[Oisf-devel] patch for (my) ticket #164 content+offset+depth

rmkml rmkml at free.fr
Tue May 25 17:53:38 UTC 2010 

Hi Victor,
thx again for your great work+support on (open source) suricata project!
Yes it's work with my example/simple pcap, but I have my first seg fault with git today (dab679889cf3a915edc382e97f0a6c13fa277eca)
ok start gdb:
export LD_LIBRARY_PATH=/home/oisf_suricata_ids/yaml-0.1.3/src/.libs:/home/oisf_suricata_ids/suricata-0.9.1pregit25may2010/libhtp/htp/.libs:$LD_LIBRARY_PATH
gdb /home/oisf_suricata_ids/suricata-0.9.1pregit25may2010/src/.libs/suricata
(gdb) r -c /home/suricata_ids_oisf/etc/suricata.yaml -r /mnt/testany2.pcap
Starting program: /home/oisf_suricata_ids/suricata-0.9.1pregit25may2010/src/.libs/suricata -c /home/suricata_ids_oisf/etc/suricata.yaml -r /mnt/testany2.pcap
[Thread debugging using libthread_db enabled]
...
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1216702784 (LWP 19696)]
DetectDepthSetup (de_ctx=0x86e36f8, s=0x9d0d718, depthstr=0x9d0b6f0 "0")
     at detect-depth.c:88
88                      cd->depth = cd->offset + depth;
(gdb) bt full
#0  DetectDepthSetup (de_ctx=0x86e36f8, s=0x9d0d718, depthstr=0x9d0b6f0 "0")
     at detect-depth.c:88
         depth = 3
         str = 0x9d0b6f0 "0"
         dubbed = 0 '\0'
         pm = <value optimized out>
         __FUNCTION__ = "DetectDepthSetup"
#1  0x0807b4d8 in SigParseOptions (de_ctx=0x86e36f8, s=0x9d0d718,
     optstr=0x9d0ea08 " depth:0; offset:14; uricontent:!\"\\:/\"; depth:14; offset:0; pcre:\"/^[^\\/\\:]{14,}?\\:\\//U\"; 
pcre:\"/^(?:GET|POST|HEAD)\\s+(?!(?:\\/|\\:|\\%2F|\\%3A){14})/smi\"; 
reference:bugtraq,9581; reference:cve,2004-0039;"...) at detect-parse.c:427
         _sc_log_err_msg = 
"\003\000\000\000\003\000\000\000˿\000\004\000\000\000\004.˿\000\000\000\000\000\000\000\0004)˿(\t\023\b)\t\000\000\000^8\t\000\000\000\000t\030\t\030\t\030%˿Ca\b\030\tt", 
'\0' <repeats 20 times>, "P\205\000\000\000\000\000P\201\000", '' <repeats 16 times>, "\004\000\000\000xٵ\000 
i\000\000\000\000\000\227!˿P\201\000(\000\000\000(\000\000\000x%˿\000\000\000\000\004.˿t\005023\bt 
iM\000 \201\000\001\000\000\000\230!˿\000\000\000\000"...
         _sc_log_err_temp = <value optimized out>
         ov = {0, 268, 1, 6, 7, 8, 9, 268, 135523032, 164686048, 164686334,
   164686048, 12087284, 12087284, 12091680, 164682744, -1077205752, 12087284,
   12091680, 164673152, -1077205736, 11150384, 12091680, 164673152, 164673264,
...

Regards
Rmkml



On Tue, 25 May 2010, Victor Julien wrote:

> Hi Rmkml, thanks for pointing out the issue. I ended up fixing it
> slightly differently:
>
>
>
> diff --git a/src/detect-depth.c b/src/detect-depth.c
> index 31a8d16..954fcec 100644
> --- a/src/detect-depth.c
> +++ b/src/detect-depth.c
> @@ -72,6 +72,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx,
> Signature *s, char *depths
>
>     DetectUricontentData *ud = NULL;
>     DetectContentData *cd = NULL;
> +
>     switch (pm->type) {
>         case DETECT_URICONTENT:
>             ud = (DetectUricontentData *)pm->ctx;
> @@ -82,9 +83,12 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx,
> Signature *s, char *depths
>             }
>             ud->depth = (uint32_t)atoi(str);
>             if (ud->uricontent_len + ud->offset > ud->depth) {
> +                uint32_t depth = (ud->depth > ud->uricontent_len) ?
> +                    ud->depth : ud->uricontent_len;
> +                cd->depth = cd->offset + depth;
> +
>                 SCLogDebug("depth increased to %"PRIu32" to match
> pattern len "
> -                        "and offset", ud->uricontent_len + ud->offset);
> -                ud->depth = ud->uricontent_len + ud->offset;
> +                        "and offset", ud->depth);
>             }
>         break;
>
> @@ -97,9 +101,12 @@ static int DetectDepthSetup (DetectEngineCtx
> *de_ctx, Signature *s, char *depths
>             }
>             cd->depth = (uint32_t)atoi(str);
>             if (cd->content_len + cd->offset > cd->depth) {
> +                uint32_t depth = (cd->depth > cd->content_len) ?
> +                    cd->depth : cd->content_len;
> +                cd->depth = cd->offset + depth;
> +
>                 SCLogDebug("depth increased to %"PRIu32" to match
> pattern len "
> -                        "and offset", cd->content_len + cd->offset);
> -                cd->depth = cd->content_len + cd->offset;
> +                        "and offset", cd->depth);
>             }
>         break;
>
>
> Current master should work!
>
> Cheers,
> Victor
>
> rmkml wrote:
>> Hi,
>> I have created a small patch for src/detect-depth.c:
>>
>> @@ -98,8 +98,8 @@
>>       cd->depth = (uint32_t)atoi(str);
>>       if (cd->content_len + cd->offset > cd->depth) {
>>           SCLogDebug("depth increased to %"PRIu32" to match pattern len "
>> -                 "and offset", cd->content_len + cd->offset);
>> -         cd->depth = cd->content_len + cd->offset;
>> +                 "and offset", cd->content_len + cd->offset +
>> (cd->depth - cd->content_len));
>> +         cd->depth = cd->content_len + cd->offset + (cd->depth -
>> cd->content_len);
>>       }
>>   break;
>>
>> Apply on suricata git 20 May 2010
>> (b629b7c5c1e2ad6c91b97b6708ad9ddc6a674502)
>> Not tested(/modified) with uricontent and depth/offset...
>> Regards
>> Rmkml
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>

More information about the Oisf-devel mailing list