f9dbbbe3200, ra_ctx=ra_ctx@entry=0x7f9d44b48000, p=p@entry=0x7f9d44b1a600, f=0x7f9c1814ac40, ssn=ssn@entry=0x7f9d44ec03c0, stream=stream@entry=0x7f9d474faff8, data=0x7f9c15d51780 <removed>, <incomplete sequence \353>..., data_len=1366, flags=4 '\004') at app-layer.c:724
        app_tctx = <optimized out>
        alproto = <optimized out>
        r = 0
        end = <optimized out>
        direction = 0
        failure = <optimized out>
#19 0x000055fd60a62cd9 in ReassembleUpdateAppLayer (dir=UPDATE_DIR_OPPOSING, p=0x7f9d44b1a600, stream=0x7f9d474faff8, ssn=0x7f9d44ec03c0, ra_ctx=0x7f9d44b48000, tv=0x7f9dbbbe3200) at stream-tcp-reassemble.c:1202
        flags = <optimized out>
        check_for_gap_ahead = <optimized out>
        new_app_progress = <optimized out>
        mydata = 0x7f9c15d51780 <removed>, <incomplete sequence \353>...
        mydata_len = 1366
        app_progress = 2621735586
        gap_ahead = <optimized out>
        last_was_gap = false
        app_progress = <optimized out>
        mydata = <optimized out>
        mydata_len = <optimized out>
        gap_ahead = <optimized out>
        last_was_gap = <optimized out>
        flags = <optimized out>
        check_for_gap_ahead = <optimized out>
        new_app_progress = <optimized out>
        r = <optimized out>
        no_progress_update = <optimized out>
#20 StreamTcpReassembleAppLayer (tv=tv@entry=0x7f9dbbbe3200, ra_ctx=ra_ctx@entry=0x7f9d44b48000, ssn=ssn@entry=0x7f9d44ec03c0, stream=<optimized out>, stream@entry=0x7f9d44ec0458, p=p@entry=0x7f9d44b1a600, dir=dir@entry=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1265
No locals.
#21 0x000055fd60a63ba9 in StreamTcpReassembleHandleSegmentUpdateACK (p=<optimized out>, stream=<optimized out>, ssn=<optimized out>, ra_ctx=<optimized out>, tv=<optimized out>) at stream-tcp-reassemble.c:1834
No locals.
#22 StreamTcpReassembleHandleSegment (tv=tv@entry=0x7f9dbbbe3200, ra_ctx=0x7f9d44b48000, ssn=ssn@entry=0x7f9d44ec03c0, stream=0x7f9d44ec03d0, p=p@entry=0x7f9d44b1a600, pq=pq@entry=0x7f9d44b47008) at stream-tcp-reassemble.c:1883
        opposing_stream = 0x7f9d44ec0458
        reversed_before_ack_handling = <optimized out>
        reversed_after_ack_handling = <optimized out>
        dir = UPDATE_DIR_OPPOSING
#23 0x000055fd60a57252 in HandleEstablishedPacketToClient (pq=<optimized out>, stt=<optimized out>, p=<optimized out>, ssn=<optimized out>, tv=<optimized out>) at stream-tcp.c:2502
        zerowindowprobe = <optimized out>
        zerowindowprobe = <optimized out>
        ack_diff = <optimized out>
        ack_diff = <optimized out>
        ack_diff = <optimized out>
        ack_diff = <optimized out>
        sacked_size__ = <optimized out>
#24 StreamTcpPacketStateEstablished (tv=tv@entry=0x7f9dbbbe3200, p=p@entry=0x7f9d44b1a600, stt=stt@entry=0x7f9d44b47000, ssn=ssn@entry=0x7f9d44ec03c0, pq=0x7f9d44b47008) at stream-tcp.c:2735
No locals.
#25 0x000055fd60a5ce31 in StreamTcpStateDispatch (state=<optimized out>, pq=0x7f9d44b47008, ssn=0x7f9d44ec03c0, stt=0x7f9d44b47000, p=0x7f9d44b1a600, tv=0x7f9dbbbe3200) at stream-tcp.c:4744
No locals.

Subtasks 1 (0 open — 1 closed)

Related issues 5 (0 open — 5 closed)

Actions

Copy link

Updated by Jeff Lucovsky almost 2 years ago

And another

#1  0x00005608f78b8602 in memset (__len=<optimized out>, __ch=0, __dest=<optimized out>) at /usr/include/bits/string_fortified.h:71
No locals.
#2  Grow (sb=0x7f72f00f2880) at util-streaming-buffer.c:504
        grow = 1441267712
        ptr = 0x7f7040800380
        diff = <optimized out>
        new_mem = <optimized out>
        grow = <optimized out>
        ptr = <optimized out>
        diff = <optimized out>
        new_mem = <optimized out>
#3  StreamingBufferAppendNoTrack (sb=0x7f72f00f2880, data=0x7f711d789000 "", data_len=18736) at util-streaming-buffer.c:649
        rel_offset = <optimized out>
#4  0x00005608f7893253 in AppendData (data_len=<optimized out>, data=<optimized out>, file=0x7f72f00e6b00) at util-file.c:610
No locals.
#5  FileAppendDataDo (data_len=<optimized out>, data=<optimized out>, ff=0x7f72f00e6b00) at util-file.c:701
        r = <optimized out>
        r = <optimized out>
#6  FileAppendDataDo (data_len=<optimized out>, data=<optimized out>, ff=0x7f72f00e6b00) at util-file.c:650
        r = <optimized out>
        r = <optimized out>
#7  FileAppendDataById (ffc=<optimized out>, track_id=<optimized out>, data=<optimized out>, data_len=<optimized out>) at util-file.c:757
        r = <optimized out>
        ff = 0x7f72f00e6b00
#8  0x00005608f796b561 in suricata::filecontainer::FileContainer::file_append (self=0x7f72dcd446f0, track_id=0x7f72f01d90c8, data=..., is_gap=<optimized out>) at src/filecontainer.rs:77
        c = 0x7f7040800380
#9  suricata::filetracker::FileTransferTracker::update (self=0x7f72f01d9070, files=0x7f72dcd446f0, flags=<optimized out>, data=..., gap_size=0) at src/filetracker.rs:307
        is_gap = <optimized out>
        consumed = 0
#10 0x00005608f79ae8ef in suricata::smb::smb::SMBState::filetracker_update (self=<optimized out>, direction=<optimized out>, data=..., gap_size=4067404584) at src/smb/files.rs:214
        file_data = &[u8] {data_ptr: 0x7f711d789000, length: 18736}
        tdf = <optimized out>
        tx = <optimized out>
        files = 0x7f72dcd446f0
        flags = 8790
        ssn_gap = <optimized out>
        data_to_handle_len = 18736
        file_handle = alloc::vec::Vec<u8, alloc::alloc::Global> {buf: alloc::raw_vec::RawVec<u8, alloc::alloc::Global> {ptr: core::ptr::unique::Unique<u8> {pointer: 0x7f72f0129ae0, _marker: core::marker::PhantomData<u8>}, cap: 16, alloc: alloc::alloc::Global}, len: 16}
        chunk_left = <optimized out>
#11 0x00005608f79aaf7c in suricata::smb::smb::SMBState::parse_tcp_data_ts (self=0x7f72dcd44600, i=...) at src/smb/smb.rs:1388
        consumed = <optimized out>
        cur_i = &[u8] {data_ptr: 0x7f711d789000, length: 18736}
#12 0x00005608f79ac782 in suricata::smb::smb::rs_smb_parse_request_tcp (flow=flow@entry=0x7f72b0c78e80, state=state@entry=0x7f72dcd44600, _pstate=_pstate@entry=0x7f72f011a8a0, input=input@entry=0x7f711d789000, input_len=input_len@entry=18736, _data=_data@entry=0x0, flags=4) at src/smb/smb.rs:1901
        buf = &[u8] {data_ptr: 0x7f711d789000, length: 18736}
#13 0x00005608f77896bc in SMBTCPParseRequest (flags=4 '\004', local_data=0x0, input_len=18736, input=0x7f711d789000 "", pstate=0x7f72f011a8a0, state=0x7f72dcd44600, f=0x7f72b0c78e80) at app-layer-smb.c:46
        res = {status = 0, consumed = 0, needed = 1}
        file_flags = <optimized out>
        res = <optimized out>
#14 SMBTCPParseRequest (f=0x7f72b0c78e80, state=0x7f72dcd44600, pstate=0x7f72f011a8a0, input=0x7f711d789000 "", input_len=18736, local_data=0x0, flags=4 '\004') at app-layer-smb.c:33
        file_flags = <optimized out>
        res = <optimized out>
#15 0x00005608f7788496 in AppLayerParserParse (tv=tv@entry=0x7f732a1e6680, alp_tctx=0x7f72efd39800, f=f@entry=0x7f72b0c78e80, alproto=8, flags=4 '\004', input=input@entry=0x7f711d789000 "", input_len=18736) at app-layer-parser.c:1310
        res = <optimized out>
        pstate = 0x7f72f011a8a0
        p = <optimized out>
        alstate = 0x7f72dcd44600
        p_tx_cnt = 2427
        consumed = 18736
        direction = 0
        cur_tx_cnt = <optimized out>
#16 0x00005608f7761d4e in AppLayerHandleTCPData (tv=tv@entry=0x7f732a1e6680, ra_ctx=ra_ctx@entry=0x7f72f1bff040, p=p@entry=0x7f72efd1a600, f=0x7f72b0c78e80, ssn=ssn@entry=0x7f72f00b8340, stream=stream@entry=0x7f72f26faff8, data=0x7f711d789000 "", data_len=18736, flags=4 '\004') at app-layer.c:724
        app_tctx = <optimized out>
        alproto = <optimized out>
        r = 0
        end = <optimized out>
        direction = 0
        failure = <optimized out>
#17 0x00005608f7870cd9 in ReassembleUpdateAppLayer (dir=UPDATE_DIR_OPPOSING, p=0x7f72efd1a600, stream=0x7f72f26faff8, ssn=0x7f72f00b8340, ra_ctx=0x7f72f1bff040, tv=0x7f732a1e6680) at stream-tcp-reassemble.c:1202
        flags = <optimized out>
        check_for_gap_ahead = <optimized out>
        new_app_progress = <optimized out>
        mydata = 0x7f711d789000 "" 
        mydata_len = 18736
        app_progress = 3877259096
        gap_ahead = <optimized out>
        last_was_gap = false
        app_progress = <optimized out>
        mydata = <optimized out>
        mydata_len = <optimized out>
        gap_ahead = <optimized out>
        last_was_gap = <optimized out>
        flags = <optimized out>
        check_for_gap_ahead = <optimized out>
        new_app_progress = <optimized out>
        r = <optimized out>
        no_progress_update = <optimized out>
#18 StreamTcpReassembleAppLayer (tv=tv@entry=0x7f732a1e6680, ra_ctx=ra_ctx@entry=0x7f72f1bff040, ssn=ssn@entry=0x7f72f00b8340, stream=<optimized out>, stream@entry=0x7f72f00b83d8, p=p@entry=0x7f72efd1a600, dir=dir@entry=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1265
No locals.
#19 0x00005608f7871ba9 in StreamTcpReassembleHandleSegmentUpdateACK (p=<optimized out>, stream=<optimized out>, ssn=<optimized out>, ra_ctx=<optimized out>, tv=<optimized out>) at stream-tcp-reassemble.c:1834
No locals.
#20 StreamTcpReassembleHandleSegment (tv=tv@entry=0x7f732a1e6680, ra_ctx=0x7f72f1bff040, ssn=ssn@entry=0x7f72f00b8340, stream=0x7f72f00b8350, p=p@entry=0x7f72efd1a600, pq=pq@entry=0x7f72f19ff048) at stream-tcp-reassemble.c:1883
        opposing_stream = 0x7f72f00b83d8
        reversed_before_ack_handling = <optimized out>
        reversed_after_ack_handling = <optimized out>
        dir = UPDATE_DIR_OPPOSING
#21 0x00005608f7865252 in HandleEstablishedPacketToClient (pq=<optimized out>, stt=<optimized out>, p=<optimized out>, ssn=<optimized out>, tv=<optimized out>) at stream-tcp.c:2502
        zerowindowprobe = <optimized out>
        zerowindowprobe = <optimized out>
        ack_diff = <optimized out>
        ack_diff = <optimized out>
        ack_diff = <optimized out>
        ack_diff = <optimized out>
        sacked_size__ = <optimized out>
#22 StreamTcpPacketStateEstablished (tv=tv@entry=0x7f732a1e6680, p=p@entry=0x7f72efd1a600, stt=stt@entry=0x7f72f19ff040, ssn=ssn@entry=0x7f72f00b8340, pq=0x7f72f19ff048) at stream-tcp.c:2735
No locals.
#23 0x00005608f786ae31 in StreamTcpStateDispatch (state=<optimized out>, pq=0x7f72f19ff048, ssn=0x7f72f00b8340, stt=0x7f72f19ff040, p=0x7f72efd1a600, tv=0x7f732a1e6680) at stream-tcp.c:4744
No locals.
#24 StreamTcpPacket (tv=0x7f732a1e6680, p=p@entry=0x7f72efd1a600, stt=stt@entry=0x7f72f19ff040, pq=0x7f72efd3d030) at stream-tcp.c:4929
        ssn = 0x7f72f00b8340
        error = <optimized out>
#25 0x00005608f786b3df in StreamTcp (tv=tv@entry=0x7f732a1e6680, p=p@entry=0x7f72efd1a600, data=0x7f72f19ff040, pq=pq@entry=0x7f72efd3d030) at stream-tcp.c:5270
        stt = 0x7f72f19ff040
#26 0x00005608f78205a0 in FlowWorkerStreamTCPUpdate (timeout=false, detect_thread=0x7f72f00d0000, p=0x7f72efd1a600, fw=0x7f72efd3d000, tv=0x7f732a1e6680) at flow-worker.c:370
        x = <optimized out>
        x = <optimized out>
#27 FlowWorker (tv=0x7f732a1e6680, p=0x7f72efd1a600, data=0x7f72efd3d000) at flow-worker.c:535
        fw = 0x7f72efd3d000
        detect_thread = 0x7f72f00d0000

Actions

Copy link

Updated by Victor Julien almost 2 years ago

Related to Security #5700: SCRealloc of large chunk crashes Suricata added

Actions

Copy link

Updated by Victor Julien almost 2 years ago

Related to Bug #4863: suricata segfault on smb packet added

Actions

Copy link

Updated by Victor Julien almost 2 years ago

Status changed from New to Assigned
Assignee changed from OISF Dev to Victor Julien
Priority changed from Normal to High
Target version changed from TBD to 7.0.0-rc1

I can reproduce this with a (large) single flow smb pcap:

23/11/2022 -- 07:18:10 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used
=================================================================
==1417393==ERROR: AddressSanitizer: unknown-crash on address 0x800032fde800 at pc 0x5555558dd7dc bp 0x7fffeb482f50 sp 0x7fffeb482720
WRITE of size 2948595712 at 0x800032fde800 thread T1 (W#01)
[Detaching after fork from child process 1417434]
    #0 0x5555558dd7db in __asan_memset (/home/victor/sync/devel/eidps/src/suricata+0x3897db) (BuildId: c3afc72044cbe2e282beb441b8bc569ff7102676)
    #1 0x555555ead853 in Grow /home/victor/devel/eidps/src/util-streaming-buffer.c:488:5
    #2 0x555555eae2c7 in StreamingBufferAppendNoTrack /home/victor/devel/eidps/src/util-streaming-buffer.c:623:21
    #3 0x555555e0debd in AppendData /home/victor/devel/eidps/src/util-file.c:660:9
    #4 0x555555e0c4b6 in FileAppendDataDo /home/victor/devel/eidps/src/util-file.c:753:13
    #5 0x555555e0c6a3 in FileAppendDataById /home/victor/devel/eidps/src/util-file.c:809:21
    #6 0x55555608801a in suricata::filecontainer::FileContainer::file_append::hafa9a2b52833c43d /home/victor/devel/eidps/rust/src/filecontainer.rs
    #7 0x55555608801a in suricata::filetracker::FileTransferTracker::update::h0b97404b5eb1ca72 /home/victor/devel/eidps/rust/src/filetracker.rs:296:31
    #8 0x55555614f1b7 in suricata::smb::files::_$LT$impl$u20$suricata..smb..smb..SMBState$GT$::filetracker_update::hbd6873bfb88eba3e /home/victor/devel/eidps/rust/src/smb/files.rs:173:30
    #9 0x555556130c5c in suricata::smb::smb::SMBState::parse_tcp_data_tc::h590b53b1b881a755 /home/victor/devel/eidps/rust/src/smb/smb.rs:1683:24
    #10 0x555556131db3 in rs_smb_parse_response_tcp /home/victor/devel/eidps/rust/src/smb/smb.rs:2002:5
    #11 0x5555559ef81c in AppLayerParserParse /home/victor/devel/eidps/src/app-layer-parser.c:1374:30
    #12 0x55555599b894 in AppLayerHandleTCPData /home/victor/devel/eidps/src/app-layer.c:770:17
    #13 0x555555dd83f9 in ReassembleUpdateAppLayer /home/victor/devel/eidps/src/stream-tcp-reassemble.c:1279:15
    #14 0x555555dd657c in StreamTcpReassembleAppLayer /home/victor/devel/eidps/src/stream-tcp-reassemble.c:1343:12
    #15 0x555555dddd97 in StreamTcpReassembleHandleSegmentUpdateACK /home/victor/devel/eidps/src/stream-tcp-reassemble.c:1920:9
    #16 0x555555ddd8cd in StreamTcpReassembleHandleSegment /home/victor/devel/eidps/src/stream-tcp-reassemble.c:1969:13
    #17 0x555555daf61a in HandleEstablishedPacketToServer /home/victor/devel/eidps/src/stream-tcp.c:2383:9
    #18 0x555555d77f03 in StreamTcpPacketStateEstablished /home/victor/devel/eidps/src/stream-tcp.c:2840:13
    #19 0x555555d5ab2a in StreamTcpStateDispatch /home/victor/devel/eidps/src/stream-tcp.c:4874:17
    #20 0x555555d517b3 in StreamTcpPacket /home/victor/devel/eidps/src/stream-tcp.c:5066:13
    #21 0x555555d5bb83 in StreamTcp /home/victor/devel/eidps/src/stream-tcp.c:5399:11
    #22 0x555555c6c4e1 in FlowWorkerStreamTCPUpdate /home/victor/devel/eidps/src/flow-worker.c:379:5
    #23 0x555555c6b26d in FlowWorker /home/victor/devel/eidps/src/flow-worker.c:548:9
    #24 0x55555592d68c in TmThreadsSlotVarRun /home/victor/devel/eidps/src/tm-threads.c:118:21
    #25 0x555555d4c8ff in TmThreadsSlotProcessPkt /home/victor/devel/eidps/src/./tm-threads.h:191:17
    #26 0x555555d4b8e8 in PcapFileCallbackLoop /home/victor/devel/eidps/src/source-pcap-file-helper.c:110:9
    #27 0x7ffff75ebc53  (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x2bc53) (BuildId: 2703e8aa153a5848770e5e1a18b14a1493204c07)
    #28 0x555555d4a923 in PcapFileDispatch /home/victor/devel/eidps/src/source-pcap-file-helper.c:155:17
    #29 0x555555d455b5 in ReceivePcapFileLoop /home/victor/devel/eidps/src/source-pcap-file.c:180:18
    #30 0x5555559399a7 in TmThreadsSlotPktAcqLoop /home/victor/devel/eidps/src/tm-threads.c:310:13
    #31 0x7ffff73aeb42 in start_thread nptl/./nptl/pthread_create.c:442:8
    #32 0x7ffff74409ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Actions

Copy link

Updated by Victor Julien almost 2 years ago

Subject changed from Suricata crashes inside of Grow to smb: crash inside of streaming bufffer Grow()

Actions

Copy link

Updated by Jeff Lucovsky almost 2 years ago

Subject changed from smb: crash inside of streaming bufffer Grow() to smb: crash inside of streaming buffer Grow()

Actions

Copy link

Updated by Victor Julien almost 2 years ago

Status changed from Assigned to In Review
Label Needs backport to 6.0 added

Actions

Copy link

Updated by Victor Julien almost 2 years ago

Subtask #5710 added

Actions

Copy link

Updated by Victor Julien almost 2 years ago

Rules	Affected
ET open	no
ET pro	no
-S /dev/null	yes
--disable-detection	no
at least one rule with file.data as fast_pattern	no
ruleset w/o file.data	yes
ruleset with file.data, but none are fast_pattern	yes

For file.data rules it is irrelevant if they specify alert smb, alert tcp, alert http, etc. As long as the there are rules that have file.data as fast pattern there is no issue.

Actions

Copy link

#10

Updated by Victor Julien almost 2 years ago

Related to Security #5712: tcp: crafted packets lead to resource starvation added

Actions

Copy link

#11

Updated by Victor Julien almost 2 years ago

Status changed from In Review to Resolved

https://github.com/OISF/suricata/pull/8209

Actions

Copy link

#12

Updated by Victor Julien almost 2 years ago

Status changed from Resolved to Closed

Actions

Copy link

#13

Updated by Victor Julien almost 2 years ago

Label deleted (~~Needs backport to 6.0~~)

Actions

Copy link

#14

Updated by Victor Julien almost 2 years ago

Private changed from Yes to No

Actions

Copy link

#15

Updated by Victor Julien almost 2 years ago

Related to Optimization #5782: smb: set defaults for file chunk limits added

Actions

Copy link

#16

Updated by Victor Julien almost 2 years ago

Related to Bug #5781: smb: unbounded file chunk queuing after gap added

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Security #5703

smb: crash inside of streaming buffer Grow()

Updated by Jeff Lucovsky almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Jeff Lucovsky almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Related to Suricata - Security #5700: SCRealloc of large chunk crashes Suricata	Closed	Victor Julien	Actions
Related to Suricata - Bug #4863: suricata segfault on smb packet	Rejected		Actions
Related to Suricata - Security #5712: tcp: crafted packets lead to resource starvation	Closed	Victor Julien	Actions
Related to Suricata - Optimization #5782: smb: set defaults for file chunk limits	Closed	Victor Julien	Actions
Related to Suricata - Bug #5781: smb: unbounded file chunk queuing after gap	Closed	Victor Julien	Actions