[Oisf-devel] New crash in htp stream code

Chris Wakelin c.d.wakelin at reading.ac.uk
Sun May 1 17:58:55 UTC 2011 

Suricata has been pretty stable for a couple of weeks or so, but the 
latest git updates on 29th and 30th April are now crashing after a while:

> #0  0x00007f566636fa75 in raise () from /lib/libc.so.6
> #1  0x00007f56663735c0 in abort () from /lib/libc.so.6
> #2  0x00007f56663a94fb in ?? () from /lib/libc.so.6
> #3  0x00007f56663b35b6 in ?? () from /lib/libc.so.6
> #4  0x00007f56663b76d8 in ?? () from /lib/libc.so.6
> #5  0x00007f56663b858e in malloc () from /lib/libc.so.6
> #6  0x00007f56675930fd in bstr_alloc (len=5) at bstr.c:25
> #7  0x00007f5667593149 in bstr_strdup_ex (b=0x7f562b7d3de0, offset=19600, len=6) at bstr.c:218
> #8  0x00007f5667598078 in htp_normalize_parsed_uri (connp=0x7f5601183db0, incomplete=0x7f562b7d3c90, normalized=0x7f562b7d3c40)
>     at htp_util.c:1259
> #9  0x00007f56675997fd in htp_connp_REQ_LINE (connp=0x7f5601183db0) at htp_request.c:605
> #10 0x00007f5667599189 in htp_connp_req_data (connp=0x7f5601183db0, timestamp=19600, data=0x6 <Address 0x6 out of bounds>,
>     len=18446744073709551615) at htp_request.c:831
> #11 0x00000000004ee2f1 in HTPHandleRequestData (f=0x1a440370, htp_state=0x7f564ade9640, pstate=0x7f564ade9698,
>     input=0x7f56641f0c60 "GET /%C4%C7%CA%C7%D2%BB%B6%CE%C9%EE%C7%E9/pic/item/1629f015b2cbaa07f3de32d9.jpg?v=tbs HTTP/1.1\r\nAccept:
>     output=0x7f56663ca880) at app-layer-htp.c:406
> #12 0x00000000004ea4bf in AppLayerDoParse (f=0x4c8b, app_layer_state=0x4c90, parser_state=0x6,
>     input=0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>, input_len=0, parser_idx=<value optimised out>, proto=1)
>     at app-layer-parser.c:676
> #13 0x00000000004ea863 in AppLayerParse (f=0x1a440370, proto=<value optimised out>, flags=<value optimised out>,
>     input=0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>, input_len=0) at app-layer-parser.c:885
> #14 0x00000000004da664 in StreamTcpReassembleAppLayer (ra_ctx=<value optimised out>, ssn=<value optimised out>,
>     stream=<value optimised out>, p=<value optimised out>) at stream-tcp-reassemble.c:3008
> #15 0x00000000004da8cf in StreamTcpReassembleHandleSegmentUpdateACK (ra_ctx=<value optimised out>, ssn=<value optimised out>,
>     stream=0x7f5654bb8038, p=<value optimised out>) at stream-tcp-reassemble.c:3393
> #16 0x00000000004dbebe in StreamTcpReassembleHandleSegment (tv=0x67f3840, ra_ctx=0x6aa4740, ssn=0x7f5654bb7fe0,
>     stream=0x7f5654bb7fe8, p=0x0, pq=0x7f56663ca880) at stream-tcp-reassemble.c:3467
> #17 0x00000000004d5f5a in HandleEstablishedPacketToClient (tv=0x67f3840, p=0x37ce790, stt=0x6b14130, ssn=0x7f5654bb7fe0,
>     pq=0x6b14138) at stream-tcp.c:1832
> #18 StreamTcpPacketStateEstablished (tv=0x67f3840, p=0x37ce790, stt=0x6b14130, ssn=0x7f5654bb7fe0, pq=0x6b14138)
>     at stream-tcp.c:1961
> #19 0x00000000004d762d in StreamTcpPacket (tv=0x67f3840, p=0x37ce790, data=0x6b14130, pq=<value optimised out>,
>     postpq=<value optimised out>) at stream-tcp.c:3304
> #20 StreamTcp (tv=0x67f3840, p=0x37ce790, data=0x6b14130, pq=<value optimised out>, postpq=<value optimised out>)
>     at stream-tcp.c:3501
> #21 0x00000000004c0f8e in TmThreadsSlot1 (td=0x67f3840) at tm-threads.c:356
> #22 0x00007f5666b139ca in start_thread () from /lib/libpthread.so.0
> #23 0x00007f566642270d in clone () from /lib/libc.so.6
> #24 0x0000000000000000 in ?? ()

I've another almost identical crash, and also:

> #0  0x00007f0a44172a75 in raise () from /lib/libc.so.6
> #1  0x00007f0a441765c0 in abort () from /lib/libc.so.6
> #2  0x00007f0a441ba214 in ?? () from /lib/libc.so.6
> #3  0x00007f0a441bb58e in malloc () from /lib/libc.so.6
> #4  0x00007f0a4539ea9e in htp_gzip_decompressor_create (connp=0x7f0a3e750ac0) at htp_decompressors.c:191
> #5  0x00007f0a4539e06f in htp_connp_RES_BODY_DETERMINE (connp=0x7f0a3e750ac0) at htp_response.c:296
> #6  0x00007f0a4539d2f9 in htp_connp_res_data (connp=0x7f0a3e750ac0, timestamp=19891, data=0x6 <Address 0x6 out of bounds>,
>     len=18446744073709551615) at htp_response.c:776
> #7  0x00000000004edde0 in HTPHandleResponseData (f=<value optimised out>, htp_state=0x7f0a3e750aa0, pstate=0x7f0a3e751910,
>     input=0x6 <Address 0x6 out of bounds>, input_len=4294967295, output=0x7f0a44288ec6) at app-layer-htp.c:495
> #8  0x00000000004ea4bf in AppLayerDoParse (f=0x4dae, app_layer_state=0x4db3, parser_state=0x6,
>     input=0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>, input_len=1107252992, parser_idx=<value optimised out>,
>     proto=1) at app-layer-parser.c:676
> #9  0x00000000004ea863 in AppLayerParse (f=0x7f0a3f640e40, proto=<value optimised out>, flags=<value optimised out>,
>     input=0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>, input_len=1107252992) at app-layer-parser.c:885
> #10 0x00000000004da6ee in StreamTcpReassembleAppLayer (ra_ctx=<value optimised out>, ssn=<value optimised out>,
>     stream=<value optimised out>, p=<value optimised out>) at stream-tcp-reassemble.c:3015
> #11 0x00000000004da8cf in StreamTcpReassembleHandleSegmentUpdateACK (ra_ctx=<value optimised out>, ssn=<value optimised out>,
>     stream=0x7f0a0e030958, p=<value optimised out>) at stream-tcp-reassemble.c:3393
> #12 0x00000000004dbebe in StreamTcpReassembleHandleSegment (tv=0x60ad840, ra_ctx=0x7f0a3c002230, ssn=0x7f0a0e030950,
>     stream=0x7f0a0e0309a8, p=0x7f0a41ff5700, pq=0x7f0a44288ec6) at stream-tcp-reassemble.c:3467
> #13 0x00000000004d5f5a in HandleEstablishedPacketToClient (tv=0x60ad840, p=0x3091710, stt=0x63ce130, ssn=0x7f0a0e030950,
>     pq=0x63ce138) at stream-tcp.c:1832
> #14 StreamTcpPacketStateEstablished (tv=0x60ad840, p=0x3091710, stt=0x63ce130, ssn=0x7f0a0e030950, pq=0x63ce138)
>     at stream-tcp.c:1961
> #15 0x00000000004d762d in StreamTcpPacket (tv=0x60ad840, p=0x3091710, data=0x63ce130, pq=<value optimised out>,
>     postpq=<value optimised out>) at stream-tcp.c:3304
> #16 StreamTcp (tv=0x60ad840, p=0x3091710, data=0x63ce130, pq=<value optimised out>, postpq=<value optimised out>)
>     at stream-tcp.c:3501
> #17 0x00000000004c0f8e in TmThreadsSlot1 (td=0x60ad840) at tm-threads.c:356
> #18 0x00007f0a449169ca in start_thread () from /lib/libpthread.so.0
> #19 0x00007f0a4422570d in clone () from /lib/libc.so.6
> #20 0x0000000000000000 in ?? ()

I've kept the core files, but have gone back to the pre-29th April 
version for now.

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094

More information about the Oisf-devel mailing list