Bug #6305
Closed
drop: assertion failed !(PKT_IS_PSEUDOPKT(p)) && !PacketCheckAction(p, ACTION_DROP)
Description
Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62147&q=label%3AProj-suricata
Reproducer is with rule
drop http any any -> any any (msg:"Malicious_mse flowbit"; sid:1; rev:1;)
./src/suricata -S drop.rules -r drop3.pcap -c suricata.yaml -k none --set stream.midstream=true
Assertion was added by commit 95bf7248e85
Updated by Philippe Antoine about 1 year ago
Timeline is
- packet 1 is processed (of the TCP flow) : nothing happens (waiting for ACK...)
- packet 2 is processed
- parsing packet 1
- generating app-layer-protocol change
- In FlowWorkerStreamTCPUpdate, FlowChangeProto is true and StreamTcpDetectLogFlush is called, this creates pseudo packets to log the HTTP1 part of the packet, and then going on with HTTP2
- while dequeuing and processing Detect on these pseudo packets, we are setting flow action drop, i.e. f->flags |= FLOW_ACTION_DROP;
- we then run Detect on the second packet, but we did not have the chance to call FlowHandlePacketUpdate, which checks the flow flags to set the packet action
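The ordering in the timeline above, reduced to a small state model. This is an added example, not Suricata code and not the project's fix: the `Model*` types, the `model_*` functions and the flag values are hypothetical, and it assumes the asserted condition is only evaluated once the flow carries FLOW_ACTION_DROP.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model; names and values below are constructed for illustration. */
#define FLOW_ACTION_DROP 0x01u
#define ACTION_DROP      0x01u

typedef struct { uint32_t flags; } ModelFlow;
typedef struct { ModelFlow *flow; uint8_t action; bool pseudo; } ModelPacket;

/* Models what the page says FlowHandlePacketUpdate does: read the flow
 * flags and set the packet action accordingly. */
static void model_flow_update(ModelPacket *p) {
    if (p->flow->flags & FLOW_ACTION_DROP) p->action |= ACTION_DROP;
}

/* Detect on a pseudo packet: the drop rule matches and marks the flow. */
static void model_detect_pseudo(ModelPacket *pp) {
    pp->flow->flags |= FLOW_ACTION_DROP;
}

/* Condition from the bug title, assumed to be checked only on a flow that
 * is already marked drop. True means the assertion would fire. */
static bool model_assert_fires(const ModelPacket *p) {
    if (!(p->flow->flags & FLOW_ACTION_DROP)) return false;
    return !p->pseudo && !(p->action & ACTION_DROP);
}

/* One worker pass for the real packet (packet 2 in the timeline).
 * resync=false follows the order in the timeline; resync=true repeats the
 * flow-to-packet copy after the pseudo packets were processed. */
static bool model_worker(bool resync) {
    ModelFlow f = { 0 };
    ModelPacket p2 = { &f, 0, false };
    model_flow_update(&p2);               /* flow still clean: no action set */
    ModelPacket pseudo = { &f, 0, true }; /* created by the protocol-change flush */
    model_detect_pseudo(&pseudo);         /* flow now carries FLOW_ACTION_DROP */
    if (resync) model_flow_update(&p2);
    return model_assert_fires(&p2);       /* Detect on packet 2 */
}

int main(void) {
    printf("timeline order: assertion fires = %d\n", model_worker(false));
    printf("with re-sync:   assertion fires = %d\n", model_worker(true));
    return 0;
}
```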
Updated by Philippe Antoine about 1 year ago
- Status changed from New to In Review
Updated by Victor Julien about 1 year ago
- Assignee changed from Victor Julien to Philippe Antoine
Updated by Victor Julien about 1 year ago
- Target version changed from 7.0.2 to 7.0.3
Updated by Victor Julien 12 months ago
- Target version changed from 7.0.3 to 8.0.0-beta1
- Label Needs backport to 6.0, Needs backport to 7.0 added
Updated by Philippe Antoine 8 months ago
- Status changed from In Review to Resolved
Updated by Philippe Antoine 8 months ago
- Status changed from Resolved to Closed