Bug #5834 [closed]
tcp/regions: list corruption
Affected Versions:
Effort:
Difficulty:
Label:
Description
suricata: util-streaming-buffer.c:959: void Validate(const StreamingBuffer *): Assertion `!(bail)' failed.
--Type <RET> for more, q to quit, c to continue without paging--
Thread 57 "W#55" received signal SIGABRT, Aborted.
[Switching to Thread 0x7fffd0728700 (LWP 1707941)]
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff6a91859 in __GI_abort () at abort.c:79
#2 0x00007ffff6a91729 in __assert_fail_base (fmt=0x7ffff6c27588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x126c9c0 <str> "!(bail)", file=0x126b580 <str> "util-streaming-buffer.c", line=959, function=<optimized out>) at assert.c:92
#3 0x00007ffff6aa2fd6 in __GI___assert_fail (assertion=0x126c9c0 <str> "!(bail)", file=0x126b580 <str> "util-streaming-buffer.c", line=959, function=0x126c860 <__PRETTY_FUNCTION__.Validate> "void Validate(const StreamingBuffer *)") at assert.c:101
#4 0x0000000000b8525e in Validate (sb=0x61200304ef88) at util-streaming-buffer.c:959
#5 0x0000000000b75c2c in ListRegions (sb=0x61200304ef88) at util-streaming-buffer.c:999
#6 0x0000000000b7b9b8 in StreamingBufferInsertAt
Introduced in rc1, no backport needed.
Files
Updated by Philippe Antoine over 1 year ago
- File repro.pcap added
Reproducer works with fuzzing configuration
%YAML 1.1
---
pcap-file:
  checksum-checks: no
stream:
  checksum-validation: no
  midstream: true
outputs:
  - fast:
      enabled: yes
      filename: /dev/null
  - eve-log:
      enabled: yes
      filetype: regular
      filename: /dev/null
      xff:
        enabled: yes
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
      types:
        - alert:
            payload: yes
            payload-printable: yes
            packet: yes
            metadata: yes
            http-body: yes
            http-body-printable: yes
            tagged-packets: yes
        - anomaly:
            enabled: yes
            types:
              decode: yes
              stream: yes
              applayer: yes
            packethdr: yes
        - http:
            extended: yes
            dump-all-headers: both
        - dns
        - tls:
            extended: yes
            session-resumption: yes
        - files
        - smtp:
            extended: yes
        - dnp3
        - ftp
        - rdp
        - nfs
        - smb
        - tftp
        - ike
        - krb5
        - snmp
        - rfb
        - sip
        - dhcp:
            enabled: yes
            extended: yes
        - ssh
        - pgsql
        - flow
        - netflow
        - metadata
  - http-log:
      enabled: yes
      filename: /dev/null
      extended: yes
  - tls-log:
      enabled: yes
      filename: /dev/null
      extended: yes
  - file-store:
      version: 2
      enabled: yes
      force-filestore: yes
app-layer:
  protocols:
    rdp:
      enabled: yes
    template:
      enabled: yes
    template-rust:
      enabled: yes
    modbus:
      enabled: yes
      detection-ports:
        dp: 502
    dnp3:
      enabled: yes
      detection-ports:
        dp: 20000
    enip:
      enabled: yes
      detection-ports:
        dp: 44818
    sip:
      enabled: yes
    ssh:
      enabled: yes
      hassh: yes
    mqtt:
      enabled: yes
    pgsql:
      enabled: yes
    http2:
      enabled: yes
    quic:
      enabled: yes
./src/suricata -c fuzz.yaml -k none -r repro.pcap
gets me to Assertion failed: (!(bail)), function Validate, file util-streaming-buffer.c, line 959.
Updated by Philippe Antoine over 1 year ago
Found by oss-fuzz as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55574&q=label%3AProj-suricata
Updated by Victor Julien over 1 year ago
- Status changed from In Progress to Closed
Updated by Philippe Antoine over 1 year ago
- File repro.pcap added
- Status changed from Closed to Assigned
oss-fuzz issue is still open
Still reproducing locally with config file
%YAML 1.1
---
stream:
  midstream: true
and attached file
suricata -r repro.pcap -c src/tests/fuzz/conf.yaml -k none
Updated by Philippe Antoine over 1 year ago
- Priority changed from Normal to High
@Victor Julien are you in this one?
Updated by Victor Julien over 1 year ago
- Related to Bug #6041: ASSERT: !(sb->region.buf_offset != 0) added
Updated by Victor Julien over 1 year ago
- Related to Bug #6066: Memory Corruption in util-streaming-buffer added
Updated by Victor Julien over 1 year ago
- Status changed from Assigned to Closed
- Priority changed from High to Normal