[Oisf-devel] Frequent Segfaults in AppLayerProtoDetectPMGetProto with new AppLayer changes
Chris Wakelin
c.d.wakelin at reading.ac.uk
Thu Jan 16 12:35:05 UTC 2014
I tried yesterday's git master - 2.0dev (rev 06f9b0a) - on the student
network. It crashed four times in two hours with:
Program terminated with signal 11, Segmentation fault.
#0 AppLayerProtoDetectPMGetProto (pm_results=0x7f339e67cf20,
ipproto=6 '\006', direction=<optimised out>, buflen=972,
buf=0x7f339e67d8d0 "\005\002\005", tctx=0x7f341466cdc0, f=<optimised
out>)
at app-layer-detect-proto.c:1660
(full backtrace attached - I've got three other very similar ones).
I kept the same suricata.yaml as I was using for 2.0beta2. I've switched
back to 2.0beta2 for now.
Let me know if you need any more details. I still have the core files,
but they're huge :-)
Best Wishes,
Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
-------------- next part --------------
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /opt/RDGsuricata.pf561.240913/bin/suricata...done.
[New LWP 19687]
[New LWP 19693]
[New LWP 19690]
[New LWP 19708]
[New LWP 19702]
[New LWP 19696]
[New LWP 19669]
[New LWP 19711]
[New LWP 19675]
[New LWP 19672]
[New LWP 19678]
[New LWP 19684]
[New LWP 19665]
[New LWP 19713]
[New LWP 19712]
[New LWP 19666]
[New LWP 19705]
[New LWP 19699]
[New LWP 19681]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/opt/RDGsuricata/bin/suricata --pfring -c /etc/suricata/suricata-dnacluster.yam'.
Program terminated with signal 11, Segmentation fault.
#0 AppLayerProtoDetectPMGetProto (pm_results=0x7f339e67cf20,
ipproto=6 '\006', direction=<optimised out>, buflen=972,
buf=0x7f339e67d8d0 "\005\002\005", tctx=0x7f341466cdc0, f=<optimised out>)
at app-layer-detect-proto.c:1660
#0 AppLayerProtoDetectPMGetProto (pm_results=0x7f339e67cf20,
ipproto=6 '\006', direction=<optimised out>, buflen=972,
buf=0x7f339e67d8d0 "\005\002\005", tctx=0x7f341466cdc0, f=<optimised out>)
at app-layer-detect-proto.c:1660
No locals.
#1 AppLayerProtoDetectGetProto (tctx=0x7f341466cdc0, f=0x7f323979fb40,
buf=0x7f339e67d8d0 "\005\002\005", buflen=972, ipproto=6 '\006',
direction=<optimised out>) at app-layer-detect-proto.c:1213
alproto = 0
pm_results = {0, 422, 0, 0, 30112, 21185, 32562, 0, 2, 0, 153, 0,
60544, 50643, 32563}
pm_matches = 0
#2 0x00000000004188e6 in AppLayerHandleTCPData (tv=0x884c4b0,
ra_ctx=0x7f34c65ce900, p=0x28ea400, f=0x7f323979fb40, ssn=0x7f31a4d070c0,
stream=<optimised out>, data=0x7f339e67d8d0 "\005\002\005", data_len=972,
flags=9 '\t') at app-layer.c:129
app_tctx = 0x7f34bf6a3820
alproto = 0x7f323979fbb6
alproto_otherdir = 0x7f323979fbb4
dir = 1 '\001'
data_al_so_far = 0
r = 0
first_data_dir = <optimised out>
__FUNCTION__ = "AppLayerHandleTCPData"
__PRETTY_FUNCTION__ = "AppLayerHandleTCPData"
#3 0x00000000005139f3 in StreamTcpReassembleAppLayer (tv=0x884c4b0,
ra_ctx=0x7f34c65ce900, ssn=0x7f31a4d070c0, stream=0x7f31a4d070c8,
p=0x28ea400) at stream-tcp-reassemble.c:3027
flags = <optimised out>
seg_tail = <optimised out>
ra_base_seq = 3672367106
data = "\005\002\005\000\005\000\020??~??Z.7\226??\022p$xy?\235??~??4?`?m.?\b??\037?v??P??jXM\033?\n\034u\036??TTYv?\237?\tn\n\030&\230h\232|]?@???j\205\217?\222?\017HF\226\021,?q\031???\000??]sa?\207\225\b??~?q?hK[&??2???\b?}?\022??\232???\020T\224\220Mx?*p??v?A\032?u\202?\206H?p,?K0\236Mk\016MM?\032T\002h??UL???I?\v@?\017??v???"...
data_len = <optimised out>
payload_offset = <optimised out>
payload_len = <optimised out>
next_seq = <optimised out>
seg = 0x0
__PRETTY_FUNCTION__ = "StreamTcpReassembleAppLayer"
#4 0x0000000000514230 in StreamTcpReassembleHandleSegmentUpdateACK (
tv=0x884c4b0, ra_ctx=0x7f34c65ce900, ssn=0x7f31a4d070c0,
stream=0x7f31a4d070c8, p=0x28ea400) at stream-tcp-reassemble.c:3373
r = 0
#5 0x0000000000515f53 in StreamTcpReassembleHandleSegment (tv=0x884c4b0,
ra_ctx=0x7f34c65ce900, ssn=0x7f31a4d070c0, stream=0x7f31a4d07110,
p=0x28ea400, pq=<optimised out>) at stream-tcp-reassemble.c:3401
opposing_stream = <optimised out>
#6 0x000000000050ceb2 in HandleEstablishedPacketToClient (
pq=<optimised out>, p=<optimised out>, ssn=<optimised out>,
tv=<optimised out>, stt=<optimised out>) at stream-tcp.c:2090
zerowindowprobe = <optimised out>
#7 StreamTcpPacketStateEstablished (tv=0x884c4b0, p=0x28ea400,
stt=0x7f341466cb40, ssn=0x7f31a4d070c0, pq=0x7f341466cb50)
at stream-tcp.c:2336
No locals.
#8 0x0000000000510a7e in StreamTcpPacket (tv=0x884c4b0, p=0x28ea400,
stt=0x7f341466cb40, pq=0x7f33ed1ea7c0) at stream-tcp.c:4242
ssn = 0x7f31a4d070c0
#9 0x0000000000511c7c in StreamTcp (tv=0x884c4b0, p=0x28ea400,
data=0x7f341466cb40, pq=0x7f33ed1ea7c0, postpq=<optimised out>)
at stream-tcp.c:4484
stt = 0x7f341466cb40
ret = TM_ECODE_OK
#10 0x000000000051eaec in TmThreadsSlotVarRun (tv=0x884c4b0, p=0x28ea400,
slot=<optimised out>) at tm-threads.c:559
SlotFunc = 0x511b80 <StreamTcp>
r = <optimised out>
s = 0x7f33ed1ea780
extra_p = <optimised out>
#11 0x000000000050826a in TmThreadsSlotProcessPkt (p=0x28ea400,
s=0x7f33ed1ea8c0, tv=0x884c4b0) at tm-threads.h:142
r = TM_ECODE_OK
#12 ReceivePfringLoop (tv=0x884c4b0, data=0x7f34bf7cf360,
slot=<optimised out>) at source-pfring.c:338
pkt_buffer = 0x28eb158 ""
buffer_size = 1522
r = <optimised out>
packet_q_len = <optimised out>
ptv = 0x7f34bf7cf360
p = 0x28ea400
hdr = {ts = {tv_sec = 1389821302, tv_usec = 714285}, caplen = 64,
len = 64, extended_hdr = {timestamp_ns = 32,
rx_direction = 1 '\001', if_index = 6, pkt_hash = 1366978732,
tx = {bounce_interface = 27705368, reserved = 0x8},
parsed_header_len = 3, parsed_pkt = {dmac = "\000\000\000\000]A",
smac = "w[:\177\000", eth_type = 54296, vlan_id = 50643,
ip_version = 51 '3', l3_proto = 127 '\177', ip_tos = 0 '\000',
ip_src = {v6 = {__in6_u = {
__u6_addr8 = "????3\177\000\000\000??\001\000\000\000",
__u6_addr16 = {54216, 50643, 32563, 0, 49152, 422, 0, 0},
__u6_addr32 = {3318993864, 32563, 27705344, 0}}},
v4 = 3318993864}, ip_dst = {v6 = {__in6_u = {
__u6_addr8 = "\000\000\000\000\000\000\000\000\b\000\000\000\000\000\000", __u6_addr16 = {0, 0, 0, 0, 8, 0, 0, 0}, __u6_addr32 = {0, 0,
8, 0}}}, v4 = 0}, l4_src_port = 8, l4_dst_port = 0,
tcp = {flags = 0 '\000', seq_num = 0, ack_num = 0}, tunnel = {
tunnel_id = 1534558176, tunneled_proto = 58 ':',
tunneled_ip_src = {v6 = {__in6_u = {
__u6_addr8 = "\000\000\000\000\000\000\000\000?7j?4\177\000", __u6_addr16 = {0, 0, 0, 0, 14288, 49002, 32564, 0}, __u6_addr32 = {0, 0,
3211409360, 32564}}}, v4 = 0}, tunneled_ip_dst = {
v6 = {__in6_u = {
__u6_addr8 = "??\204\b\000\000\000\000??\204\b\000\000\000", __u6_addr16 = {50352, 2180, 0, 0, 50352, 2180, 0, 0}, __u6_addr32 = {
142918832, 0, 142918832, 0}}}, v4 = 142918832},
tunneled_l4_src_port = 43200, tunneled_l4_dst_port = 60702},
last_matched_plugin_id = 32563, last_matched_rule_id = 0,
offset = {eth_offset = -27264, vlan_offset = 1612,
l3_offset = 0, l4_offset = 0, payload_offset = -2776}}}}
s = <optimised out>
last_dump = 1389821302
current_time = {tv_sec = 1389821302, tv_usec = 714285}
__FUNCTION__ = "ReceivePfringLoop"
#13 0x0000000000521b5e in TmThreadsSlotPktAcqLoop (td=0x884c4b0)
at tm-threads.c:703
tv = 0x884c4b0
s = 0x7f33ed1eaa00
run = <optimised out>
r = <optimised out>
slot = 0x0
__FUNCTION__ = "TmThreadsSlotPktAcqLoop"
#14 0x00007f3a5a839e9a in start_thread ()
from /lib/x86_64-linux-gnu/libpthread.so.0
No symbol table info available.
#15 0x00007f3a5a0ebccd in clone () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#16 0x0000000000000000 in ?? ()
No symbol table info available.