[Oisf-devel] patch for (my) ticket #164 content+offset+depth

Victor Julien victor at inliniac.net
Tue May 25 20:41:03 UTC 2010


Ah yeah, dumb typo on my side. Please try current master.

Cheers,
Victor

rmkml wrote:
> Hi Victor,
> thx again for your great work+support on (open source) suricata project!
> Yes it works with my example/simple pcap, but I have my first seg fault
> with git today (dab679889cf3a915edc382e97f0a6c13fa277eca)
> ok start gdb:
> export LD_LIBRARY_PATH=/home/oisf_suricata_ids/yaml-0.1.3/src/.libs:/home/oisf_suricata_ids/suricata-0.9.1pregit25may2010/libhtp/htp/.libs:$LD_LIBRARY_PATH
> 
> gdb /home/oisf_suricata_ids/suricata-0.9.1pregit25may2010/src/.libs/suricata
> (gdb) r -c /home/suricata_ids_oisf/etc/suricata.yaml -r /mnt/testany2.pcap
> Starting program: /home/oisf_suricata_ids/suricata-0.9.1pregit25may2010/src/.libs/suricata -c /home/suricata_ids_oisf/etc/suricata.yaml -r /mnt/testany2.pcap
> [Thread debugging using libthread_db enabled]
> ...
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread -1216702784 (LWP 19696)]
> DetectDepthSetup (de_ctx=0x86e36f8, s=0x9d0d718, depthstr=0x9d0b6f0 "0")
>     at detect-depth.c:88
> 88                      cd->depth = cd->offset + depth;
> (gdb) bt full
> #0  DetectDepthSetup (de_ctx=0x86e36f8, s=0x9d0d718, depthstr=0x9d0b6f0
> "0")
>     at detect-depth.c:88
>         depth = 3
>         str = 0x9d0b6f0 "0"
>         dubbed = 0 '\0'
>         pm = <value optimized out>
>         __FUNCTION__ = "DetectDepthSetup"
> #1  0x0807b4d8 in SigParseOptions (de_ctx=0x86e36f8, s=0x9d0d718,
>     optstr=0x9d0ea08 " depth:0; offset:14; uricontent:!\"\\:/\";
> depth:14; offset:0; pcre:\"/^[^\\/\\:]{14,}?\\:\\//U\";
> pcre:\"/^(?:GET|POST|HEAD)\\s+(?!(?:\\/|\\:|\\%2F|\\%3A){14})/smi\";
> reference:bugtraq,9581; reference:cve,2004-0039;"...) at detect-parse.c:427
>         _sc_log_err_temp = <value optimized out>
>         ov = {0, 268, 1, 6, 7, 8, 9, 268, 135523032, 164686048, 164686334,
>   164686048, 12087284, 12087284, 12091680, 164682744, -1077205752,
> 12087284,
>   12091680, 164673152, -1077205736, 11150384, 12091680, 164673152,
> 164673264,
> ...
> 
> Regards
> Rmkml
> 
> 
> 
> On Tue, 25 May 2010, Victor Julien wrote:
> 
>> Hi Rmkml, thanks for pointing out the issue. I ended up fixing it
>> slightly differently:
>>
>>
>>
>> diff --git a/src/detect-depth.c b/src/detect-depth.c
>> index 31a8d16..954fcec 100644
>> --- a/src/detect-depth.c
>> +++ b/src/detect-depth.c
>> @@ -72,6 +72,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx,
>> Signature *s, char *depths
>>
>>     DetectUricontentData *ud = NULL;
>>     DetectContentData *cd = NULL;
>> +
>>     switch (pm->type) {
>>         case DETECT_URICONTENT:
>>             ud = (DetectUricontentData *)pm->ctx;
>> @@ -82,9 +83,12 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx,
>> Signature *s, char *depths
>>             }
>>             ud->depth = (uint32_t)atoi(str);
>>             if (ud->uricontent_len + ud->offset > ud->depth) {
>> +                uint32_t depth = (ud->depth > ud->uricontent_len) ?
>> +                    ud->depth : ud->uricontent_len;
>> +                cd->depth = cd->offset + depth;
>> +
>>                 SCLogDebug("depth increased to %"PRIu32" to match
>> pattern len "
>> -                        "and offset", ud->uricontent_len + ud->offset);
>> -                ud->depth = ud->uricontent_len + ud->offset;
>> +                        "and offset", ud->depth);
>>             }
>>         break;
>>
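Review bot: In the DETECT_URICONTENT case the added line "cd->depth = cd->offset + depth;" writes through cd, which is initialised to NULL above the switch, while the visible lines of this branch only assign ud. A rule that uses uricontent with a depth smaller than pattern length plus offset will therefore dereference NULL at rule load, which matches the SIGSEGV reported at detect-depth.c:88. The assignment should be "ud->depth = ud->offset + depth;". With the old "ud->depth = ..." line removed, the SCLogDebug call also prints the parsed ud->depth rather than the adjusted value until that is corrected.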
>> @@ -97,9 +101,12 @@ static int DetectDepthSetup (DetectEngineCtx
>> *de_ctx, Signature *s, char *depths
>>             }
>>             cd->depth = (uint32_t)atoi(str);
>>             if (cd->content_len + cd->offset > cd->depth) {
>> +                uint32_t depth = (cd->depth > cd->content_len) ?
>> +                    cd->depth : cd->content_len;
>> +                cd->depth = cd->offset + depth;
>> +
>>                 SCLogDebug("depth increased to %"PRIu32" to match
>> pattern len "
>> -                        "and offset", cd->content_len + cd->offset);
>> -                cd->depth = cd->content_len + cd->offset;
>> +                        "and offset", cd->depth);
>>             }
>>         break;
>>
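Review bot: The condition in the content case still tests "cd->content_len + cd->offset > cd->depth", so depth is treated as relative to offset only when it is small. With content_len 3 and offset 5, depth:6 becomes 5 + 6 = 11, while depth:10 fails the test and stays at 10, so the larger keyword value ends up with the smaller window. If depth is meant to count from offset, apply the "cd->offset + larger of depth and content_len" assignment unconditionally; the uricontent case has the same shape. The uint32_t sum can also wrap for large offset or depth values coming out of atoi(str), so a range check before the addition would avoid a silently truncated window.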
>>
>> Current master should work!
>>
>> Cheers,
>> Victor
>>
>> rmkml wrote:
>>> Hi,
>>> I have created a small patch for src/detect-depth.c:
>>>
>>> @@ -98,8 +98,8 @@
>>>       cd->depth = (uint32_t)atoi(str);
>>>       if (cd->content_len + cd->offset > cd->depth) {
>>>           SCLogDebug("depth increased to %"PRIu32" to match pattern
>>> len "
>>> -                 "and offset", cd->content_len + cd->offset);
>>> -         cd->depth = cd->content_len + cd->offset;
>>> +                 "and offset", cd->content_len + cd->offset +
>>> (cd->depth - cd->content_len));
>>> +         cd->depth = cd->content_len + cd->offset + (cd->depth -
>>> cd->content_len);
>>>       }
>>>   break;
>>>
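Review bot: The new expression "cd->content_len + cd->offset + (cd->depth - cd->content_len)" reduces to cd->offset + cd->depth, so content_len drops out and the adjusted depth no longer guarantees room for the pattern. With depth:0 the result is just cd->offset, leaving a zero-length window, and when cd->depth is smaller than cd->content_len the unsigned subtraction wraps before the sum brings it back. Using cd->offset plus the larger of cd->depth and cd->content_len would keep the "increased to match pattern len" behaviour the debug message describes; the uricontent branch would need the same change.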
>>> Apply on suricata git 20 May 2010
>>> (b629b7c5c1e2ad6c91b97b6708ad9ddc6a674502)
>>> Not tested(/modified) with uricontent and depth/offset...
>>> Regards
>>> Rmkml
>>>
>>>
>>
>>
>> -- 
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>>


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
