Bug #989
Segfault in HTPStateGetTxCnt after a few minutes
Status: closed
Description
I tried Suricata git - 2.0dev (rev 2f4e11b) - on the night of the 30th September on one of our networks.
Unfortunately, Suricata kept segfaulting after a few minutes:
#0  0x0000000000424674 in HTPStateGetTxCnt (alstate=0x7f38ab506e60) at app-layer-htp.c:2378
#0  0x0000000000424674 in HTPStateGetTxCnt (alstate=0x7f38ab506e60) at app-layer-htp.c:2378
No locals.
#1  0x0000000000495565 in DeStateFlowHasInspectableState (f=0x465e480, alproto=1, alversion=<optimised out>, flags=4 '\004') at detect-engine-state.c:220
        r = 0
#2  0x000000000046371f in SigMatchSignatures (th_v=0xbed9ee0, de_ctx=0x4d17000, det_ctx=0x7f38d03dd000, p=0x2b4e300) at detect.c:1280
        has_state = <optimised out>
        sms_runflags = 1 '\001'
        alert_flags = 0 '\000'
        alproto = 1
        idx = <optimised out>
        flags = 4 '\004'
        alstate = 0x7f38ab506e60
        smsg = 0x0
        s = 0x0
        sm = 0x0
        alversion = 2
        reset_de_state = <optimised out>
        alerts = 0
        i = <optimised out>
        app_decoder_events = 0
        mask = <optimised out>
#3  0x00000000004642e5 in Detect (data=<optimised out>, p=<optimised out>, tv=<optimised out>, pq=<optimised out>, postpq=<optimised out>) at detect.c:1697
        det_ctx = <optimised out>
        de_ctx = <optimised out>
        r = <optimised out>
#4  Detect (tv=<optimised out>, p=<optimised out>, data=<optimised out>, pq=<optimised out>, postpq=<optimised out>) at detect.c:1669
No locals.
#5  0x000000000051e868 in TmThreadsSlotVarRun (tv=0xbed9ee0, p=0x2b4e300, slot=<optimised out>) at tm-threads.c:559
        SlotFunc = <optimised out>
        r = <optimised out>
        s = 0x7f39111853c0
        extra_p = <optimised out>
#6  0x00000000005086fa in TmThreadsSlotProcessPkt (p=0x2b4e300, s=0x7f3911185640, tv=0xbed9ee0) at tm-threads.h:142
        r = TM_ECODE_OK
#7  ReceivePfringLoop (tv=0xbed9ee0, data=0x7f3cd6b66a80, slot=<optimised out>) at source-pfring.c:331
...
I updated again on 1st October - 2.0dev (rev c5cd356) - and tried it on a large pcap I had, and it segfaulted again :-
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000424b44 in HTPStateGetTxCnt (alstate=0x7fc374cf92c0) at app-layer-htp.c:2378
2378        return (uint64_t)htp_list_size(((htp_tx_t *)alstate)->conn->transactions);
#0  0x0000000000424b44 in HTPStateGetTxCnt (alstate=0x7fc374cf92c0) at app-layer-htp.c:2378
No locals.
#1  0x0000000000496965 in DeStateFlowHasInspectableState (f=0x36e0450, alproto=1, alversion=<optimised out>, flags=4 '\004') at detect-engine-state.c:220
        r = 0
#2  0x00000000004643df in SigMatchSignatures (th_v=0x4cd88d0, de_ctx=0x3cf1000, det_ctx=0x7fc3980069a0, p=0x17222c0) at detect.c:1280
        has_state = <optimised out>
        sms_runflags = 1 '\001'
        alert_flags = 0 '\000'
        alproto = 1
        smatch = 0
        idx = <optimised out>
        flags = 4 '\004'
        alstate = 0x7fc374cf92c0
        smsg = 0x0
        s = 0x0
        sm = 0x0
        alversion = 2
        reset_de_state = <optimised out>
        alerts = 0
        i = <optimised out>
        app_decoder_events = 0
        mask = <optimised out>
        __FUNCTION__ = "SigMatchSignatures"
#3  0x0000000000465645 in Detect (data=<optimised out>, p=<optimised out>, tv=<optimised out>, pq=<optimised out>, postpq=<optimised out>) at detect.c:1697
        det_ctx = <optimised out>
        de_ctx = <optimised out>
        r = <optimised out>
#4  Detect (tv=<optimised out>, p=<optimised out>, data=<optimised out>, pq=<optimised out>, postpq=<optimised out>) at detect.c:1669
No locals.
#5  0x00000000005204ec in TmThreadsSlotVarRun (tv=0x4cd88d0, p=0x17222c0, slot=<optimised out>) at tm-threads.c:559
        SlotFunc = 0x4655f0 <Detect>
        r = <optimised out>
        s = 0x3d30cb0
        extra_p = <optimised out>
#6  0x00000000005086fc in TmThreadsSlotProcessPkt (p=0x17222c0, s=0x3d30a30, tv=0x4cd88d0) at tm-threads.h:142
        r = TM_ECODE_OK
#7  PcapFileCallbackLoop (user=0x7fc3980008f0 "<B6>7*", h=<optimised out>, pkt=0x7fc398000e90 "") at source-pcap-file.c:154
        ptv = 0x7fc3980008f0
        p = 0x17222c0
#8  0x00007fc3a11cfc9e in pcap_offline_read () from /usr/local/lib/libpcap.so.1
...
I managed to narrow it down to a particular pair of hosts and have sent a pcap that causes it to crash, together with the full backtraces for both kinds of segfault, privately to some of the developers (unfortunately I can't share them publicly).
In both cases a line similar to
[15847] 2/10/2013 -- 10:16:23 - (app-layer-htp.c:720) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - HTP state has no connp
appeared in suricata.log (i.e. incomplete - I guess it didn't finish writing the line!)
It looks like it's to do with the recent app-layer updates; the git version from the evening of 27th September - 2.0dev (rev 8080494) - didn't crash.
I hadn't got the new app-layer suricata.yaml entries in, but adding them doesn't seem to help.
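The crashing line in the second backtrace dereferences alstate->conn->transactions, and the log line that accompanies each crash says the HTP state has no connp. The following is an added illustration of that failure class and its defensive counterpart; it is not Suricata's or libhtp's code, and every type and function name in it (tx_list_t, conn_t, http_state_t, tx_count_unchecked, tx_count_checked, make_state) is a hypothetical stand-in. It models an app-layer state whose connection pointer may be absent and shows a transaction-count getter that reports zero in that case instead of dereferencing NULL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the parser's list and connection objects
 * (assumed names, not libhtp's real types). */
typedef struct {
    size_t size;              /* number of transactions recorded */
} tx_list_t;

typedef struct {
    tx_list_t *transactions;  /* list of transactions on this connection */
} conn_t;

typedef struct {
    conn_t *conn;             /* NULL when no parser connection was created */
} http_state_t;

static size_t list_size(const tx_list_t *l)
{
    return (l != NULL) ? l->size : 0;
}

/* Unchecked form: same shape as the crashing line in the report.
 * With conn == NULL this dereferences a NULL pointer. */
uint64_t tx_count_unchecked(void *alstate)
{
    return (uint64_t)list_size(((http_state_t *)alstate)->conn->transactions);
}

/* Hardened form: validate each pointer on the path. A state without a
 * connection has nothing to inspect, so it reports zero transactions. */
uint64_t tx_count_checked(void *alstate)
{
    const http_state_t *s = (const http_state_t *)alstate;
    if (s == NULL || s->conn == NULL)
        return 0;
    return (uint64_t)list_size(s->conn->transactions);
}

/* Constructed sample states for the demonstration (static storage so the
 * returned pointers stay valid after make_state returns). */
static tx_list_t g_list;
static conn_t g_conn;
static http_state_t g_state_with_conn;
static http_state_t g_state_no_conn;

/* Builds a state holding n_tx transactions; with_conn == 0 yields a state
 * whose connection pointer is missing, like the "no connp" case. */
http_state_t *make_state(size_t n_tx, int with_conn)
{
    g_list.size = n_tx;
    g_conn.transactions = &g_list;
    if (with_conn) {
        g_state_with_conn.conn = &g_conn;
        return &g_state_with_conn;
    }
    g_state_no_conn.conn = NULL;
    return &g_state_no_conn;
}

int main(void)
{
    printf("with conn: %llu\n",
           (unsigned long long)tx_count_checked(make_state(3, 1)));
    printf("no conn:   %llu\n",
           (unsigned long long)tx_count_checked(make_state(3, 0)));
    /* tx_count_unchecked(make_state(3, 0)) would segfault here, as in the report. */
    return 0;
}
```

The checked getter is the shape a caller such as the detection engine's "has inspectable state" test needs: a missing connection is an ordinary answer (no transactions yet), not a condition that should take the whole packet-processing thread down.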