[Oisf-devel] Suricata 2.0dev + PF_RING 5.6.0 sporadic crashes in HTPCallbackRequest

Chris Wakelin c.d.wakelin at reading.ac.uk
Mon Jul 22 09:13:16 UTC 2013


On 19/07/13 13:58, Anoop Saldanha wrote:
> On Fri, Jul 19, 2013 at 6:07 PM, Chris Wakelin
> <c.d.wakelin at reading.ac.uk> wrote:
>> Hi,
>>
>> I recently upgraded our Suricata instances to Suricata 2.0dev (rev
>> 6229bfa - just a bit before the libhtp unbundling changes) and from
>> PF_RING 5.5.2 to 5.6.0.
>>
>> We're getting sporadic crashes in both sensors; they can go for a day
>> without crashing, then crash three times in half an hour, so it looks
>> like it's triggered by some very specific traffic.
>>
>> Looking in the backtrace, the ReceivePfringLoop frame suggests to me the
>> packet is corrupt (as far as I can tell - e.g. src and dst port are 0
>> and protocol 127, IPv4 addresses don't look like our local ones).
>>
>>> #17 0x0000000000592c0b in ReceivePfringLoop (tv=0xc971540, data=0x7fa92cd51f00, slot=0x86ca8c0) at source-pfring.c:311
>>>         r = 1
>>>         packet_q_len = 4989
>>>         ptv = 0x7fa92cd51f00
>>>         p = 0x420d400
>>>         hdr = {ts = {tv_sec = 1374235900, tv_usec = 231639}, caplen = 60, len = 60, extended_hdr = {timestamp_ns = 4314826383835889664, rx_direction = 1 '\001', if_index = 6, pkt_hash = 1191440499, tx = {bounce_interface = 764450176, reserved = 0x3be157bc34058000},
>>>             parsed_header_len = 0, parsed_pkt = {dmac = "\000\000\000\000\000", smac = "\000\000\000\000\000", eth_type = 38272, vlan_id = 11664, ip_version = 166 '�', l3_proto = 127 '\177', ip_tos = 0 '\000', ip_src = {v6 = {__in6_u = {
>>>                     __u6_addr8 = "�}F\000\000\000\000\000@\025\227\f\000\000\000", __u6_addr16 = {32243, 70, 0, 0, 5440, 3223, 0, 0}, __u6_addr32 = {4619763, 0, 211227968, 0}}}, v4 = 4619763}, ip_dst = {v6 = {__in6_u = {
>>>                     __u6_addr8 = "\000\200\005\064�W�;\000\000\000\000\000\000\000", __u6_addr16 = {32768, 13317, 22460, 15329, 0, 0, 0, 0}, __u6_addr32 = {872775680, 1004623804, 0, 0}}}, v4 = 872775680}, l4_src_port = 0, l4_dst_port = 0, tcp = {flags = 0 '\000',
>>>                 seq_num = 764450208, ack_num = 32678}, tunnel = {tunnel_id = 4626108, tunneled_proto = 0 '\000', tunneled_ip_src = {v6 = {__in6_u = {__u6_addr8 = "@\025\227\f\000\000\000\000Y()ު\177\000", __u6_addr16 = {5440, 3223, 0, 0, 10329, 56873, 32682, 0},
>>>                       __u6_addr32 = {211227968, 0, 3727239257, 32682}}}, v4 = 211227968}, tunneled_ip_dst = {v6 = {__in6_u = {__u6_addr8 = "\000\000\000\000\000\000\000\000\204\a,ު\177\000", __u6_addr16 = {0, 0, 0, 0, 1924, 56876, 32682, 0}, __u6_addr32 = {0, 0,
>>>                         3727427460, 32682}}}, v4 = 0}, tunneled_l4_src_port = 0, tunneled_l4_dst_port = 0}, last_matched_plugin_id = 4, last_matched_rule_id = 0, offset = {eth_offset = 5440, vlan_offset = 3223, l3_offset = 0, l4_offset = 0, payload_offset = -27168}}}}
>>>         s = 0x86ca8c0
>>>         last_dump = 1374235900
>>>         current_time = {tv_sec = 1374235900, tv_usec = 231263}
>>>         __FUNCTION__ = "ReceivePfringLoop"
>>
>> I've attached a backtrace from a core that was generated a few minutes
>> ago (Suricata was compiled with CFLAGS="-ggdb -O0").
>>
>> Any ideas what traffic caused this? (My feeling is the corrupt packets,
>> if that's what they are, are probably PF_RING's fault, but of course
>> Suricata shouldn't crash even then.)
>>
>> I can downgrade Suricata, but alas I'm not allowed to touch PF_RING
>> without going through a Change Control process (it upset the border
>> switch once).
>>
> 
> Can you run the latest master (post 0.5.x changes).  There were some
> bugs in libhtp which were fixed explicitly for 1.4.x, and for the
> master we relied on the 0.5.x fixing it.
> 

Still crashing sporadically I'm afraid, but now it's mostly in
htp_validate_hostname. I've attached another backtrace - does the frame
in ReceivePfringLoop make any sense?

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094
-------------- next part --------------
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Reading symbols from /opt/RDGsuricata.pf560.190713/bin/suricata...done.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/opt/RDGsuricata/bin/suricata --pfring -c /etc/suricata/suricata-dnacluster.yam'.
Program terminated with signal 11, Segmentation fault.
#0  htp_validate_hostname (hostname=0x0) at htp_util.c:2468
#0  htp_validate_hostname (hostname=0x0) at htp_util.c:2468
        data = 0x7fcee6b13fb8 "Host"
        len = <optimised out>
        pos = <optimised out>
#1  0x00007fd4b3ed3a08 in htp_parse_header_hostport (
    hostport=<optimised out>, hostname=0x7fcfece2cec0, port=<optimised out>, 
    flags=0x7fcee6b96a70) at htp_util.c:597
        invalid = 1
        rc = 1
#2  0x00007fd4b3ecf665 in htp_tx_process_request_headers (tx=0x7fcee6b96900)
    at htp_transaction.c:478
        hostname = <optimised out>
        port = <optimised out>
        rc = 1
        cl = 0x7fcee6b13f20
        te = <optimised out>
        h = <optimised out>
        ct = <optimised out>
#3  htp_tx_state_request_headers (tx=0x7fcee6b96900) at htp_transaction.c:901
        rc = 1
#4  0x00007fd4b3ecb885 in htp_connp_REQ_HEADERS (connp=0x7fcee6c73c40)
    at htp_request.c:583
        data = 0x7fcfece2da97 "\r\nNGfZND00bDAHaTE3MZY1MGQ1bGM0zjJjMWJHbDrIYWU0aZc1aTBZbDQZYjAmJmzpOGVZNXplPTc1MZU1bDimdmVyPTEmzm4yOWf0PWpZO29mc243cmalPXHmzGxFcXVlcnkmzmlszW5HOWU4rfaDMDQxaDQlMkVKUEcmdWluPTkxMjk5aTc3MyzjdXa0O23pzD0xMj"...
        len = 2
#5  0x00007fd4b3ecbcda in htp_connp_req_data (connp=0x7fcee6c73c40, 
    timestamp=<optimised out>, data=<optimised out>, len=<optimised out>)
    at htp_request.c:851
        rc = <optimised out>
#6  0x0000000000429dc4 in HTPHandleRequestData (f=0x378ac60, 
    htp_state=0x6a83960, pstate=0x7fcee6a17138, 
    input=0x7fcfece2d9d0 "POST /qxf/check_download HTTP/1.1\r\nAccept: */*\r\nHost: \r\nContent-Type: applation/octet-stream;\r\nContent-Transfe-Encoding: BINARY\r\nContent-Length: 208\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r"..., input_len=409, local_data=0x0, output=0x7fcfece2d830)
    at app-layer-htp.c:642
        r = -1
        ret = 1
        hstate = 0x6a83960
        __FUNCTION__ = "HTPHandleRequestData"
        __PRETTY_FUNCTION__ = "HTPHandleRequestData"
        ts = {tv_sec = 1374478827, tv_usec = 0}
#7  0x000000000043b9c3 in AppLayerDoParse (local_data=0x0, f=0x378ac60, 
    app_layer_state=0x6a83960, parser_state=0x7fcee6a17138, 
    input=0x7fcfece2d9d0 "POST /qxf/check_download HTTP/1.1\r\nAccept: */*\r\nHost: \r\nContent-Type: applation/octet-stream;\r\nContent-Transfe-Encoding: BINARY\r\nContent-Length: 208\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r"..., input_len=409, parser_idx=1, proto=1) at app-layer-parser.c:887
        retval = 0
        result = {head = 0x0, tail = 0x0, cnt = 0}
        r = -1
        e = 0x501767d193889900
#8  0x000000000043be5e in AppLayerParse (local_data=0x0, f=0x378ac60, 
    proto=1 '\001', flags=5 '\005', 
    input=0x7fcfece2d9d0 "POST /qxf/check_download HTTP/1.1\r\nAccept: */*\r\nHost: \r\nContent-Type: applation/octet-stream;\r\nContent-Transfe-Encoding: BINARY\r\nContent-Length: 208\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r"..., input_len=409) at app-layer-parser.c:1093
        r = -1274108377
        parser_idx = 1
        p = 0x8f5840
        ssn = 0x7fcee77faf00
        parser_state_store = 0x7fcee6a17120
        parser_state = 0x7fcee6a17138
        app_layer_state = 0x6a83960
#9  0x0000000000413546 in AppLayerHandleTCPData (dp_ctx=0x86c4608, 
    f=0x378ac60, ssn=0x7fcee77faf00, 
    data=0x7fcfece2d9d0 "POST /qxf/check_download HTTP/1.1\r\nAccept: */*\r\nHost: \r\nContent-Type: applation/octet-stream;\r\nContent-Transfe-Encoding: BINARY\r\nContent-Length: 208\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r"..., data_len=409, flags=5 '\005') at app-layer.c:161
        r = 0
#10 0x00000000005ab301 in StreamTcpReassembleAppLayer (tv=0x1832f460, 
    ra_ctx=0x86c4600, ssn=0x7fcee77faf00, stream=0x7fcee77faf50, p=0x16a9400)
    at stream-tcp-reassemble.c:2933
        flags = 5 '\005'
        seg_tail = 0x62a6930
        ra_base_seq = 2828352677
        data = "POST /qxf/check_download HTTP/1.1\r\nAccept: */*\r\nHost: \r\nContent-Type: applation/octet-stream;\r\nContent-Transfe-Encoding: BINARY\r\nContent-Length: 208\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r"...
        data_len = 409
        payload_offset = 0
        payload_len = 409
        next_seq = 2828352678
        seg = 0x0
        __PRETTY_FUNCTION__ = "StreamTcpReassembleAppLayer"
#11 0x00000000005abbca in StreamTcpReassembleHandleSegmentUpdateACK (
    tv=0x1832f460, ra_ctx=0x86c4600, ssn=0x7fcee77faf00, 
    stream=0x7fcee77faf50, p=0x16a9400) at stream-tcp-reassemble.c:3295
        r = 0
#12 0x00000000005abd29 in StreamTcpReassembleHandleSegment (tv=0x1832f460, 
    ra_ctx=0x86c4600, ssn=0x7fcee77faf00, stream=0x7fcee77faf08, p=0x16a9400, 
    pq=0x6dcbab0) at stream-tcp-reassemble.c:3369
        opposing_stream = 0x7fcee77faf50
#13 0x000000000059bf10 in HandleEstablishedPacketToClient (tv=0x1832f460, 
    ssn=0x7fcee77faf00, p=0x16a9400, stt=0x6dcbaa0, pq=0x6dcbab0)
    at stream-tcp.c:2048
        zerowindowprobe = 0
#14 0x000000000059c8e7 in StreamTcpPacketStateEstablished (tv=0x1832f460, 
    p=0x16a9400, stt=0x6dcbaa0, ssn=0x7fcee77faf00, pq=0x6dcbab0)
    at stream-tcp.c:2294
No locals.
#15 0x00000000005a263b in StreamTcpPacket (tv=0x1832f460, p=0x16a9400, 
    stt=0x6dcbaa0, pq=0x7fd02dd73680) at stream-tcp.c:4200
        ssn = 0x7fcee77faf00
#16 0x00000000005a2e52 in StreamTcp (tv=0x1832f460, p=0x16a9400, 
    data=0x6dcbaa0, pq=0x7fd02dd73680, postpq=0x0) at stream-tcp.c:4441
        stt = 0x6dcbaa0
        ret = TM_ECODE_OK
#17 0x00000000005bbfe5 in TmThreadsSlotVarRun (tv=0x1832f460, p=0x16a9400, 
    slot=0x7fd02dd73780) at tm-threads.c:542
        SlotFunc = 0x5a2d49 <StreamTcp>
        r = TM_ECODE_OK
        s = 0x7fd02dd73640
        extra_p = 0x7fcfece2f500
#18 0x0000000000592e4d in TmThreadsSlotProcessPkt (tv=0x1832f460, 
    s=0x7fd02dd73780, p=0x16a9400) at tm-threads.h:139
        r = TM_ECODE_OK
#19 0x00000000005934bb in ReceivePfringLoop (tv=0x1832f460, 
    data=0x7fd08493c1e0, slot=0x7fd02dd738c0) at source-pfring.c:323
        r = 1
        packet_q_len = 4989
        ptv = 0x7fd08493c1e0
        p = 0x16a9400
        hdr = {ts = {tv_sec = 1374478827, tv_usec = 390403}, caplen = 60, 
          len = 60, extended_hdr = {timestamp_ns = 5771195597319608576, 
            rx_direction = 1 '\001', if_index = 6, pkt_hash = 3252505864, 
            tx = {bounce_interface = -320670336, 
              reserved = 0x501767d193889900}, parsed_header_len = 0, 
            parsed_pkt = {dmac = "\000\000\000\000\000", 
              smac = "\000\000\000\000\000", eth_type = 62848, 
              vlan_id = 60642, ip_version = 207 'Ï', l3_proto = 127 '\177', 
              ip_tos = 0 '\000', ip_src = {v6 = {__in6_u = {
                    __u6_addr8 = "³\206F\000\000\000\000\000`ô2\030\000\000\000", __u6_addr16 = {34483, 70, 0, 0, 62560, 6194, 0, 0}, __u6_addr32 = {
                      4622003, 0, 405992544, 0}}}, v4 = 4622003}, ip_dst = {
                v6 = {__in6_u = {
                    __u6_addr8 = "\000\231\210\223Ñg\027P\000\000\000\000\000\000\000", __u6_addr16 = {39168, 37768, 26577, 20503, 0, 0, 0, 0}, 
                    __u6_addr32 = {2475202816, 1343711185, 0, 0}}}, 
                v4 = 2475202816}, l4_src_port = 0, l4_dst_port = 0, tcp = {
                flags = 0 '\000', seq_num = 3974296992, ack_num = 32719}, 
              tunnel = {tunnel_id = 4628499, tunneled_proto = 0 '\000', 
                tunneled_ip_src = {v6 = {__in6_u = {
                      __u6_addr8 = "`ô2\030\000\000\000\000Y\b£²Ô\177\000", 
                      __u6_addr16 = {62560, 6194, 0, 0, 2137, 45731, 32724, 
                        0}, __u6_addr32 = {405992544, 0, 2997028953, 
                        32724}}}, v4 = 405992544}, tunneled_ip_dst = {v6 = {
                    __in6_u = {
                      __u6_addr8 = "\000\000\000\000\000\000\000\000\204祲Ô\177\000", __u6_addr16 = {0, 0, 0, 0, 59268, 45733, 32724, 0}, __u6_addr32 = {0, 
                        0, 2997217156, 32724}}}, v4 = 0}, 
                tunneled_l4_src_port = 0, tunneled_l4_dst_port = 0}, 
              last_matched_plugin_id = 4, last_matched_rule_id = 0, offset = {
                eth_offset = -2976, vlan_offset = 6194, l3_offset = 0, 
                l4_offset = 0, payload_offset = -2592}}}}
        s = 0x7fd02dd738c0
        last_dump = 1374478827
        current_time = {tv_sec = 1374478827, tv_usec = 390402}
        __FUNCTION__ = "ReceivePfringLoop"
#20 0x00000000005bc91c in TmThreadsSlotPktAcqLoop (td=0x1832f460)
    at tm-threads.c:682
        tv = 0x1832f460
        s = 0x7fd02dd738c0
        run = 1 '\001'
        r = TM_ECODE_OK
        slot = 0x0
        __FUNCTION__ = "TmThreadsSlotPktAcqLoop"
#21 0x00007fd4b31b2e9a in start_thread ()
   from /lib/x86_64-linux-gnu/libpthread.so.0
No symbol table info available.
#22 0x00007fd4b2a64ccd in clone () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#23 0x0000000000000000 in ?? ()
No symbol table info available.
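The request at the bottom of this backtrace carries an empty Host header ("Host: \r\n"), and the parser ends up in htp_validate_hostname with hostname=0x0. The following is an added, stand-alone illustration, not libhtp's or Suricata's code: a Host value splitter that reports the empty value (and a few other malformed shapes) as a status instead of passing a NULL hostname on to later validation. The names parse_host_value, host_status and host_is are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
typedef enum { HOST_OK = 0, HOST_EMPTY = 1, HOST_INVALID = 2 } host_status_t;
typedef struct { char hostname[256]; int port; /* -1 when absent */ } host_result_t;
/* Split the raw value of a "Host:" header (text after the colon, CRLF included)
 * into hostname and port. An empty value such as "Host: \r\n", as in the request
 * above, yields HOST_EMPTY rather than a NULL hostname; bad ports/brackets yield
 * HOST_INVALID. Hypothetical helper, not libhtp's own routine. */
host_status_t parse_host_value(const char *value, size_t len, host_result_t *out)
{
    out->hostname[0] = '\0';
    out->port = -1;
    if (value == NULL) return HOST_EMPTY;
    size_t start = 0, end = len;                     /* trim SP, HT, CR, LF */
    while (start < end && isspace((unsigned char)value[start])) start++;
    while (end > start && isspace((unsigned char)value[end - 1])) end--;
    if (start == end) return HOST_EMPTY;
    const char *h = value + start, *hend = value + end, *name = h, *colon;
    size_t namelen;
    if (*h == '[') {                                 /* IPv6 literal: [::1]:443 */
        const char *close = memchr(h, ']', (size_t)(hend - h));
        if (close == NULL || close == h + 1) return HOST_INVALID;
        name = h + 1; namelen = (size_t)(close - name);
        colon = (close + 1 < hend) ? close + 1 : NULL;
        if (colon != NULL && *colon != ':') return HOST_INVALID;
    } else {                                         /* name or IPv4, optional :port */
        colon = memchr(h, ':', (size_t)(hend - h));
        namelen = colon ? (size_t)(colon - h) : (size_t)(hend - h);
    }
    if (namelen == 0) return HOST_EMPTY;             /* ":80" has no hostname either */
    if (namelen >= sizeof(out->hostname)) return HOST_INVALID;
    memcpy(out->hostname, name, namelen);
    out->hostname[namelen] = '\0';
    if (colon == NULL) return HOST_OK;
    if (colon + 1 == hend) return HOST_INVALID;      /* "host:" with no digits */
    long port = 0;
    for (const char *p = colon + 1; p < hend; p++) { /* decimal 1..65535 only */
        if (!isdigit((unsigned char)*p) || (port = port * 10 + (*p - '0')) > 65535)
            return HOST_INVALID;
    }
    if (port == 0) return HOST_INVALID;
    out->port = (int)port;
    return HOST_OK;
}
/* NUL-terminated convenience wrappers (constructed inputs in the checks). */
host_status_t host_status(const char *v) { host_result_t r; return parse_host_value(v, v ? strlen(v) : 0, &r); }
int host_is(const char *v, const char *host, int port) { host_result_t r;
    return parse_host_value(v, strlen(v), &r) == HOST_OK && strcmp(r.hostname, host) == 0 && r.port == port; }
```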

