Bug #69
closeddouble free inside of DCERPCStateFree
Description
ulimit -c unlimited; src/suricata -c suricata.yaml -r ./3327-12-5.pcap-fuzz-2010-01-24-07-57-36 -l ./
Core was generated by `src/suricata -c suricata.yaml -r ./3327-12-5.pcap-fuzz-2010-01-24-07-57-36 -l .'.
Program terminated with signal 6, Aborted.
#0 0x00007fe2d43ab4b5 in *GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
in ../nptl/sysdeps/unix/sysv/linux/raise.c
#0 0x00007fe2d43ab4b5 in *_GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
pid = <value optimized out>
selftid = <value optimized out>
#1 0x00007fe2d43aef50 in *_GI_abort () at abort.c:92
act = {__sigaction_handler = {sa_handler = 0x30000000a,
sa_sigaction = 0x30000000a}, sa_mask = {__val = {
140733579730560,
140733579730416,
140733579730608,
140733579740612,
12,
140612201012639,
3,
140733579730618,
6,
140612201012643
,
2,
140733579730606,
2,
140612201003761,
1,
140612201012639}},
sa_flags = 3,
sa_restorer = 0x7fff17071eb4}
sigs = {__val = {
32,
0 <repeats 15 times>}}
#2 0x00007fe2d43e3c97 in _libc_message (do_abort=<value optimized out>, fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
ap = {{
gp_offset = 40,
fp_offset = 48, overflow_arg_area = 0x7fff17072820,
reg_save_area = 0x7fff17072730}}
ap_copy = {{
gp_offset = 16,
fp_offset = 48, overflow_arg_area = 0x7fff17072820,
reg_save_area = 0x7fff17072730}}
fd = 3
on_2 = <value optimized out>
list = <value optimized out>
nlist = 0
cp = <value optimized out>
written = false
#3 0x00007fe2d43eddd6 in malloc_printerr (action=3, str=0x7fe2d44af748 "double free or corruption (fasttop)", ptr=<value optimized out>) at malloc.c:6217
buf = "00007fe2ce4a70e0"
cp = 0x0
#4 0x00007fe2d43f274c in *_GI_libc_free (mem=<value optimized out>) at malloc.c:3716
ar_ptr = 0x7fe2cc000020
p = 0x6
#5 0x00000000004a4e13 in DCERPCStateFree (s=0x7fe2ce4a6ed0) at app-layer-dcerpc.c:1198
sstate = 0x7fe2ce4a6ed0
item = 0x7fe2ce4a70e0
#6 0x000000000049accd in AppLayerParserCleanupState (ssn=0x7fe2ccd17090) at app-layer-parser.c:876
p = 0x6f2580
#7 0x0000000000481fbd in StreamTcpSessionClear (ssnptr=0x7fe2ccd17090) at stream-tcp.c:133
ssn = 0x7fe2ccd17090
#8 0x0000000000413fd1 in FlowClearMemory (f=0xfc40c0, proto_map=1 ' ') at flow.c:745
No locals.
#9 0x00000000004139da in FlowShutdown () at flow.c:561
proto_map = 1 ' '
f = 0xfc40c0
i = 1
#10 0x000000000040562f in main (argc=9, argv=0x7fff17073088) at suricata.c:750
opt = -1
mode = 2
pcap_file = 0x7fff170745e5 "./3327-12-5.pcap-fuzz-2010-01-24-07-57-36"
pcap_dev = 0x0
pfring_dev = 0x0
sig_file = 0x7fff17074618 "/home/coz/downloads/current-all-blah.rules"
nfq_id = 0
conf_filename = 0x7fff170745d4 "suricata.yaml"
dump_config = 0
list_unittests = 0
daemon = 0
log_dir = 0xaea1a0 "./"
buf = {
st_dev = 2055,
st_ino = 28704770,
st_nlink = 7,
st_mode = 16877,
st_uid = 1000,
st_gid = 1000,
pad0 = 0,
st_rdev = 0,
st_size = 12288,
st_blksize = 4096,
st_blocks = 24, st_atim = {
tv_sec = 1264341456,
tv_nsec = 0},
st_mtim = {
tv_sec = 1264341456,
tv_nsec = 0}, st_ctim = {
tv_sec = 1264341456,
tv_nsec = 0}, __unused = {
0,
0,
0}}
long_opts = {{
name = 0x4a9cc8 "dump-config",
has_arg = 0, flag = 0x7fff17072b5c,
val = 1}, {
name = 0x4a9cd4 "pfring-int",
has_arg = 1, flag = 0x0,
val = 0}, {
name = 0x4a9cdf "pfring-clusterid",
has_arg = 1, flag = 0x0,
val = 0}, {
name = 0x4a9cf0 "unittest-filter",
has_arg = 1, flag = 0x0,
val = 85}, {
name = 0x4a9d00 "list-unittests",
has_arg = 0, flag = 0x7fff17072b58,
val = 1}, {
name = 0x4a9d0f "init-errors-fatal",
has_arg = 0,
flag = 0x0,
val = 0}, {
name = 0x4a9d21 "fatal-unittests",
has_arg = 0, flag = 0x0,
val = 0}, {name = 0x0,
has_arg = 0, flag = 0x0,
val = 0}}
option_index = 0
short_opts = "c:Dhi:l:q:r:us:U:V"
__FUNCTION = "main"
c = 255 '\377'
i = 50
de_ctx = 0x11e6ec0
start_time = {
tv_sec = 1264341543,
tv_usec = 691800}
Files