Security #5703
smb: crash inside of streaming buffer Grow()
Status: Closed
Git IDs:
Severity: MODERATE
Disclosure Date:
Description
Suricata crashed following a successful Grow operation; perhaps it's because the grow value is so large?
Thread 1 (Thread 0x7f9d474ff640 (LWP 44220)):
#0 __memset_avx2_erms () at ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:141 No locals.
#1 0x000055fd60aaa602 in memset (__len=<optimized out>, __ch=0, __dest=<optimized out>) at /usr/include/bits/string_fortified.h:71 No locals.
#2 Grow (sb=0x7f9c1cd34300) at util-streaming-buffer.c:504 grow = 947912704 ptr = 0x7f9b42000780 diff = <optimized out> new_mem = <optimized out> grow = <optimized out> ptr = <optimized out> diff = <optimized out> new_mem = <optimized out>
#3 StreamingBufferAppendNoTrack (sb=0x7f9c1cd34300, data=0x7f9c15d51a88 <removed>..., data_len=590) at util-streaming-buffer.c:649 rel_offset = <optimized out>
#4 0x000055fd60a85253 in AppendData (data_len=<optimized out>, data=<optimized out>, file=0x7f9c1cceff00) at util-file.c:610 No locals.
#5 FileAppendDataDo (data_len=<optimized out>, data=<optimized out>, ff=0x7f9c1cceff00) at util-file.c:701 r = <optimized out> r = <optimized out>
#6 FileAppendDataDo (data_len=<optimized out>, data=<optimized out>, ff=0x7f9c1cceff00) at util-file.c:650 r = <optimized out> r = <optimized out>
#7 FileAppendDataById (ffc=<optimized out>, track_id=<optimized out>, data=<optimized out>, data_len=<optimized out>) at util-file.c:757 r = <optimized out> ff = 0x7f9c1cceff00
#8 0x000055fd60b5d561 in suricata::filecontainer::FileContainer::file_append (self=0x7f9d467ffcf0, track_id=0x7f9c1cfdc3b8, data=..., is_gap=<optimized out>) at src/filecontainer.rs:77 c = 0x7f9b42000780
#9 suricata::filetracker::FileTransferTracker::update (self=0x7f9c1cfdc360, files=0x7f9d467ffcf0, flags=<optimized out>, data=..., gap_size=0) at src/filetracker.rs:307 is_gap = <optimized out> consumed = 0
#10 0x000055fd60b1bfcc in suricata::smb::files::filetracker_newchunk (ft=0x7f9c1cfdc360, files=0x7f9d467ffcf0, flags=<optimized out>, name=<optimized out>, data=..., chunk_offset=<optimized out>, chunk_size=<optimized out>, is_last=false, xid=<optimized out>) at src/smb/files.rs:90 sfcm = 0x0
#11 suricata::smb::smb2::smb2_write_request_record (state=0x7f9d467ffc00, r=<optimized out>) at src/smb/smb2.rs:314 file_id = <optimized out> tdf = <optimized out> tx = <optimized out> files = 0x7f9d467ffcf0 flags = <optimized out> set_event_fileoverlap = false file_name = alloc::vec::Vec<u8, alloc::alloc::Global> {buf: alloc::raw_vec::RawVec<u8, alloc::alloc::Global> {ptr: core::ptr::unique::Unique<u8> {pointer: 0x1f6a31d3, _marker: core::marker::PhantomData<u8>}, cap: 140312286593057, alloc: alloc::alloc::Global}, len: 16} file_guid = alloc::vec::Vec<u8, alloc::alloc::Global> {buf: alloc::raw_vec::RawVec<u8, alloc::alloc::Global> {ptr: core::ptr::unique::Unique<u8> {pointer: 0x0, _marker: core::marker::PhantomData<u8>}, cap: 140313482996472, alloc: alloc::alloc::Global}, len: 94546737347971} guid_key = suricata::smb::smb::SMBCommonHdr {ssn_id: <optimized out>, tree_id: <optimized out>, rec_type: 1, msg_id: <optimized out>} wr = suricata::smb::smb2_records::Smb2WriteRequestRecord {wr_len: <synthetic pointer>, wr_offset: <optimized out>, guid: &[u8] {data_ptr: <optimized out>, length: <optimized out>}, data: &[u8] {data_ptr: <optimized out>, length: 590}} max_queue_cnt = <optimized out> max_queue_size = <optimized out>
#12 0x000055fd60b9cea4 in suricata::smb::smb::SMBState::parse_tcp_data_ts_partial (self=0x7f9d467ffc00, input=...) at src/smb/smb.rs:1353 smb_record = 0x0 smb = <optimized out> nbss_part_hdr = <optimized out> output = <optimized out>
#13 0x000055fd60b9d587 in suricata::smb::smb::SMBState::parse_tcp_data_ts (self=0x7f9d467ffc00, i=...) at src/smb/smb.rs:1511 n = <optimized out> needed = <error reading variable needed (Cannot access memory at address 0x0)> consumed = <optimized out> consumed = <optimized out> cur_i = &[u8] {data_ptr: 0x7f9c15d51a14, length: 706}
#14 0x000055fd60b9e782 in suricata::smb::smb::rs_smb_parse_request_tcp (flow=flow@entry=0x7f9c1814ac40, state=state@entry=0x7f9d467ffc00, _pstate=_pstate@entry=0x7f9c1cedc690, input=input@entry=0x7f9c15d51780, input_len=input_len@entry=1366, _data=_data@entry=0x0, flags=4) at src/smb/smb.rs:1901 buf = &[u8] {data_ptr: 0x7f9c15d51780, length: 1366}
#15 0x000055fd6097b6bc in SMBTCPParseRequest (flags=4 '\004', local_data=0x0, input_len=1366, input=0x7f9c15d51780 <removed>, <incomplete sequence \353>..., pstate=0x7f9c1cedc690, state=0x7f9d467ffc00, f=0x7f9c1814ac40) at app-layer-smb.c:46 res = {status = 0, consumed = 0, needed = 0} file_flags = <optimized out> res = <optimized out>
#16 SMBTCPParseRequest (f=0x7f9c1814ac40, state=0x7f9d467ffc00, pstate=0x7f9c1cedc690, input=0x7f9c15d51780 <removed>, <incomplete sequence \353>..., input_len=1366, local_data=0x0, flags=4 '\004') at app-layer-smb.c:33 file_flags = <optimized out> res = <optimized out>
#17 0x000055fd6097a496 in AppLayerParserParse (tv=tv@entry=0x7f9dbbbe3200, alp_tctx=0x7f9d4627f800, f=f@entry=0x7f9c1814ac40, alproto=8, flags=4 '\004', input=input@entry=0x7f9c15d51780 <removed>, <incomplete sequence \353>..., input_len=1366) at app-layer-parser.c:1310 res = <optimized out> pstate = 0x7f9c1cedc690 p = <optimized out> alstate = 0x7f9d467ffc00 p_tx_cnt = 33 consumed = 1366 direction = 0 cur_tx_cnt = <optimized out>
#18 0x000055fd60953d4e in AppLayerHandleTCPData (tv=tv@entry=0x7f9dbbbe3200, ra_ctx=ra_ctx@entry=0x7f9d44b48000, p=p@entry=0x7f9d44b1a600, f=0x7f9c1814ac40, ssn=ssn@entry=0x7f9d44ec03c0, stream=stream@entry=0x7f9d474faff8, data=0x7f9c15d51780 <removed>, <incomplete sequence \353>..., data_len=1366, flags=4 '\004') at app-layer.c:724 app_tctx = <optimized out> alproto = <optimized out> r = 0 end = <optimized out> direction = 0 failure = <optimized out>
#19 0x000055fd60a62cd9 in ReassembleUpdateAppLayer (dir=UPDATE_DIR_OPPOSING, p=0x7f9d44b1a600, stream=0x7f9d474faff8, ssn=0x7f9d44ec03c0, ra_ctx=0x7f9d44b48000, tv=0x7f9dbbbe3200) at stream-tcp-reassemble.c:1202 flags = <optimized out> check_for_gap_ahead = <optimized out> new_app_progress = <optimized out> mydata = 0x7f9c15d51780 <removed>, <incomplete sequence \353>... mydata_len = 1366 app_progress = 2621735586 gap_ahead = <optimized out> last_was_gap = false app_progress = <optimized out> mydata = <optimized out> mydata_len = <optimized out> gap_ahead = <optimized out> last_was_gap = <optimized out> flags = <optimized out> check_for_gap_ahead = <optimized out> new_app_progress = <optimized out> r = <optimized out> no_progress_update = <optimized out>
#20 StreamTcpReassembleAppLayer (tv=tv@entry=0x7f9dbbbe3200, ra_ctx=ra_ctx@entry=0x7f9d44b48000, ssn=ssn@entry=0x7f9d44ec03c0, stream=<optimized out>, stream@entry=0x7f9d44ec0458, p=p@entry=0x7f9d44b1a600, dir=dir@entry=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1265 No locals.
#21 0x000055fd60a63ba9 in StreamTcpReassembleHandleSegmentUpdateACK (p=<optimized out>, stream=<optimized out>, ssn=<optimized out>, ra_ctx=<optimized out>, tv=<optimized out>) at stream-tcp-reassemble.c:1834 No locals.
#22 StreamTcpReassembleHandleSegment (tv=tv@entry=0x7f9dbbbe3200, ra_ctx=0x7f9d44b48000, ssn=ssn@entry=0x7f9d44ec03c0, stream=0x7f9d44ec03d0, p=p@entry=0x7f9d44b1a600, pq=pq@entry=0x7f9d44b47008) at stream-tcp-reassemble.c:1883 opposing_stream = 0x7f9d44ec0458 reversed_before_ack_handling = <optimized out> reversed_after_ack_handling = <optimized out> dir = UPDATE_DIR_OPPOSING
#23 0x000055fd60a57252 in HandleEstablishedPacketToClient (pq=<optimized out>, stt=<optimized out>, p=<optimized out>, ssn=<optimized out>, tv=<optimized out>) at stream-tcp.c:2502 zerowindowprobe = <optimized out> zerowindowprobe = <optimized out> ack_diff = <optimized out> ack_diff = <optimized out> ack_diff = <optimized out> ack_diff = <optimized out> sacked_size__ = <optimized out>
#24 StreamTcpPacketStateEstablished (tv=tv@entry=0x7f9dbbbe3200, p=p@entry=0x7f9d44b1a600, stt=stt@entry=0x7f9d44b47000, ssn=ssn@entry=0x7f9d44ec03c0, pq=0x7f9d44b47008) at stream-tcp.c:2735 No locals.
#25 0x000055fd60a5ce31 in StreamTcpStateDispatch (state=<optimized out>, pq=0x7f9d44b47008, ssn=0x7f9d44ec03c0, stt=0x7f9d44b47000, p=0x7f9d44b1a600, tv=0x7f9dbbbe3200) at stream-tcp.c:4744 No locals.
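All three traces on this ticket end in the memset that zero-fills a freshly grown streaming-buffer region, with grow sizes of 947912704, 1441267712 and 2948595712 bytes. What follows is an added example, my own code rather than Suricata's util-streaming-buffer.c or the change that closed this ticket, showing the shape of that failure mode next to the check a bounded buffer needs: a minimal region that grows so that an append at an arbitrary stream offset fits. With cap = SIZE_MAX a single 590-byte chunk whose end lands at the 947912704-byte mark (the first trace's grow value) drives a gigabyte-scale realloc plus memset; with a finite cap the same append is refused before the allocator is touched. The struct, the doubling policy, the 32 MiB cap, and the assumption that the grow is driven by the chunk's stream offset (an SMB write offset, or a gap that advances it, such as gap_size=4067404584 in the second trace) are this example's own; a real buffer also tracks where its region starts in the stream, which is left out here.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not Suricata's util-streaming-buffer.c: the names, the
 * doubling policy and the 32 MiB cap are this example's own assumptions. */
#define SB_OK         0
#define SB_ERR_ALLOC -1          /* realloc failed */
#define SB_ERR_LIMIT -2          /* chunk cannot be stored within the cap */
#define SB_INITIAL  4096
#define SB_CAP      (32u << 20)

typedef struct {
    uint8_t *buf;   /* buf[i] holds the byte at stream offset i */
    size_t   size;  /* allocated bytes */
    size_t   used;  /* highest filled position */
} sbuf_t;

/* Allocation size a doubling policy reaches for `required` bytes. */
size_t sb_grow_size(size_t cur, size_t required)
{
    size_t grow = cur ? cur : SB_INITIAL;
    while (grow < required) {
        if (grow > SIZE_MAX / 2) return SIZE_MAX;
        grow *= 2;
    }
    return grow;
}

/* Reallocate and zero the new tail: the memset all three traces die in. */
static int sb_grow(sbuf_t *sb, size_t nsize)
{
    uint8_t *nbuf = realloc(sb->buf, nsize);
    if (nbuf == NULL) return SB_ERR_ALLOC;
    memset(nbuf + sb->size, 0, nsize - sb->size);
    sb->buf = nbuf;
    sb->size = nsize;
    return SB_OK;
}

/* Append `len` bytes at stream offset `off`, growing the region if needed but
 * never past `cap`. cap = SIZE_MAX reproduces the failure mode in the traces:
 * the region grows to whatever the peer-chosen offset (an SMB write offset, or
 * a gap that advanced it) demands, so one small chunk forces a gigabyte-scale
 * realloc plus memset. A finite cap rejects the chunk before the allocator is
 * touched; the caller can then truncate the file and raise an event. */
int sb_append(sbuf_t *sb, uint64_t off, const uint8_t *data, size_t len, size_t cap)
{
    if (len == 0) return SB_OK;
    if (off > (uint64_t)SIZE_MAX - len) return SB_ERR_LIMIT;   /* would overflow */
    size_t req = (size_t)(off + len);
    if (req > cap) return SB_ERR_LIMIT;
    if (req > sb->size) {
        size_t nsize = sb_grow_size(sb->size, req);
        int rc = sb_grow(sb, nsize > cap ? cap : nsize);
        if (rc != SB_OK) return rc;
    }
    memcpy(sb->buf + off, data, len);
    if (req > sb->used) sb->used = req;
    return SB_OK;
}

void sb_free(sbuf_t *sb)
{
    free(sb->buf);
    sb->buf = NULL;
    sb->size = sb->used = 0;
}

/* The first trace's chunk: 590 bytes ending at the 947912704-byte mark (the
 * grow value gdb shows). Returns 1 when the capped append rejects it without
 * allocating anything. */
int scenario_trace_chunk_rejected(void)
{
    sbuf_t sb = {0};
    uint8_t chunk[590];
    memset(chunk, 0x41, sizeof(chunk));   /* constructed payload */
    int rc = sb_append(&sb, 947912704ULL - sizeof(chunk), chunk, sizeof(chunk), SB_CAP);
    int ok = rc == SB_ERR_LIMIT && sb.buf == NULL && sb.size == 0;
    sb_free(&sb);
    return ok;
}

/* In-range appends, including one that forces a grow, still work. Returns 1. */
int scenario_small_appends_ok(void)
{
    sbuf_t sb = {0};
    const uint8_t a[] = {'A', 'B', 'C', 'D'}, b[] = {'x', 'y', 'z'};  /* constructed */
    int ok = sb_append(&sb, 1000, a, 4, SB_CAP) == SB_OK && sb.size == SB_INITIAL
          && sb.used == 1004 && memcmp(sb.buf + 1000, a, 4) == 0 && sb.buf[0] == 0;
    ok = ok && sb_append(&sb, 5000, b, 3, SIZE_MAX) == SB_OK && sb.size == 2 * SB_INITIAL
          && sb.used == 5003 && memcmp(sb.buf + 5000, b, 3) == 0;
    sb_free(&sb);
    return ok;
}
```

sb_grow_size(0, 947912704) alone shows the problem: a doubling policy from 4096 bytes lands on 1073741824, a 1 GiB realloc and memset for a 590-byte write. Refusing the append is only half of a fix; the caller still has to stop feeding the file (truncate it and flag it) rather than keep queueing chunks, which is the side the related tickets #5781 (unbounded file chunk queuing after gap) and #5782 (set defaults for file chunk limits) point at.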
Updated by Jeff Lucovsky about 2 years ago
And another
#1 0x00005608f78b8602 in memset (__len=<optimized out>, __ch=0, __dest=<optimized out>) at /usr/include/bits/string_fortified.h:71 No locals.
#2 Grow (sb=0x7f72f00f2880) at util-streaming-buffer.c:504 grow = 1441267712 ptr = 0x7f7040800380 diff = <optimized out> new_mem = <optimized out> grow = <optimized out> ptr = <optimized out> diff = <optimized out> new_mem = <optimized out>
#3 StreamingBufferAppendNoTrack (sb=0x7f72f00f2880, data=0x7f711d789000 "", data_len=18736) at util-streaming-buffer.c:649 rel_offset = <optimized out>
#4 0x00005608f7893253 in AppendData (data_len=<optimized out>, data=<optimized out>, file=0x7f72f00e6b00) at util-file.c:610 No locals.
#5 FileAppendDataDo (data_len=<optimized out>, data=<optimized out>, ff=0x7f72f00e6b00) at util-file.c:701 r = <optimized out> r = <optimized out>
#6 FileAppendDataDo (data_len=<optimized out>, data=<optimized out>, ff=0x7f72f00e6b00) at util-file.c:650 r = <optimized out> r = <optimized out>
#7 FileAppendDataById (ffc=<optimized out>, track_id=<optimized out>, data=<optimized out>, data_len=<optimized out>) at util-file.c:757 r = <optimized out> ff = 0x7f72f00e6b00
#8 0x00005608f796b561 in suricata::filecontainer::FileContainer::file_append (self=0x7f72dcd446f0, track_id=0x7f72f01d90c8, data=..., is_gap=<optimized out>) at src/filecontainer.rs:77 c = 0x7f7040800380
#9 suricata::filetracker::FileTransferTracker::update (self=0x7f72f01d9070, files=0x7f72dcd446f0, flags=<optimized out>, data=..., gap_size=0) at src/filetracker.rs:307 is_gap = <optimized out> consumed = 0
#10 0x00005608f79ae8ef in suricata::smb::smb::SMBState::filetracker_update (self=<optimized out>, direction=<optimized out>, data=..., gap_size=4067404584) at src/smb/files.rs:214 file_data = &[u8] {data_ptr: 0x7f711d789000, length: 18736} tdf = <optimized out> tx = <optimized out> files = 0x7f72dcd446f0 flags = 8790 ssn_gap = <optimized out> data_to_handle_len = 18736 file_handle = alloc::vec::Vec<u8, alloc::alloc::Global> {buf: alloc::raw_vec::RawVec<u8, alloc::alloc::Global> {ptr: core::ptr::unique::Unique<u8> {pointer: 0x7f72f0129ae0, _marker: core::marker::PhantomData<u8>}, cap: 16, alloc: alloc::alloc::Global}, len: 16} chunk_left = <optimized out>
#11 0x00005608f79aaf7c in suricata::smb::smb::SMBState::parse_tcp_data_ts (self=0x7f72dcd44600, i=...) at src/smb/smb.rs:1388 consumed = <optimized out> cur_i = &[u8] {data_ptr: 0x7f711d789000, length: 18736}
#12 0x00005608f79ac782 in suricata::smb::smb::rs_smb_parse_request_tcp (flow=flow@entry=0x7f72b0c78e80, state=state@entry=0x7f72dcd44600, _pstate=_pstate@entry=0x7f72f011a8a0, input=input@entry=0x7f711d789000, input_len=input_len@entry=18736, _data=_data@entry=0x0, flags=4) at src/smb/smb.rs:1901 buf = &[u8] {data_ptr: 0x7f711d789000, length: 18736}
#13 0x00005608f77896bc in SMBTCPParseRequest (flags=4 '\004', local_data=0x0, input_len=18736, input=0x7f711d789000 "", pstate=0x7f72f011a8a0, state=0x7f72dcd44600, f=0x7f72b0c78e80) at app-layer-smb.c:46 res = {status = 0, consumed = 0, needed = 1} file_flags = <optimized out> res = <optimized out>
#14 SMBTCPParseRequest (f=0x7f72b0c78e80, state=0x7f72dcd44600, pstate=0x7f72f011a8a0, input=0x7f711d789000 "", input_len=18736, local_data=0x0, flags=4 '\004') at app-layer-smb.c:33 file_flags = <optimized out> res = <optimized out>
#15 0x00005608f7788496 in AppLayerParserParse (tv=tv@entry=0x7f732a1e6680, alp_tctx=0x7f72efd39800, f=f@entry=0x7f72b0c78e80, alproto=8, flags=4 '\004', input=input@entry=0x7f711d789000 "", input_len=18736) at app-layer-parser.c:1310 res = <optimized out> pstate = 0x7f72f011a8a0 p = <optimized out> alstate = 0x7f72dcd44600 p_tx_cnt = 2427 consumed = 18736 direction = 0 cur_tx_cnt = <optimized out>
#16 0x00005608f7761d4e in AppLayerHandleTCPData (tv=tv@entry=0x7f732a1e6680, ra_ctx=ra_ctx@entry=0x7f72f1bff040, p=p@entry=0x7f72efd1a600, f=0x7f72b0c78e80, ssn=ssn@entry=0x7f72f00b8340, stream=stream@entry=0x7f72f26faff8, data=0x7f711d789000 "", data_len=18736, flags=4 '\004') at app-layer.c:724 app_tctx = <optimized out> alproto = <optimized out> r = 0 end = <optimized out> direction = 0 failure = <optimized out>
#17 0x00005608f7870cd9 in ReassembleUpdateAppLayer (dir=UPDATE_DIR_OPPOSING, p=0x7f72efd1a600, stream=0x7f72f26faff8, ssn=0x7f72f00b8340, ra_ctx=0x7f72f1bff040, tv=0x7f732a1e6680) at stream-tcp-reassemble.c:1202 flags = <optimized out> check_for_gap_ahead = <optimized out> new_app_progress = <optimized out> mydata = 0x7f711d789000 "" mydata_len = 18736 app_progress = 3877259096 gap_ahead = <optimized out> last_was_gap = false app_progress = <optimized out> mydata = <optimized out> mydata_len = <optimized out> gap_ahead = <optimized out> last_was_gap = <optimized out> flags = <optimized out> check_for_gap_ahead = <optimized out> new_app_progress = <optimized out> r = <optimized out> no_progress_update = <optimized out>
#18 StreamTcpReassembleAppLayer (tv=tv@entry=0x7f732a1e6680, ra_ctx=ra_ctx@entry=0x7f72f1bff040, ssn=ssn@entry=0x7f72f00b8340, stream=<optimized out>, stream@entry=0x7f72f00b83d8, p=p@entry=0x7f72efd1a600, dir=dir@entry=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1265 No locals.
#19 0x00005608f7871ba9 in StreamTcpReassembleHandleSegmentUpdateACK (p=<optimized out>, stream=<optimized out>, ssn=<optimized out>, ra_ctx=<optimized out>, tv=<optimized out>) at stream-tcp-reassemble.c:1834 No locals.
#20 StreamTcpReassembleHandleSegment (tv=tv@entry=0x7f732a1e6680, ra_ctx=0x7f72f1bff040, ssn=ssn@entry=0x7f72f00b8340, stream=0x7f72f00b8350, p=p@entry=0x7f72efd1a600, pq=pq@entry=0x7f72f19ff048) at stream-tcp-reassemble.c:1883 opposing_stream = 0x7f72f00b83d8 reversed_before_ack_handling = <optimized out> reversed_after_ack_handling = <optimized out> dir = UPDATE_DIR_OPPOSING
#21 0x00005608f7865252 in HandleEstablishedPacketToClient (pq=<optimized out>, stt=<optimized out>, p=<optimized out>, ssn=<optimized out>, tv=<optimized out>) at stream-tcp.c:2502 zerowindowprobe = <optimized out> zerowindowprobe = <optimized out> ack_diff = <optimized out> ack_diff = <optimized out> ack_diff = <optimized out> ack_diff = <optimized out> sacked_size__ = <optimized out>
#22 StreamTcpPacketStateEstablished (tv=tv@entry=0x7f732a1e6680, p=p@entry=0x7f72efd1a600, stt=stt@entry=0x7f72f19ff040, ssn=ssn@entry=0x7f72f00b8340, pq=0x7f72f19ff048) at stream-tcp.c:2735 No locals.
#23 0x00005608f786ae31 in StreamTcpStateDispatch (state=<optimized out>, pq=0x7f72f19ff048, ssn=0x7f72f00b8340, stt=0x7f72f19ff040, p=0x7f72efd1a600, tv=0x7f732a1e6680) at stream-tcp.c:4744 No locals.
#24 StreamTcpPacket (tv=0x7f732a1e6680, p=p@entry=0x7f72efd1a600, stt=stt@entry=0x7f72f19ff040, pq=0x7f72efd3d030) at stream-tcp.c:4929 ssn = 0x7f72f00b8340 error = <optimized out>
#25 0x00005608f786b3df in StreamTcp (tv=tv@entry=0x7f732a1e6680, p=p@entry=0x7f72efd1a600, data=0x7f72f19ff040, pq=pq@entry=0x7f72efd3d030) at stream-tcp.c:5270 stt = 0x7f72f19ff040
#26 0x00005608f78205a0 in FlowWorkerStreamTCPUpdate (timeout=false, detect_thread=0x7f72f00d0000, p=0x7f72efd1a600, fw=0x7f72efd3d000, tv=0x7f732a1e6680) at flow-worker.c:370 x = <optimized out> x = <optimized out>
#27 FlowWorker (tv=0x7f732a1e6680, p=0x7f72efd1a600, data=0x7f72efd3d000) at flow-worker.c:535 fw = 0x7f72efd3d000 detect_thread = 0x7f72f00d0000
Updated by Victor Julien about 2 years ago
- Related to Security #5700: SCRealloc of large chunk crashes Suricata added
Updated by Victor Julien about 2 years ago
- Related to Bug #4863: suricata segfault on smb packet added
Updated by Victor Julien about 2 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
- Priority changed from Normal to High
- Target version changed from TBD to 7.0.0-rc1
I can reproduce this with a (large) single flow smb pcap:
23/11/2022 -- 07:18:10 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used
=================================================================
==1417393==ERROR: AddressSanitizer: unknown-crash on address 0x800032fde800 at pc 0x5555558dd7dc bp 0x7fffeb482f50 sp 0x7fffeb482720
WRITE of size 2948595712 at 0x800032fde800 thread T1 (W#01)
[Detaching after fork from child process 1417434]
    #0 0x5555558dd7db in __asan_memset (/home/victor/sync/devel/eidps/src/suricata+0x3897db) (BuildId: c3afc72044cbe2e282beb441b8bc569ff7102676)
    #1 0x555555ead853 in Grow /home/victor/devel/eidps/src/util-streaming-buffer.c:488:5
    #2 0x555555eae2c7 in StreamingBufferAppendNoTrack /home/victor/devel/eidps/src/util-streaming-buffer.c:623:21
    #3 0x555555e0debd in AppendData /home/victor/devel/eidps/src/util-file.c:660:9
    #4 0x555555e0c4b6 in FileAppendDataDo /home/victor/devel/eidps/src/util-file.c:753:13
    #5 0x555555e0c6a3 in FileAppendDataById /home/victor/devel/eidps/src/util-file.c:809:21
    #6 0x55555608801a in suricata::filecontainer::FileContainer::file_append::hafa9a2b52833c43d /home/victor/devel/eidps/rust/src/filecontainer.rs
    #7 0x55555608801a in suricata::filetracker::FileTransferTracker::update::h0b97404b5eb1ca72 /home/victor/devel/eidps/rust/src/filetracker.rs:296:31
    #8 0x55555614f1b7 in suricata::smb::files::_$LT$impl$u20$suricata..smb..smb..SMBState$GT$::filetracker_update::hbd6873bfb88eba3e /home/victor/devel/eidps/rust/src/smb/files.rs:173:30
    #9 0x555556130c5c in suricata::smb::smb::SMBState::parse_tcp_data_tc::h590b53b1b881a755 /home/victor/devel/eidps/rust/src/smb/smb.rs:1683:24
    #10 0x555556131db3 in rs_smb_parse_response_tcp /home/victor/devel/eidps/rust/src/smb/smb.rs:2002:5
    #11 0x5555559ef81c in AppLayerParserParse /home/victor/devel/eidps/src/app-layer-parser.c:1374:30
    #12 0x55555599b894 in AppLayerHandleTCPData /home/victor/devel/eidps/src/app-layer.c:770:17
    #13 0x555555dd83f9 in ReassembleUpdateAppLayer /home/victor/devel/eidps/src/stream-tcp-reassemble.c:1279:15
    #14 0x555555dd657c in StreamTcpReassembleAppLayer /home/victor/devel/eidps/src/stream-tcp-reassemble.c:1343:12
    #15 0x555555dddd97 in StreamTcpReassembleHandleSegmentUpdateACK /home/victor/devel/eidps/src/stream-tcp-reassemble.c:1920:9
    #16 0x555555ddd8cd in StreamTcpReassembleHandleSegment /home/victor/devel/eidps/src/stream-tcp-reassemble.c:1969:13
    #17 0x555555daf61a in HandleEstablishedPacketToServer /home/victor/devel/eidps/src/stream-tcp.c:2383:9
    #18 0x555555d77f03 in StreamTcpPacketStateEstablished /home/victor/devel/eidps/src/stream-tcp.c:2840:13
    #19 0x555555d5ab2a in StreamTcpStateDispatch /home/victor/devel/eidps/src/stream-tcp.c:4874:17
    #20 0x555555d517b3 in StreamTcpPacket /home/victor/devel/eidps/src/stream-tcp.c:5066:13
    #21 0x555555d5bb83 in StreamTcp /home/victor/devel/eidps/src/stream-tcp.c:5399:11
    #22 0x555555c6c4e1 in FlowWorkerStreamTCPUpdate /home/victor/devel/eidps/src/flow-worker.c:379:5
    #23 0x555555c6b26d in FlowWorker /home/victor/devel/eidps/src/flow-worker.c:548:9
    #24 0x55555592d68c in TmThreadsSlotVarRun /home/victor/devel/eidps/src/tm-threads.c:118:21
    #25 0x555555d4c8ff in TmThreadsSlotProcessPkt /home/victor/devel/eidps/src/./tm-threads.h:191:17
    #26 0x555555d4b8e8 in PcapFileCallbackLoop /home/victor/devel/eidps/src/source-pcap-file-helper.c:110:9
    #27 0x7ffff75ebc53 (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x2bc53) (BuildId: 2703e8aa153a5848770e5e1a18b14a1493204c07)
    #28 0x555555d4a923 in PcapFileDispatch /home/victor/devel/eidps/src/source-pcap-file-helper.c:155:17
    #29 0x555555d455b5 in ReceivePcapFileLoop /home/victor/devel/eidps/src/source-pcap-file.c:180:18
    #30 0x5555559399a7 in TmThreadsSlotPktAcqLoop /home/victor/devel/eidps/src/tm-threads.c:310:13
    #31 0x7ffff73aeb42 in start_thread nptl/./nptl/pthread_create.c:442:8
    #32 0x7ffff74409ff misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Updated by Victor Julien about 2 years ago
- Subject changed from Suricata crashes inside of Grow to smb: crash inside of streaming bufffer Grow()
Updated by Jeff Lucovsky about 2 years ago
- Subject changed from smb: crash inside of streaming bufffer Grow() to smb: crash inside of streaming buffer Grow()
Updated by Victor Julien about 2 years ago
- Status changed from Assigned to In Review
- Label Needs backport to 6.0 added
Updated by Victor Julien about 2 years ago
Rules | Affected
---|---
ET open | no
ET pro | no
-S /dev/null | yes
--disable-detection | no
at least one rule with file.data as fast_pattern | no
ruleset w/o file.data | yes
ruleset with file.data, but none are fast_pattern | yes

For file.data rules it is irrelevant if they specify alert smb, alert tcp, alert http, etc. As long as there are rules that have file.data as fast pattern there is no issue.
Updated by Victor Julien about 2 years ago
- Related to Security #5712: tcp: crafted packets lead to resource starvation added
Updated by Victor Julien about 2 years ago
- Status changed from In Review to Resolved
Updated by Victor Julien about 2 years ago
- Status changed from Resolved to Closed
Updated by Victor Julien about 2 years ago
- Label deleted (Needs backport to 6.0)
Updated by Victor Julien almost 2 years ago
- Related to Optimization #5782: smb: set defaults for file chunk limits added
Updated by Victor Julien almost 2 years ago
- Related to Bug #5781: smb: unbounded file chunk queuing after gap added