[Oisf-devel] Suricata 1.2.1 + OpenBSD 5.1 = segmentation fault

Henri Wahl h.wahl at ifw-dresden.de
Mon May 21 07:00:17 UTC 2012


Hi Anoop,
I ran the same file I sent you again on my OpenBSD with Suricata and got
a core dump:

...
ular) initialized: http.log
[10304] 21/5/2012 -- 08:55:28 - (stream-tcp.c:334) <Info>
(StreamTcpInitConfig) -- stream "max-sessions": 262144
[10304] 21/5/2012 -- 08:55:28 - (stream-tcp.c:346) <Info>
(StreamTcpInitConfig) -- stream "prealloc-sessions": 32768
[10304] 21/5/2012 -- 08:55:28 - (stream-tcp.c:362) <Info>
(StreamTcpInitConfig) -- stream "memcap": 33554432
[10304] 21/5/2012 -- 08:55:28 - (stream-tcp.c:368) <Info>
(StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[10304] 21/5/2012 -- 08:55:28 - (stream-tcp.c:374) <Info>
(StreamTcpInitConfig) -- stream "async-oneside": disabled
[10304] 21/5/2012 -- 08:55:28 - (stream-tcp.c:391) <Info>
(StreamTcpInitConfig) -- stream "checksum-validation": enabled
[10304] 21/5/2012 -- 08:55:28 - (stream-tcp.c:401) <Info>
(StreamTcpInitConfig) -- stream."inline": disabled
[10304] 21/5/2012 -- 08:55:28 - (stream-tcp.c:419) <Info>
(StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
[10304] 21/5/2012 -- 08:55:28 - (stream-tcp.c:437) <Info>
(StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[10304] 21/5/2012 -- 08:55:28 - (stream-tcp.c:478) <Info>
(StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2560
[10304] 21/5/2012 -- 08:55:28 - (stream-tcp.c:480) <Info>
(StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2560
[10304] 21/5/2012 -- 08:55:28 - (source-pcap-file.c:216) <Info>
(ReceivePcapFileThreadInit) -- reading pcap file suricata_crash_dump.pcap
[10304] 21/5/2012 -- 08:55:28 - (tm-threads.c:1858) <Info>
(TmThreadWaitOnThreadInit) -- all 9 packet processing threads, 1
management threads initialized, engine started.
[10304] 21/5/2012 -- 08:55:28 - (source-pcap-file.c:193) <Info>
(ReceivePcapFileLoop) -- pcap file end of file reached (pcap err code 0)
Segmentation fault (core dumped)

Doing this on the Linux CentOS 5.8 machine with Suricata 1.2 all seems OK:

...
21/5/2012 -- 08:54:25 - <Info> - stream.reassembly "memcap": 67108864
21/5/2012 -- 08:54:25 - <Info> - stream.reassembly "depth": 1048576
21/5/2012 -- 08:54:25 - <Info> - stream.reassembly
"toserver_chunk_size": 2560
21/5/2012 -- 08:54:25 - <Info> - stream.reassembly
"toclient_chunk_size": 2560
21/5/2012 -- 08:54:25 - <Info> - reading pcap file suricata_crash_dump.pcap
21/5/2012 -- 08:54:25 - <Info> - all 5 packet processing threads, 1
management threads initialized, engine started.
21/5/2012 -- 08:54:25 - <Info> - pcap file end of file reached (pcap err
code 0)
21/5/2012 -- 08:54:25 - <Info> - stopping engine, waiting for
outstanding packets
21/5/2012 -- 08:54:25 - <Info> - all packets processed by threads,
stopping engine
21/5/2012 -- 08:54:25 - <Info> - 0 new flows, 0 established flows were
timed out, 0 flows in closed state
21/5/2012 -- 08:54:25 - <Info> - time elapsed 0.213s
21/5/2012 -- 08:54:25 - <Info> - Pcap-file module read 117 packets,
108788 bytes
21/5/2012 -- 08:54:25 - <Info> - Stream TCP processed 117 TCP packets
21/5/2012 -- 08:54:25 - <Info> - Fast log output wrote 0 alerts
21/5/2012 -- 08:54:25 - <Info> - Alert unified2 module wrote 0 alerts
21/5/2012 -- 08:54:25 - <Info> - Max memuse of the stream reassembly
engine 11292544 (in use 0)
21/5/2012 -- 08:54:25 - <Info> - Max memuse of stream engine 6029312 (in
use 0)
21/5/2012 -- 08:54:25 - <Info> - cleaning up signature grouping
structure... complete

So this seems to be somehow OpenBSD related. Are you able to test on
OpenBSD or are there any OpenBSD developers?

Regards
Henri

-- 
Henri Wahl

IT Department
Leibniz-Institut für Festkörper- u.
Werkstoffforschung Dresden

tel. (03 51) 46 59 - 797
email: h.wahl at ifw-dresden.de
http://www.ifw-dresden.de

Nagios status monitor for your desktop:
http://nagstamon.ifw-dresden.de

IFW Dresden e.V., Helmholtzstraße 20, D-01069 Dresden
VR Dresden Nr. 1369
Board of Directors: Prof. Dr. Ludwig Schultz, Dr. h.c. Dipl.-Finw. Rolf Pfrengle
