[Oisf-devel] patch for (my) ticket #164 content+offset+depth
rmkml
rmkml at free.fr
Tue May 25 17:53:38 UTC 2010
Hi Victor,
Thanks again for your great work and support on the (open source) Suricata project!
Yes, it works with my example/simple pcap, but I got my first segfault with today's git (dab679889cf3a915edc382e97f0a6c13fa277eca).
OK, starting gdb:
export LD_LIBRARY_PATH=/home/oisf_suricata_ids/yaml-0.1.3/src/.libs:/home/oisf_suricata_ids/suricata-0.9.1pregit25may2010/libhtp/htp/.libs:$LD_LIBRARY_PATH
gdb /home/oisf_suricata_ids/suricata-0.9.1pregit25may2010/src/.libs/suricata
(gdb) r -c /home/suricata_ids_oisf/etc/suricata.yaml -r /mnt/testany2.pcap
Starting program: /home/oisf_suricata_ids/suricata-0.9.1pregit25may2010/src/.libs/suricata -c /home/suricata_ids_oisf/etc/suricata.yaml -r /mnt/testany2.pcap
[Thread debugging using libthread_db enabled]
...
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1216702784 (LWP 19696)]
DetectDepthSetup (de_ctx=0x86e36f8, s=0x9d0d718, depthstr=0x9d0b6f0 "0")
at detect-depth.c:88
88 cd->depth = cd->offset + depth;
(gdb) bt full
#0 DetectDepthSetup (de_ctx=0x86e36f8, s=0x9d0d718, depthstr=0x9d0b6f0 "0")
at detect-depth.c:88
depth = 3
str = 0x9d0b6f0 "0"
dubbed = 0 '\0'
pm = <value optimized out>
__FUNCTION__ = "DetectDepthSetup"
#1 0x0807b4d8 in SigParseOptions (de_ctx=0x86e36f8, s=0x9d0d718,
optstr=0x9d0ea08 " depth:0; offset:14; uricontent:!\"\\:/\"; depth:14; offset:0; pcre:\"/^[^\\/\\:]{14,}?\\:\\//U\";
pcre:\"/^(?:GET|POST|HEAD)\\s+(?!(?:\\/|\\:|\\%2F|\\%3A){14})/smi\";
reference:bugtraq,9581; reference:cve,2004-0039;"...) at detect-parse.c:427
_sc_log_err_msg =
"\003\000\000\000\003\000\000\000˿\000\004\000\000\000\004.˿\000\000\000\000\000\000\000\0004)˿(\t\023\b)\t\000\000\000^8\t\000\000\000\000t\030\t\030\t\030%˿Ca\b\030\tt",
'\0' <repeats 20 times>, "P\205\000\000\000\000\000P\201\000", '' <repeats 16 times>, "\004\000\000\000xٵ\000
i\000\000\000\000\000\227!˿P\201\000(\000\000\000(\000\000\000x%˿\000\000\000\000\004.˿t\005023\bt
iM\000 \201\000\001\000\000\000\230!˿\000\000\000\000"...
_sc_log_err_temp = <value optimized out>
ov = {0, 268, 1, 6, 7, 8, 9, 268, 135523032, 164686048, 164686334,
164686048, 12087284, 12087284, 12091680, 164682744, -1077205752, 12087284,
12091680, 164673152, -1077205736, 11150384, 12091680, 164673152, 164673264,
...
Regards
Rmkml
On Tue, 25 May 2010, Victor Julien wrote:
> Hi Rmkml, thanks for pointing out the issue. I ended up fixing it
> slightly differently:
>
>
>
> diff --git a/src/detect-depth.c b/src/detect-depth.c
> index 31a8d16..954fcec 100644
> --- a/src/detect-depth.c
> +++ b/src/detect-depth.c
> @@ -72,6 +72,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx,
> Signature *s, char *depths
>
> DetectUricontentData *ud = NULL;
> DetectContentData *cd = NULL;
> +
> switch (pm->type) {
> case DETECT_URICONTENT:
> ud = (DetectUricontentData *)pm->ctx;
> @@ -82,9 +83,12 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx,
> Signature *s, char *depths
> }
> ud->depth = (uint32_t)atoi(str);
> if (ud->uricontent_len + ud->offset > ud->depth) {
> + uint32_t depth = (ud->depth > ud->uricontent_len) ?
> + ud->depth : ud->uricontent_len;
> + cd->depth = cd->offset + depth;
> +
> SCLogDebug("depth increased to %"PRIu32" to match
> pattern len "
> - "and offset", ud->uricontent_len + ud->offset);
> - ud->depth = ud->uricontent_len + ud->offset;
> + "and offset", ud->depth);
> }
> break;
>
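Review bot: In the DETECT_URICONTENT case, the added assignment `cd->depth = cd->offset + depth;` writes through `cd`, which is still NULL at this point: the function declares `DetectContentData *cd = NULL` and this branch only sets `ud` from `pm->ctx`. It should read `ud->depth = ud->offset + depth;`, which would also make the SCLogDebug of `ud->depth` just below report the adjusted value. This is the statement at detect-depth.c:88 in the SIGSEGV backtrace earlier in this message, hit while parsing a rule that combines uricontent with depth and offset.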
> @@ -97,9 +101,12 @@ static int DetectDepthSetup (DetectEngineCtx
> *de_ctx, Signature *s, char *depths
> }
> cd->depth = (uint32_t)atoi(str);
> if (cd->content_len + cd->offset > cd->depth) {
> + uint32_t depth = (cd->depth > cd->content_len) ?
> + cd->depth : cd->content_len;
> + cd->depth = cd->offset + depth;
> +
> SCLogDebug("depth increased to %"PRIu32" to match
> pattern len "
> - "and offset", cd->content_len + cd->offset);
> - cd->depth = cd->content_len + cd->offset;
> + "and offset", cd->depth);
> }
> break;
>
>
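Review bot: Inside the `if` of the content case, depth is now treated as relative to offset (`cd->depth = cd->offset + depth`), but when `cd->content_len + cd->offset > cd->depth` is false the value from atoi is kept unchanged, so a smaller depth can end up with a larger final value than a bigger one. With content_len 3 and offset 14, depth:16 becomes 30 while depth:20 stays 20. Consider applying the same offset-relative calculation on both paths, and checking that `cd->offset + depth` cannot wrap the uint32_t.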
> Current master should work!
>
> Cheers,
> Victor
>
> rmkml wrote:
>> Hi,
>> I have created a small patch for src/detect-depth.c:
>>
>> @@ -98,8 +98,8 @@
>> cd->depth = (uint32_t)atoi(str);
>> if (cd->content_len + cd->offset > cd->depth) {
>> SCLogDebug("depth increased to %"PRIu32" to match pattern len "
>> - "and offset", cd->content_len + cd->offset);
>> - cd->depth = cd->content_len + cd->offset;
>> + "and offset", cd->content_len + cd->offset +
>> (cd->depth - cd->content_len));
>> + cd->depth = cd->content_len + cd->offset + (cd->depth -
>> cd->content_len);
>> }
>> break;
>>
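Review bot: The new right-hand side `cd->content_len + cd->offset + (cd->depth - cd->content_len)` reduces to `cd->offset + cd->depth`, so when depth is smaller than content_len the resulting window is still too short to hold the pattern, which is the case the "depth increased ... to match pattern len and offset" branch exists to handle. Taking the larger of cd->depth and cd->content_len before adding the offset would cover it. The expression is also duplicated in the SCLogDebug argument; assigning first and then logging `cd->depth` keeps the logged and stored values from drifting apart.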
>> Apply on suricata git 20 May 2010
>> (b629b7c5c1e2ad6c91b97b6708ad9ddc6a674502)
>> Not tested(/modified) with uricontent and depth/offset...
>> Regards
>> Rmkml
>>
>>
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>