Bug #6957

closed

Assert: BUG_ON(id <= 0 || id > (int)thread_store.threads_size);

Added by Jeff Lucovsky 9 months ago. Updated 9 months ago.

Status: Closed
Priority: Normal

Description

Creating a new issue for the problem first seen in issue https://redmine.openinfosecfoundation.org/issues/6835

Recurring crash with the same stack:

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f518f79a71e in __GI_abort () at abort.c:79
#2  0x00007f518f791dfa in __assert_fail_base (fmt=0x7f518f8ec508 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
    assertion=assertion@entry=0x559a7ac87610 "!(id <= 0 || id > (int)thread_store.threads_size)", file=file@entry=0x559a7ac87689 "tm-threads.c",
    line=line@entry=2306, function=function@entry=0x559a7ac877d0 <__PRETTY_FUNCTION__.0> "TmThreadsInjectFlowById") at assert.c:92
#3  0x00007f518f791e72 in __GI___assert_fail (assertion=assertion@entry=0x559a7ac87610 "!(id <= 0 || id > (int)thread_store.threads_size)",
    file=file@entry=0x559a7ac87689 "tm-threads.c", line=line@entry=2306,
    function=function@entry=0x559a7ac877d0 <__PRETTY_FUNCTION__.0> "TmThreadsInjectFlowById") at assert.c:101
#4  0x0000559a7a67af52 in TmThreadsInjectFlowById (f=<optimized out>, id=<optimized out>) at tm-threads.c:2306
#5  0x0000559a7a723aba in FlowForceReassemblyForFlow (f=<optimized out>) at flow-timeout.c:358
#6  0x0000559a7a7206c8 in ProcessAsideQueue (td=td@entry=0x7f50d5e00030, counters=counters@entry=0x7f50d6afcab0) at flow-manager.c:280
#7  0x0000559a7a7210f2 in FlowTimeoutHash (td=td@entry=0x7f50d5e00030, ts=..., ts@entry=..., hash_min=<optimized out>, hash_max=<optimized out>,
    counters=counters@entry=0x7f50d6afcab0) at flow-manager.c:459
#8  0x0000559a7a721a2c in FlowTimeoutHashInChunks (pos=<synthetic pointer>, rows=3601844912, counters=0x7f50d6afcab0, hash_max=<optimized out>,
    hash_min=<optimized out>, ts=..., td=0x7f50d5e00030) at flow-manager.c:499
#9  FlowManager (th_v=0x7f515d47bd80, thread_data=<optimized out>) at flow-manager.c:829
#10 0x0000559a7a678eb3 in TmThreadsManagement (td=0x7f515d47bd80) at tm-threads.c:567
#11 0x00007f518f2f2f3e in start_thread (arg=0x7f50d6aff640) at pthread_create.c:463
#12 0x00007f518f85c14f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Values from the flow structure:

(gdb) p *f
$15 = {src = {address = {address_un_data32 = {950402176, 0, 0, 0}, address_un_data16 = {64640, 14501, 0, 0, 0, 0, 0, 0},
      address_un_data8 = "\200\374\245\070", '\000' <repeats 11 times>}}, dst = {address = {address_un_data32 = {1973319267, 0, 0, 0}, address_un_data16 = {
        30307, 30110, 0, 0, 0, 0, 0, 0}, address_un_data8 = "cv\236u", '\000' <repeats 11 times>}}, {sp = 443, icmp_s = {type = 187 '\273',
      code = 1 '\001'}, esp = {spi = 443}}, {dp = 53408, icmp_d = {type = 160 '\240', code = 208 '\320'}}, proto = 6 '\006', recursion_level = 0 '\000',
  vlan_id = {3882, 0, 0}, vlan_idx = 1 '\001', {{ffr_ts = 1 '\001', ffr_tc = 1 '\001'}, ffr = 17 '\021'}, timeout_at = 1712769999, thread_id = {0, 7},
  next = 0x0, livedev = 0x0, flow_hash = 83288218, timeout_policy = 5, lastts = {secs = 1712769994, usecs = 260510}, flow_state = 0, tenant_id = 0,
  probing_parser_toserver_alproto_masks = 0, probing_parser_toclient_alproto_masks = 0, flags = 68157977, file_flags = 2730, protodetect_dp = 0,
  parent_id = 0, m = {__data = {__lock = 1, __count = 0, __owner = 15910, __nusers = 1, __kind = 0, __spins = 0, __elision = 0, __list = {__prev = 0x0,
        __next = 0x0}}, __size = "\001\000\000\000\000\000\000\000&>\000\000\001", '\000' <repeats 26 times>, __align = 1}, protoctx = 0x7ff8ce872440,
  protomap = 0 '\000', flow_end_flags = 16 '\020', alproto = 0, alproto_ts = 0, alproto_tc = 0, alproto_orig = 0, alproto_expect = 0, de_ctx_version = 99,
  min_ttl_toserver = 48 '0', max_ttl_toserver = 255 '\377', min_ttl_toclient = 107 'k', max_ttl_toclient = 64 '@', alparser = 0x0, alstate = 0x0,
  sgh_toclient = 0x7ffbaba7adf0, sgh_toserver = 0x0, flowvar = 0x0, fb = 0x0, startts = {secs = 1712769991, usecs = 170173}, todstpktcnt = 1,
  tosrcpktcnt = 1, todstbytecnt = 102, tosrcbytecnt = 74}
(gdb) print *(TcpSession *)(f->protoctx)
$16 = {pool_id = 6, state = 3 '\003', pstate = 0 '\000', queue_len = 0 '\000', data_first_seen_dir = 0 '\000', tcp_packet_flags = 18 '\022', flags = 1029,
  reassembly_depth = 1048576, server = {flags = 0, wscale = 14, os_policy = 0 '\000', tcp_flags = 18 '\022', isn = 3159928303, next_seq = 3159928304,
    last_ack = 3159928303, next_win = 3159942103, window = 13800, last_ts = 0, last_pkt_ts = 0, base_seq = 3159928304, app_progress_rel = 0,
    raw_progress_rel = 0, log_progress_rel = 0, min_inspect_depth = 0, data_required = 0, sb = {region = {buf = 0x0, buf_size = 0, buf_offset = 0,
        stream_offset = 0, next = 0x0}, sbb_tree = {rbh_root = 0x0}, head = 0x0, sbb_size = 0, regions = 1, max_regions = 1}, seg_tree = {rbh_root = 0x0},
    segs_right_edge = 0, sack_size = 0, sack_tree = {rbh_root = 0x0}}, client = {flags = 0, wscale = 2, os_policy = 0 '\000', tcp_flags = 0 '\000',
    isn = 3674734601, next_seq = 3674734602, last_ack = 3674734602, next_win = 0, window = 0, last_ts = 0, last_pkt_ts = 0, base_seq = 3674734602,
    app_progress_rel = 0, raw_progress_rel = 0, log_progress_rel = 0, min_inspect_depth = 0, data_required = 0, sb = {region = {buf = 0x0, buf_size = 0,
        buf_offset = 0, stream_offset = 0, next = 0x0}, sbb_tree = {rbh_root = 0x0}, head = 0x0, sbb_size = 0, regions = 1, max_regions = 1}, seg_tree = {
      rbh_root = 0x0}, segs_right_edge = 0, sack_size = 0, sack_tree = {rbh_root = 0x0}}, queue = 0x0}
(gdb) p/t $2->flags
$5 = 100 0000 0101
0 streamtcp_flag_midstream
2 streamtcp_flag_midstream_synack
10  streamtcp_flag_sackok
/* per flow flags */
(gdb) p/t f->flags
$1 = 100000100000000001000011001
0 flow_to_src seen
3 flow_toserver_iponly_set
4 flow_toclient_iponly_set
9 flow_sgh_toclient
20 flow_ipv4
26 flow_dir_reversed

Note the flow's thread_id slot: thread_id = {0, 7} and the byte/packet counts: todstpktcnt = 1,
tosrcpktcnt = 1, todstbytecnt = 102, tosrcbytecnt = 74
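As an added illustration (not Suricata's code), the small C program below reproduces the range check that the failing assertion expresses, applies it to both entries of the flow's thread_id slot quoted above, and decodes the two flag words from the gdb dump into their set bit positions so they can be compared against the bit numbers listed in the report. The value of thread_store.threads_size is not on this page; the 8 used here is an assumed value for illustration only, and any id of 0 fails the check regardless of it.

```c
#include <stdio.h>
#include <stdint.h>

/* Mirrors the condition from the assertion in the backtrace:
 *   BUG_ON(id <= 0 || id > (int)thread_store.threads_size);
 * Returns 1 when id would pass the check, 0 when the BUG_ON would fire. */
int thread_id_passes_check(int id, int threads_size)
{
    return !(id <= 0 || id > threads_size);
}

/* Lists the set bit positions of a 32-bit flag word, lowest first.
 * Returns the number of positions written to out. */
int set_bit_positions(uint32_t value, int *out, int max_out)
{
    int n = 0;
    for (int bit = 0; bit < 32 && n < max_out; bit++) {
        if (value & (1u << bit))
            out[n++] = bit;
    }
    return n;
}

/* Returns 1 if value has exactly the bits listed in expected set, else 0. */
int has_exactly_bits(uint32_t value, const int *expected, int count)
{
    uint32_t mask = 0;
    for (int i = 0; i < count; i++)
        mask |= 1u << expected[i];
    return value == mask;
}

int main(void)
{
    /* Values copied from the report: thread_id = {0, 7}, f->flags = 68157977,
     * TcpSession flags = 1029. threads_size is NOT on the page; 8 is assumed. */
    const int thread_id[2] = {0, 7};
    const int assumed_threads_size = 8;

    for (int slot = 0; slot < 2; slot++) {
        printf("thread_id[%d] = %d -> %s\n", slot, thread_id[slot],
               thread_id_passes_check(thread_id[slot], assumed_threads_size)
                   ? "passes range check" : "would trigger BUG_ON");
    }

    int bits[32];
    int n = set_bit_positions(68157977u, bits, 32);
    printf("f->flags set bits:");
    for (int i = 0; i < n; i++) printf(" %d", bits[i]);
    printf("\n");

    n = set_bit_positions(1029u, bits, 32);
    printf("TcpSession flags set bits:");
    for (int i = 0; i < n; i++) printf(" %d", bits[i]);
    printf("\n");
    return 0;
}
```

Running it shows slot 0 (value 0) failing the `id <= 0` half of the check while slot 1 (value 7) passes, and decodes 68157977 to bits 0, 3, 4, 9, 20, 26 and 1029 to bits 0, 2, 10, matching the annotations in the report.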


Subtasks (1: 0 open, 1 closed)

Bug #6958: Assert: BUG_ON(id <= 0 || id > (int)thread_store.threads_size); (7.0.x backport) (Closed, Jeff Lucovsky)

Related issues (1: 0 open, 1 closed)

Related to Suricata - Bug #6835: BUG_ON triggered from TmThreadsInjectFlowById (Closed, Jeff Lucovsky)