Project

General

Profile

Bug #3349

Updated by Victor Julien almost 5 years ago

Suricata 5.0 crashes while rule reload and performing flow detect. 

 Backtrace 
 <pre> 
 #0    0x00007fb6ce86e337 in raise () from /lib64/libc.so.6 
 #1    0x00007fb6ce86fa28 in abort () from /lib64/libc.so.6 
 #2    0x00007fb6ce8b0e87 in __libc_message () from /lib64/libc.so.6 
 #3    0x00007fb6ce8b9679 in _int_free () from /lib64/libc.so.6 
 #4    0x00000000004aa43f in DetectEngineThreadCtxFree (det_ctx=0x7fb6a4a96ce0) at detect-engine.c:2559 
 #5    0x00000000004ad8f7 in DetectEngineThreadCtxDeinit (tv=<optimized out>, data=0x7fb6a4a96ce0) at detect-engine.c:2604 
 #6    0x00000000004ae090 in DetectEngineReloadThreads (new_de_ctx=new_de_ctx@entry=0xa8dcf20) at detect-engine.c:1543 
 #7    0x00000000004b1890 in DetectEngineReload (suri=suri@entry=0xa81100 <suricata>) at detect-engine.c:3681 
 #8    0x000000000041fd55 in SuricataMainLoop (suri=<optimized out>) at suricata.c:2860 
 #9    main (argc=<optimized out>, argv=<optimized out>) at suricata.c:3021 
 </pre> 

 reason: 
 <pre> 
 InspectionBuffer *InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id) 
 { 
     InspectionBuffer *buffer = &det_ctx->inspect.buffers[list_id]; 
     if (buffer->inspect == NULL) { 
         det_ctx->inspect.to_clear_queue[det_ctx->inspect.to_clear_idx++] = list_id; 
     } 
     return buffer; 
 } 
 </pre> 
 The size of det_ctx->inspect.to_clear_idx will exceed det_ctx->inspect.buffers_size during run, resulting in memory out of bounds.

Back