Project

General

Profile

Actions
Copy link

Bug #989

closed

Segfault in HTPStateGetTxCnt after a few minutes

Added by Chris Wakelin about 11 years ago. Updated about 11 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Anoop Saldanha
Target version:
2.0beta2
Affected Versions:
Effort:
Difficulty:
Label:

Description

I tried Suricata git - 2.0dev (rev 2f4e11b) - on the night of the 30th September on one of our networks.

Unfortunately, Suricata kept segfaulting after a few minutes:

#0  0x0000000000424674 in HTPStateGetTxCnt (alstate=0x7f38ab506e60)
    at app-layer-htp.c:2378
#0  0x0000000000424674 in HTPStateGetTxCnt (alstate=0x7f38ab506e60)
    at app-layer-htp.c:2378
No locals.
#1  0x0000000000495565 in DeStateFlowHasInspectableState (f=0x465e480, 
    alproto=1, alversion=<optimised out>, flags=4 '\004')
    at detect-engine-state.c:220
        r = 0
#2  0x000000000046371f in SigMatchSignatures (th_v=0xbed9ee0, 
    de_ctx=0x4d17000, det_ctx=0x7f38d03dd000, p=0x2b4e300) at detect.c:1280
        has_state = <optimised out>
        sms_runflags = 1 '\001'
        alert_flags = 0 '\000'
        alproto = 1
        idx = <optimised out>
        flags = 4 '\004'
        alstate = 0x7f38ab506e60
        smsg = 0x0
        s = 0x0
        sm = 0x0
        alversion = 2
        reset_de_state = <optimised out>
        alerts = 0
        i = <optimised out>
        app_decoder_events = 0
        mask = <optimised out>
#3  0x00000000004642e5 in Detect (data=<optimised out>, p=<optimised out>, 
    tv=<optimised out>, pq=<optimised out>, postpq=<optimised out>)
    at detect.c:1697
        det_ctx = <optimised out>
        de_ctx = <optimised out>
        r = <optimised out>
#4  Detect (tv=<optimised out>, p=<optimised out>, data=<optimised out>, 
    pq=<optimised out>, postpq=<optimised out>) at detect.c:1669
No locals.
#5  0x000000000051e868 in TmThreadsSlotVarRun (tv=0xbed9ee0, p=0x2b4e300, 
    slot=<optimised out>) at tm-threads.c:559
        SlotFunc = <optimised out>
        r = <optimised out>
        s = 0x7f39111853c0
        extra_p = <optimised out>
#6  0x00000000005086fa in TmThreadsSlotProcessPkt (p=0x2b4e300, 
    s=0x7f3911185640, tv=0xbed9ee0) at tm-threads.h:142
        r = TM_ECODE_OK
#7  ReceivePfringLoop (tv=0xbed9ee0, data=0x7f3cd6b66a80, 
    slot=<optimised out>) at source-pfring.c:331
...

I updated again on 1st October - 2.0dev (rev c5cd356) - and tried it on a large pcap I had, and it segfaulted again :-

Program terminated with signal 11, Segmentation fault.
#0  0x0000000000424b44 in HTPStateGetTxCnt (alstate=0x7fc374cf92c0) at app-layer-htp.c:2378
2378        return (uint64_t)htp_list_size(((htp_tx_t *)alstate)->conn->transactions);
#0  0x0000000000424b44 in HTPStateGetTxCnt (alstate=0x7fc374cf92c0) at app-layer-htp.c:2378
No locals.
#1  0x0000000000496965 in DeStateFlowHasInspectableState (f=0x36e0450, alproto=1, alversion=<optimised out>, flags=4 '\004') at detect-engine-state.c:220
        r = 0
#2  0x00000000004643df in SigMatchSignatures (th_v=0x4cd88d0, de_ctx=0x3cf1000, det_ctx=0x7fc3980069a0, p=0x17222c0) at detect.c:1280
        has_state = <optimised out>
        sms_runflags = 1 '\001'
        alert_flags = 0 '\000'
        alproto = 1
        smatch = 0
        idx = <optimised out>
        flags = 4 '\004'
        alstate = 0x7fc374cf92c0
        smsg = 0x0
        s = 0x0
        sm = 0x0
        alversion = 2
        reset_de_state = <optimised out>
        alerts = 0
        i = <optimised out>
        app_decoder_events = 0
        mask = <optimised out>
        __FUNCTION__ = "SigMatchSignatures" 
#3  0x0000000000465645 in Detect (data=<optimised out>, p=<optimised out>, tv=<optimised out>, pq=<optimised out>, postpq=<optimised out>) at detect.c:1697
        det_ctx = <optimised out>
        de_ctx = <optimised out>
        r = <optimised out>
#4  Detect (tv=<optimised out>, p=<optimised out>, data=<optimised out>, pq=<optimised out>, postpq=<optimised out>) at detect.c:1669
No locals.
#5  0x00000000005204ec in TmThreadsSlotVarRun (tv=0x4cd88d0, p=0x17222c0, slot=<optimised out>) at tm-threads.c:559
        SlotFunc = 0x4655f0 <Detect>
        r = <optimised out>
        s = 0x3d30cb0
        extra_p = <optimised out>
#6  0x00000000005086fc in TmThreadsSlotProcessPkt (p=0x17222c0, s=0x3d30a30, tv=0x4cd88d0) at tm-threads.h:142
        r = TM_ECODE_OK
#7  PcapFileCallbackLoop (user=0x7fc3980008f0 "<B6>7*", h=<optimised out>, pkt=0x7fc398000e90 "") at source-pcap-file.c:154
        ptv = 0x7fc3980008f0
        p = 0x17222c0
#8  0x00007fc3a11cfc9e in pcap_offline_read () from /usr/local/lib/libpcap.so.1
...

I managed to narrow it down to a particular pair of hosts and have sent a pcap that causes it to
crash, together with the full backtraces for both kinds of segfault privately to some of the developers (unfortunately I can't share them publicly).

In both case a line similar to

[15847] 2/10/2013 -- 10:16:23 - (app-layer-htp.c:720) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - HTP state has no connp

appeared in suricata.log (i.e. incomplete - I guess it didn't finish writing the line!)

It looks like it's to do with the recent app-layer updates; the git version from the evening of 27th September - 2.0dev (rev 8080494) - didn't crash.

I hadn't got the new app-layer suricata.yaml entries in, but adding them doesn't seem to help.

Actions
Copy link
 #1

Updated by Anoop Saldanha about 11 years ago

  • Assignee set to Anoop Saldanha
  • Target version set to 2.0beta2

A fix is already going through some fuzz. Should be out shortly.

Actions
Copy link
 #2

Updated by Heinz Hartfiel about 11 years ago

Same Issue with Suricata version 2.0dev (rev 51c2e1e) on Ubuntu 12.04.3 LTS
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK

root@xxxxxxx:/etc/suricata# suricata --pfring-int=eth1 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml
[32616] 10/10/2013 -- 08:53:18 - (suricata.c:926) <Notice> (SCPrintVersion) -- This is Suricata version 2.0dev (rev 51c2e1e)
[32616] 10/10/2013 -- 08:53:18 - (app-layer-parser.c:2194) <Error> (AppLayerInsertNewProbingParser) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Duplicate pp registered
[32616] 10/10/2013 -- 08:53:30 - (detect.c:406) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/virus.rules
[32616] 10/10/2013 -- 08:53:30 - (detect.c:406) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/icmp.rules
10 Oct 08:54:00 (process:32616) INFO: Connecting to x.x.x.x.:4690 prelude Manager server.
10 Oct 08:54:00 (process:32616) INFO: TLS authentication succeed with Prelude Manager.
[32616] 10/10/2013 -- 08:54:00 - (tm-threads.c:2192) <Notice> (TmThreadWaitOnThreadInit) -- all 7 packet processing threads, 3 management threads initialized, engine started.
[32620] 10/10/2013 -- 08:54:36 - (app-layer-htp.c:763) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - HTP state has no connp
Segmentation fault (core dumped)

64-bits, Little-endian architecture
GCC version 4.6.3, C version 199901
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
compiled with LibHTP v0.5.7, linked against LibHTP v0.5.7
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         yes
  NFQueue support:                         no
  IPFW support:                            no
  DAG enabled:                             no
  Napatech enabled:                        no
  Unix socket enabled:                     no
  libnss support:                          no
  libnspr support:                         no
  libjansson support:                      no
  Prelude support:                         yes
  PCRE jit:                                no
  libluajit:                               no
  libgeoip:                                no
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no
  Suricatasc install:                      yes
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       no
  Profiling locks enabled:                 no

Generic build parameters:
  Installation prefix (--prefix):          /usr/local
  Configuration directory (--sysconfdir):  /usr/local/etc/suricata/
  Log directory (--localstatedir) :        /usr/local/var/log/suricata/

  Host:                                    x86_64-unknown-linux-gnu
  GCC binary:                              gcc
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no

Actions
Copy link
 #3

Updated by Anoop Saldanha about 11 years ago

Can you check the latest master? The fix is from commits post the revision you previously specified.

Actions
Copy link
 #5

Updated by Chris Wakelin about 11 years ago

Looks good - I've been running rev a26243a since yesterday afternoon, monitoring ~1Gb/s with no crashes (and slow memory leak also seems much better)

Actions
Copy link
 #6

Updated by Heinz Hartfiel about 11 years ago

Looks good on my side also - Rev a26243a is running without a problem since 4 hours.

Actions
Copy link
 #7

Updated by Anoop Saldanha about 11 years ago

  • Status changed from New to Closed

Thanks for the review guys. Closing bug.

Actions
Copy link

Also available in: Atom PDF