Bug #801

closed

deadlock in flowvar capture code

Added by Victor Julien over 11 years ago. Updated over 11 years ago.

Status: Closed
Priority: Normal

Description

Flowvars can be captured using pcre statements, from any buffer pcre can inspect. Problem is that the pcre match code is called both with locked and unlocked flows. Locked in case of inspection of http buffers, unlocked in case of packets and stream chunks. The flowvar storage code tries to lock the flow as well, so in the case of http buffers, we deadlock.

This affects only rules that have a construct like:

pcre:"/(?P<flow_uri>.*)/Ui";

This captures the entire uri into a flowvar called "uri".

As no public ruleset uses this, impact is low.

Actions #1

Updated by Victor Julien over 11 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

Fixed by:

commit dbe0c0eb77f400be68e24a477153c7ebf507db26
Author: Victor Julien <victor@inliniac.net>
Date:   Wed Apr 17 11:58:00 2013 +0200

    flowvar: clean up properly on signature clean up.

commit e3593ea6db6a9622362e88a75a3d63eb3d5c8aba
Author: Victor Julien <victor@inliniac.net>
Date:   Wed Apr 17 11:05:08 2013 +0200

    flowvar: add unittests for #801.

commit cfd017f3c1df82a34885b595ab54be0c00e24405
Author: Victor Julien <victor@inliniac.net>
Date:   Tue Apr 16 21:47:42 2013 +0200

    flowvar: fix deadlock with http buffers

    Bug #801

    Flowvars are set from pcre, and lock the flow when being set. However
    when HTTP buffers were inspected, flow was already locked: deadlock.

    This patch introduces a post-match list in the detection engine thread
    ctx, where store candidates are kept. Then a post-match function is used
    to finalize the storing if the rule matches.

    Solves the deadlock and brings the handling of flowvars more in line
    with flowbits and flowints.

commit dfac447969a983d880a2f0e67d7277551e520002
Author: Victor Julien <victor@inliniac.net>
Date:   Tue Apr 16 14:53:23 2013 +0200

    flowvars: update funcs to accept u16 id

    All id's are u16, but flowvar functions would only accept u8.

    Minor cleanups.

-----------------------------------------------------------------------

Summary of changes:
 src/detect-flowvar.c |  143 ++++++++++++++++++-
 src/detect-flowvar.h |    4 +
 src/detect-pcre.c    |  391 +++++++++++++++++++++++++++++++++++++++++++++++++-
 src/detect.c         |    1 +
 src/detect.h         |   13 ++
 src/flow-var.c       |   30 ++---
 src/flow-var.h       |   23 ++--
 7 files changed, 573 insertions(+), 32 deletions(-)
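
The double-lock path and the deferred-store fix described in this ticket, as an added sketch in C that is not Suricata's code. `Flow`, `ThreadCtx` and all function names are hypothetical, the flow mutex is modelled by a flag that reports a re-lock instead of hanging, and running the post-match step after the inspection lock is released is an assumption of the sketch.

```c
#include <stdio.h>

/* Model of a non-recursive flow mutex: a second lock attempt returns -1
 * where a real mutex would block the thread forever. */
typedef struct { int locked; char var[64]; } Flow;
static int  flow_lock(Flow *f)   { if (f->locked) return -1; f->locked = 1; return 0; }
static void flow_unlock(Flow *f) { f->locked = 0; }

/* Storage routine that takes the flow lock itself, as in the bug report. */
static int flowvar_store(Flow *f, const char *val) {
    if (flow_lock(f) != 0) return -1;
    snprintf(f->var, sizeof f->var, "%s", val);
    flow_unlock(f);
    return 0;
}

/* Before: HTTP buffer inspection holds the lock while the capture is stored. */
int inspect_http_before(Flow *f, const char *uri) {
    flow_lock(f);
    int r = flowvar_store(f, uri);   /* re-lock: -1 here, a hang with a real mutex */
    flow_unlock(f);
    return r;
}

/* After: the match code only queues a candidate in the per-thread context. */
#define MAX_PENDING 8
typedef struct { int n; char val[MAX_PENDING][64]; } ThreadCtx;
static int flowvar_queue(ThreadCtx *tc, const char *val) {
    if (tc->n >= MAX_PENDING) return -1;
    snprintf(tc->val[tc->n++], sizeof tc->val[0], "%s", val);
    return 0;
}

/* Post-match step: store candidates only if the rule matched, then reset.
 * Assumption of this sketch: it runs after the inspection lock is released. */
int flowvar_post_match(ThreadCtx *tc, Flow *f, int rule_matched) {
    int stored = 0;
    for (int i = 0; rule_matched && i < tc->n; i++)
        if (flowvar_store(f, tc->val[i]) == 0) stored++;
    tc->n = 0;   /* candidates of non-matching rules are dropped too */
    return stored;
}

int inspect_http_after(ThreadCtx *tc, Flow *f, const char *uri, int rule_matched) {
    flow_lock(f);
    flowvar_queue(tc, uri);          /* no flow lock taken during the match */
    flow_unlock(f);
    return flowvar_post_match(tc, f, rule_matched);
}
```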
