[Oisf-devel] Segmentation fault on the latest Suricata beta

Duarte Silva duarte.silva at serializing.me
Fri Dec 20 15:50:43 UTC 2013


On Friday 20 December 2013 16:30:33 Victor Julien wrote:
> On 12/20/2013 04:23 PM, Duarte Silva wrote:
> > On Thursday 19 December 2013 14:40:33 Duarte Silva wrote:
> >> On Thursday 19 December 2013 15:05:17 Victor Julien wrote:
> >>> On 12/19/2013 02:42 PM, Duarte Silva wrote:
> >>>> Hi guys,
> >>>> 
> >>>> just a heads up, there is a segmentation fault when using the HTTP
> >>>> custom
> >>>> log (while printing the host name) on the latest 2.0 beta.
> >>>> 
> >>>> I have looked at the code and will create a pull request on GitHub with
> >>>> a
> >>>> possible fix. More info can be found at [1].
> >>> 
> >>> Thanks Duarte, looking forward to the patch.
> >> 
> >> It seems to be a regression. I have created the pull request [1] (already
> >> tested it and no segmentation fault has occurred).
> >> 
> >> [2] https://github.com/inliniac/suricata/pull/734
> >> 
> >>>> Another thing, the issue [2] can be closed.
> > 
> > Just for the record, the issue reported on [2] happened again. I think the
> > reason is related with the fact that, while testing the patch for [1], I
> > was compiling Suricata with all stack protections enabled. After
> > disabling that, Suricata hasn't crashed when a signature matches (it has
> > been running for 22 hours and matched signatures 21 times) .
> > 
> > Follows the patch I used to enable stack protections:
> > 
> > diff --git a/configure.ac b/configure.ac
> > index 4b394c6..e0c9ec5 100644
> > --- a/configure.ac
> > +++ b/configure.ac
> > @@ -246,10 +246,10 @@
> > 
> >      AS_IF([test "x$enable_gccprotect" = "xyes"], [
> >      
> >          #buffer overflow protection
> > 
> > -        AC_MSG_CHECKING(for -fstack-protector)
> > +        AC_MSG_CHECKING(for -fstack-protector-all)
> > 
> >          TMPCFLAGS="${CFLAGS}"
> > 
> > -        CFLAGS="${CFLAGS} -fstack-protector"
> > -        AC_TRY_LINK(,,SECCFLAGS="${SECCFLAGS} -fstack-protector"
> > +        CFLAGS="${CFLAGS} -fstack-protector-all"
> > +        AC_TRY_LINK(,,SECCFLAGS="${SECCFLAGS} -fstack-protector-all"
> > 
> >          AC_MSG_RESULT(yes),
> >          AC_MSG_RESULT(no))
> >          CFLAGS="${TMPCFLAGS}"
> > 
> > Hope it helps in future problems, cheers,
> 
> Care to do a PR for this? Maybe it'd be best to check for both options
> separately, so that if the -all option isn't available, we can still use
> the regular option.

I'm not sure I get what we would achieve with changing the "-fstack-protector" 
to "-fstack-protector-all", because the patch above, is the one that was 
creating the crash.

At least is what it seems, I need to get some more traffic/running hours under 
the new build (the one without the "-fstack-protector-all" flag) to be 100% 
sure.

Cheers,
Duarte

> 
> Cheers,
> Victor
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3859 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20131220/97f04419/attachment-0002.bin>


More information about the Oisf-devel mailing list