Project

General

Profile

Actions

Bug #6305

closed

drop: assertion failed !(PKT_IS_PSEUDOPKT(p)) && !PacketCheckAction(p, ACTION_DROP)

Added by Philippe Antoine over 1 year ago. Updated 9 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62147&q=label%3AProj-suricata

Reproducer is with rule

drop http any any -> any any (msg:"Malicious_mse flowbit"; sid:1; rev:1;)

./src/suricata -S drop.rules -r drop3.pcap -c suricata.yaml -k none --set stream.midstream=true

Assertion was added by commit 95bf7248e85


Files

drop3.pcap (1.19 KB) drop3.pcap Philippe Antoine, 09/11/2023 08:15 AM

Subtasks 2 (0 open2 closed)

Bug #6530: drop: assertion failed !(PKT_IS_PSEUDOPKT(p)) && !PacketCheckAction(p, ACTION_DROP) (6.0.x backport)ClosedPhilippe AntoineActions
Bug #6538: drop: assertion failed !(PKT_IS_PSEUDOPKT(p)) && !PacketCheckAction(p, ACTION_DROP) (7.0.x backport)ClosedPhilippe AntoineActions
Actions #1

Updated by Philippe Antoine about 1 year ago

This is a HTTP1->HTTP2 upgrade

Actions #2

Updated by Philippe Antoine about 1 year ago

Timeline is
- packet 1 is processed (of the TCP flow) : nothing happens (waiting for ACK...)
- packet 2 is processed
- parsing packet 1
- generating app-layer-protocol change
- In FlowWorkerStreamTCPUpdate FlowChangeProto is true and StreamTcpDetectLogFlush is called, this creates pseudo packets to log the HTTP1 part of the packet, and then going on with HTTP2
- while dequeuing and processing Detect on these pseudo packets, we are setting flow action drop ie f->flags |= FLOW_ACTION_DROP;
- we then run Detect on the second packet, but we did not have the chance to call FlowHandlePacketUpdate which checks the flow flags to set the packet action

Actions #3

Updated by Philippe Antoine about 1 year ago

  • Status changed from New to In Review
Actions #4

Updated by Victor Julien about 1 year ago

  • Assignee changed from Victor Julien to Philippe Antoine
Actions #5

Updated by Victor Julien about 1 year ago

  • Target version changed from 7.0.2 to 7.0.3
Actions #6

Updated by Victor Julien about 1 year ago

  • Target version changed from 7.0.3 to 8.0.0-beta1
  • Label Needs backport to 6.0, Needs backport to 7.0 added
Actions #7

Updated by OISF Ticketbot about 1 year ago

  • Subtask #6530 added
Actions #8

Updated by OISF Ticketbot about 1 year ago

  • Label deleted (Needs backport to 6.0)
Actions #9

Updated by OISF Ticketbot about 1 year ago

  • Subtask #6538 added
Actions #10

Updated by OISF Ticketbot about 1 year ago

  • Label deleted (Needs backport to 7.0)
Actions #12

Updated by Philippe Antoine 9 months ago

  • Status changed from In Review to Resolved
Actions #13

Updated by Philippe Antoine 9 months ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF