[Oisf-devel] [COMMIT] OISF branch, master-4.0.x, updated. suricata-4.0.3-49-g2b9d242

OISF Git noreply at openinfosecfoundation.org
Mon Feb 12 13:36:44 UTC 2018


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OISF".

The branch, master-4.0.x has been updated
       via  2b9d24203373ceb13331b74255f6297334914fac (commit)
       via  660c1de7ba7657e32e89cea0b16d51b265eaeb6e (commit)
       via  97ebd3b05acaab3ed0d0e1430d554443c023715f (commit)
       via  8f203184817bd47d4a172c1fd4e9b04cb86234b9 (commit)
       via  c5e345f5b8e18e7367f39c32b8722daecd319ddb (commit)
       via  e6936c34fa8a80bc74f70fc8f3ef4e1701394656 (commit)
       via  e238277830eaf502abe632417badb9297ed32100 (commit)
       via  a83c9a376d0168ba322bbe1986d45bc723383e83 (commit)
       via  06c47a7bd79cdb007e009d3dedd733289d8b022a (commit)
       via  10b53ad597286b73eb1f7b99fe8de12a3653c612 (commit)
       via  d2b7b08a0f4e022d87096b71fdbee2716edf502e (commit)
       via  9fec31fb0fd49a4671004596e610debeda36a62c (commit)
       via  95acbf4a58fbce65129519b4be148ef31b3fe1b7 (commit)
       via  7fad49cb04ece47aaddd331ac4d9d6f758bc1f91 (commit)
       via  f2ba14a98b05347a850920e117dea946b2b40f81 (commit)
       via  7f3d623abc4837ecd418ca5c508a045061791701 (commit)
       via  32dc16f085f9e838d71a4d0bfc46ce85374b7b51 (commit)
       via  868acb830121018c368229c7ac605f2e7425f431 (commit)
       via  8623b52db4b3435931ea8b6249577390c00746e7 (commit)
       via  316788ad5c80476d3e945fe6bc9c3b1e26c2f754 (commit)
       via  82d66b8e94cb84bede6175c8738364a07627b511 (commit)
       via  dbd925cd236d711d52116ee368e8a6c78f6cf3c9 (commit)
       via  40e2257f21eff5183d70a64df2a89e564d39f239 (commit)
       via  b11897921f7a03076812c7f9efe8679dfc39ef2a (commit)
       via  fcb81d139098eb0326872c2cf2b9f5835b9ec7db (commit)
       via  0cc3ba3e70222ef7c2d4163eb50f7f8f0ffb45c2 (commit)
       via  dc10f085ef7d8c3d28737ab738f3b02fbbe59ebe (commit)
       via  445f2f2bc5d13f0790353eed90cd5177676ce7c3 (commit)
       via  6fe3620bff3fbef2412b92df5769d8200c4cd977 (commit)
       via  0a1298696d64f62255fe770f61bac0e5a034eabb (commit)
       via  68ee43b9e62755088fb2ffb00d4402dcd5ce9d81 (commit)
       via  1a1bfc734c2a43bacc36829313576e49b58577bf (commit)
       via  cff8b32a0940e25ee246fe1931a643c7186ed90b (commit)
       via  51188e44f949a06812318e599f850bb42bd0affa (commit)
       via  ade46544ca19c04865b6fecbce2ec848702606e2 (commit)
       via  61403bfcc972befcf18f5b1e2816e11db8fcc214 (commit)
       via  a966be1e113235ef44380622240baca7a8471370 (commit)
       via  ff350d3e27deeb2c65f2f1a12fa8db0058e6c432 (commit)
       via  cacd8d11588463b34a345234d334d1d1eaf7aed0 (commit)
       via  bbe21d2b37b2ea5dd25010f56501b139391a9b2e (commit)
       via  49a74cc35cd71c417b8ea5d8d8c1a7d25feb0104 (commit)
       via  9e58f44370942858728e0b05f2d085362841c45f (commit)
       via  0b15f2f78279f8b8d6ec0875e852ae08a1ccbb61 (commit)
       via  9540efb9d69f6718c221f3ed0b7f22032e768d7c (commit)
       via  08560016cc476906d8b6c8f5eecfa3ee26ceb573 (commit)
       via  b8947c6022d89af986d84b82b9ba5d3f8e21b6a6 (commit)
       via  d747d566cc84489266095214a73bf707a1b78d4c (commit)
       via  b3c576abbb9732ac4a071aa4f52ee4935be1ee7c (commit)
       via  48b449448087edd409c59c20795fb7a7ce6c230b (commit)
      from  a5899fb85529b89ffd184d7c55dff57bc55cc5e9 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 2b9d24203373ceb13331b74255f6297334914fac
Author: Victor Julien <victor at inliniac.net>
Date:   Tue Jan 16 11:54:39 2018 +0100

    thresholds: fix issues with host based thresholds
    
    The flow manager thread (that also runs the host cleanup code) would
    sometimes free a host before its thresholds are timed out. This would
    lead to misdetection or too many alerts.
    
    This was mostly (only?) visible on slower systems. And was caused by a
    mismatch between time concepts of the async flow manager thread and the
    packet threads, resulting in the flow manager using a timestamp that
    was before the threshold entry creation ts. This would lead to an
    integer underflow in the timeout check, leading to an incorrect conclusion
    that the threshold entry was timed out.
    
    To address this, check if the 'check' timestamp is not before the creation
    timestamp.
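
The underflow and the guard described in the commit above, as an added example (not Suricata's code): a constructed threshold entry with a creation timestamp and a window, the naive age check that wraps when the flow manager's clock lags behind the packet threads', and the ordered check beside it, both run over the same small table. Struct and field names are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a host threshold entry: when the packet thread
 * created it and how long it stays valid. */
typedef struct ThresholdEntry {
    uint32_t created_ts;   /* seconds, packet-thread clock */
    uint32_t seconds;      /* threshold window */
} ThresholdEntry;

/* The pattern behind the bug: age is computed in unsigned arithmetic, so a
 * 'check' time that lies before the creation time wraps to a huge value and
 * a live entry is reported as expired and freed. */
bool threshold_timed_out_naive(const ThresholdEntry *e, uint32_t check_ts)
{
    uint32_t age = check_ts - e->created_ts;   /* wraps if check_ts < created_ts */
    return age > e->seconds;
}

/* Guarded check in the spirit of the fix: a check timestamp earlier than the
 * creation timestamp means the clocks disagree, not that the entry expired. */
bool threshold_timed_out(const ThresholdEntry *e, uint32_t check_ts)
{
    if (check_ts < e->created_ts)
        return false;
    return (check_ts - e->created_ts) > e->seconds;
}

/* Flow-manager style sweep: how many entries a given check would free at
 * time 'now'. Lets the two checks be compared on the same table. */
size_t count_expired(const ThresholdEntry *entries, size_t n, uint32_t now,
                     bool (*timed_out)(const ThresholdEntry *, uint32_t))
{
    size_t expired = 0;
    for (size_t i = 0; i < n; i++)
        if (timed_out(&entries[i], now))
            expired++;
    return expired;
}

int main(void)
{
    /* Constructed scenario: packet threads created entries at t=1000 and
     * t=1005 (plus an old one at t=900); the async flow manager still holds
     * t=999 when it sweeps. */
    const ThresholdEntry table[] = {
        { 1000, 60 }, { 1005, 60 }, { 900, 60 },
    };
    size_t n = sizeof(table) / sizeof(table[0]);
    uint32_t manager_now = 999;

    printf("naive check frees %zu of %zu entries\n",
           count_expired(table, n, manager_now, threshold_timed_out_naive), n);
    printf("guarded check frees %zu of %zu entries\n",
           count_expired(table, n, manager_now, threshold_timed_out), n);
    return 0;
}
```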

commit 660c1de7ba7657e32e89cea0b16d51b265eaeb6e
Author: Victor Julien <victor at inliniac.net>
Date:   Wed Jan 24 16:37:27 2018 +0100

    stream: set event for suspected data injection during 3whs
    
    This rule will match on the STREAM_3WHS_ACK_DATA_INJECT, that is
    set if we're:
    - in IPS mode
    - get a data packet from the server
    - that matches the exact SEQ/ACK expectations for the 3whs
    
    The action of the rule is set to drop as the stream engine will drop.
    So the rule action is actually not needed, but for consistency it
    is drop.

commit 97ebd3b05acaab3ed0d0e1430d554443c023715f
Author: Victor Julien <victor at inliniac.net>
Date:   Wed Jan 24 15:59:57 2018 +0100

    stream: handle data on incomplete 3whs
    
    If we have only seen the SYN and SYN/ACK of the 3whs, accept data from
    the server if it perfectly matches the SEQ/ACK expectations. This
    might happen in 2 scenarios:
    
    1. packet loss: if we lost the final ACK, we may get data that fits
       this pattern (e.g. an SMTP EHLO message).
    
    2. MOTS/MITM packet injection: an attacker can send a data packet
       together with its SYN/ACK packet. The client due to timing almost
       certainly gets the SYN/ACK before considering the data packet,
       and will respond with the final ACK before processing the data
       packet.
    
    In IDS mode we will accept the data packet and rely on the reassembly
    engine to warn us if the packet was indeed injected.
    
    In IPS mode we will drop the packet. In the packet loss case we will
    rely on retransmissions to get the session back up and running. For
    the injection case we blocked this injection attempt.
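
The SEQ/ACK expectation and the IDS/IPS split described in the two stream commits above (the STREAM_3WHS_ACK_DATA_INJECT event and the handling of data on an incomplete 3whs), as an added example that is not Suricata's stream engine code: a constructed session/packet view, the exact-fit test for server data arriving before the final ACK, and the verdict each mode gives. The struct names, the verdict enum and the event bit value are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed view of a TCP session that has seen the SYN and the SYN/ACK
 * but not yet the client's final ACK. */
typedef struct TcpSession {
    uint32_t client_isn;   /* ISN announced in the SYN */
    uint32_t server_isn;   /* ISN announced in the SYN/ACK */
} TcpSession;

typedef struct TcpPacket {
    bool from_server;
    bool syn, ack, rst;
    uint32_t seq;
    uint32_t ack_num;
    uint32_t payload_len;
} TcpPacket;

typedef enum {
    STREAM_VERDICT_OTHER,   /* not the packet this check is about */
    STREAM_VERDICT_ACCEPT,  /* IDS: accept, reassembly warns if it was injected */
    STREAM_VERDICT_DROP,    /* IPS: drop and raise the event */
} StreamVerdict;

/* Event named in the commit message; the bit value is constructed here. */
#define STREAM_3WHS_ACK_DATA_INJECT 0x1u

/* Does this server packet land exactly where the first post-handshake data
 * would: SEQ one past the server ISN and ACK one past the client ISN?
 * The uint32_t arithmetic wraps correctly for ISNs near 2^32. */
bool fits_3whs_expectation(const TcpSession *ssn, const TcpPacket *p)
{
    return p->from_server && p->ack && !p->syn && !p->rst &&
           p->payload_len > 0 &&
           p->seq == ssn->server_isn + 1 &&
           p->ack_num == ssn->client_isn + 1;
}

/* Decision for a data packet from the server while the handshake is still
 * incomplete: accept in IDS mode, drop and set the event in IPS mode. In the
 * packet-loss case the IPS drop is recovered by retransmission. */
StreamVerdict handle_incomplete_3whs_data(const TcpSession *ssn, const TcpPacket *p,
                                          bool ips_mode, uint32_t *events)
{
    if (!fits_3whs_expectation(ssn, p))
        return STREAM_VERDICT_OTHER;
    if (ips_mode) {
        *events |= STREAM_3WHS_ACK_DATA_INJECT;
        return STREAM_VERDICT_DROP;
    }
    return STREAM_VERDICT_ACCEPT;
}

int main(void)
{
    const TcpSession ssn = { .client_isn = 1000, .server_isn = 5000 };
    /* Constructed packet: server data that lines up with the 3whs. */
    const TcpPacket data = { .from_server = true, .ack = true,
                             .seq = 5001, .ack_num = 1001, .payload_len = 20 };
    uint32_t events = 0;

    StreamVerdict ids = handle_incomplete_3whs_data(&ssn, &data, false, &events);
    StreamVerdict ips = handle_incomplete_3whs_data(&ssn, &data, true, &events);
    printf("IDS verdict=%d, IPS verdict=%d, events=0x%x\n", (int)ids, (int)ips, events);
    return 0;
}
```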

commit 8f203184817bd47d4a172c1fd4e9b04cb86234b9
Author: Victor Julien <victor at inliniac.net>
Date:   Wed Jan 24 15:59:14 2018 +0100

    stream: still inspect packets dropped by stream
    
    The detect engine would bypass packets that are set as dropped. This
    seems sane, as these packets are going to be dropped anyway.
    
    However, it led to the following corner case: stream events that
    triggered the drop could not be matched on the rules. The packet
    with the event wouldn't make it to the detect engine due to the bypass.
    
    This patch changes the logic to not bypass DROP packets anymore.
    Packets that are dropped by the stream engine will set the no payload
    inspection flag, to avoid needless cost.

commit c5e345f5b8e18e7367f39c32b8722daecd319ddb
Author: Victor Julien <victor at inliniac.net>
Date:   Tue Feb 6 10:35:05 2018 +0100

    nfs: remove old test code

commit e6936c34fa8a80bc74f70fc8f3ef4e1701394656
Author: Victor Julien <victor at inliniac.net>
Date:   Mon Jan 29 11:26:01 2018 +0100

    pcre: don't leak memory in data extraction

commit e238277830eaf502abe632417badb9297ed32100
Author: Victor Julien <victor at inliniac.net>
Date:   Thu Jan 25 17:55:17 2018 +0100

    rust/nfs: explicitly handle GAPs from C
    
    It seems that Rust optimizes this code in such a way that it
    passes the null ptr along as real data.
    
        if buf.as_ptr().is_null() && input_len > 0 {

commit a83c9a376d0168ba322bbe1986d45bc723383e83
Author: Victor Julien <victor at inliniac.net>
Date:   Thu Jan 25 15:31:35 2018 +0100

    rust/filetracker: if file API return error, trunc file

commit 06c47a7bd79cdb007e009d3dedd733289d8b022a
Author: Victor Julien <victor at inliniac.net>
Date:   Thu Jan 25 14:56:05 2018 +0100

    rust/nfs: fix read reply handling
    
    READ replies with large data chunks are processed partially to avoid
    queuing too much data. When the final chunk was received however, the
    start of the chunk would already tag the transaction as 'done'. The
    more aggressive tx freeing that was recently merged would cause this
    tx to be freed before the rest of the in-progress chunk was done.
    
    This patch delays the tagging of the tx until the final data has been
    received.

commit 10b53ad597286b73eb1f7b99fe8de12a3653c612
Author: Victor Julien <victor at inliniac.net>
Date:   Thu Jan 25 11:02:33 2018 +0100

    file: minor cleanups

commit d2b7b08a0f4e022d87096b71fdbee2716edf502e
Author: Victor Julien <victor at inliniac.net>
Date:   Thu Jan 25 10:32:13 2018 +0100

    file: use enum for state
    
    Makes debugging easier.

commit 9fec31fb0fd49a4671004596e610debeda36a62c
Author: Victor Julien <victor at inliniac.net>
Date:   Thu Jan 25 10:05:55 2018 +0100

    rust/file: handle file open errors

commit 95acbf4a58fbce65129519b4be148ef31b3fe1b7
Author: Victor Julien <victor at inliniac.net>
Date:   Thu Jan 25 09:56:37 2018 +0100

    rust/file: change return type for FileOpenFileWithId
    
    Make it int so we can easily check it in Rust. No consumer used the
    File pointer that was returned before anyway.

commit 7fad49cb04ece47aaddd331ac4d9d6f758bc1f91
Author: Victor Julien <victor at inliniac.net>
Date:   Thu Jan 25 09:47:02 2018 +0100

    rust/core: comment cleanup

commit f2ba14a98b05347a850920e117dea946b2b40f81
Author: Victor Julien <victor at inliniac.net>
Date:   Mon Jan 29 14:16:01 2018 +0100

    rust: don't gen C headers if Rust isn't enabled

commit 7f3d623abc4837ecd418ca5c508a045061791701
Author: Martin Natano <martin.natano at radarservices.com>
Date:   Mon Oct 30 16:03:25 2017 +0100

    app-layer-htp, stream-tcp: prevent modulo bias in RandomGetWrap()
    
    RAND_MAX is not guaranteed to be a divisor of ULONG_MAX, so take the
    necessary precautions to get unbiased random numbers. Although the
    bias might be negligible, it's not advisable to rely on it.
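
The bias and its remedy, as an added example that is not Suricata's RandomGetWrap(): a raw source in [0, RAND_MAX] reduced modulo n hands the first (span % n) residues one extra value each; rejection sampling redraws on the incomplete final block so every residue is equally likely. The scripted source is constructed so the rejection path can be driven deterministically.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* A source of raw randomness that returns values in [0, RAND_MAX], such as
 * rand() or random(). */
typedef long (*rand_source_fn)(void);

/* Number of distinct raw values the source can produce. */
static unsigned long source_span(void)
{
    return (unsigned long)RAND_MAX + 1UL;
}

/* How many raw values land on residue k when the source is reduced modulo n
 * (n >= 1): the first (span % n) residues each receive one value more than
 * the rest. That surplus is the modulo bias the commit message refers to. */
unsigned long biased_residue_count(unsigned long n, unsigned long k)
{
    unsigned long span = source_span();
    return span / n + (k < span % n ? 1UL : 0UL);
}

/* Smallest raw value to reject so that [0, limit) is an exact multiple of n. */
unsigned long rejection_limit(unsigned long n)
{
    unsigned long span = source_span();
    return span - (span % n);
}

/* Pre-fix shape for comparison: plain modulo, biased whenever n does not
 * divide the span. */
unsigned long random_below_biased(unsigned long n, rand_source_fn src)
{
    return (unsigned long)src() % n;
}

/* Unbiased value in [0, n) by rejection sampling: redraw whenever the raw
 * value falls in the incomplete final block. n must be in [2, span]; other
 * values yield 0 since a single draw cannot cover them. */
unsigned long random_below(unsigned long n, rand_source_fn src)
{
    if (n < 2 || n > source_span())
        return 0;
    unsigned long limit = rejection_limit(n);
    unsigned long r;
    do {
        r = (unsigned long)src();
    } while (r >= limit);
    return r % n;
}

/* Scripted source so the rejection path can be exercised deterministically
 * (constructed for this example). */
static const long *script_vals;
static size_t script_len, script_pos, script_calls;

void script_set(const long *vals, size_t len)
{
    script_vals = vals;
    script_len = len;
    script_pos = 0;
    script_calls = 0;
}

long scripted_source(void)
{
    script_calls++;
    if (script_pos >= script_len)
        return 0;                 /* script exhausted; 0 is always accepted */
    return script_vals[script_pos++];
}

size_t script_call_count(void)
{
    return script_calls;
}

static long libc_source(void)
{
    return rand();
}

int main(void)
{
    printf("RAND_MAX=%d; for n=3 raw values >= %lu are rejected\n",
           RAND_MAX, rejection_limit(3));
    printf("plain modulo: residue 0 gets %lu raw values, residue 2 gets %lu\n",
           biased_residue_count(3, 0), biased_residue_count(3, 2));
    srand(1);
    printf("unbiased draw below 3: %lu\n", random_below(3, libc_source));
    return 0;
}
```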

commit 32dc16f085f9e838d71a4d0bfc46ce85374b7b51
Author: Alexander Gozman <a.gozman at securitycode.ru>
Date:   Thu Jan 18 09:05:15 2018 +0000

    af_packet: bug #2422.
    
    This commit fixes a leak of mmap'ed ring buffer that was not
    unmapped when a socket was closed. In addition, the leak could
    break an inline channel on certain configurations.
    
    Also slightly changed AFPCreateSocket():
    1. If an interface is not up, it does not try to apply any
       settings to a socket. This reduces the number of error messages
       while an interface is down.
    2. Interface is considered active if both IFF_UP and IFF_RUNNING
       are present.

commit 868acb830121018c368229c7ac605f2e7425f431
Author: Victor Julien <victor at inliniac.net>
Date:   Wed Jan 17 13:04:54 2018 +0100

    stream/midstream: be more liberal with window
    
    Use the wscale setting when updating the window, even if it's very
    high.

commit 8623b52db4b3435931ea8b6249577390c00746e7
Author: Maurizio Abba <mabba at lastline.com>
Date:   Thu Jan 11 14:34:37 2018 +0000

    time: Force init cached_minute_start array
    
    In offline mode, if the starting timestamp is 0 suricata will never
    initialize cached_minute_start array. This causes the timestamp to be
    ignored when needed (e.g., in fast.log).
    
    This commit will force the initialization of this array.

commit 316788ad5c80476d3e945fe6bc9c3b1e26c2f754
Author: Victor Julien <victor at inliniac.net>
Date:   Tue Oct 17 10:19:00 2017 +0200

    rust/nfs: improve file close handling

commit 82d66b8e94cb84bede6175c8738364a07627b511
Author: Nick Price <nick at spun.io>
Date:   Thu Dec 28 11:11:17 2017 -0500

    rust/nfs: don't panic on malformed NFS traffic
    
    Instead set events.

commit dbd925cd236d711d52116ee368e8a6c78f6cf3c9
Author: Eric Leblond <eric at regit.org>
Date:   Mon Jan 1 19:03:24 2018 +0100

    af-packet: free ring buffer at exit

commit 40e2257f21eff5183d70a64df2a89e564d39f239
Author: Victor Julien <victor at inliniac.net>
Date:   Thu Dec 21 12:07:46 2017 +0100

    scan-build: fix memleak warning in port parsing

commit b11897921f7a03076812c7f9efe8679dfc39ef2a
Author: Victor Julien <victor at inliniac.net>
Date:   Thu Dec 21 12:00:28 2017 +0100

    detect/tos: fix memleak in error path

commit fcb81d139098eb0326872c2cf2b9f5835b9ec7db
Author: Victor Julien <victor at inliniac.net>
Date:   Thu Dec 21 11:00:28 2017 +0100

    scan-build: fix warning in radix tree

commit 0cc3ba3e70222ef7c2d4163eb50f7f8f0ffb45c2
Author: Jason Ish <ish at unx.ca>
Date:   Tue Dec 19 15:44:17 2017 -0600

    eve.flow: remove "hi" log message

commit dc10f085ef7d8c3d28737ab738f3b02fbbe59ebe
Author: Jason Ish <ish at unx.ca>
Date:   Tue Dec 19 15:43:50 2017 -0600

    eve.netflow: remove "hi" log message

commit 445f2f2bc5d13f0790353eed90cd5177676ce7c3
Author: Victor Julien <victor at inliniac.net>
Date:   Wed Dec 20 09:30:42 2017 +0100

    decode/vlan: don't consider ARP 'unknown'

commit 6fe3620bff3fbef2412b92df5769d8200c4cd977
Author: Victor Julien <victor at inliniac.net>
Date:   Wed Dec 20 08:57:29 2017 +0100

    pfring: add warning for stripped vlan header case
    
    According to PF_RING upstream the vlan header should never be stripped
    from the packet PF_RING feeds to Suricata. But upstream also indicated
    keeping the check would be a good "safety check".
    
    So in addition to the check, add a warning that warns once (per thread
    for implementation simplicity) if the vlan hdr does appear to be stripped
    after all.

commit 0a1298696d64f62255fe770f61bac0e5a034eabb
Author: Victor Julien <victor at inliniac.net>
Date:   Tue Dec 19 20:17:39 2017 +0100

    pfring: fix vlan handling issues
    
    When Suricata was monitoring traffic with a single vlan layer, the stats
    and output instead showed 2. This was caused by the raw packets PF_RING
    feeds Suricata would hold the vlan header, but the code assumed that
    the header was stripped and the vlan_id passed to Suricata through
    PF_RING's extended_hdr.parsed_pkt.
    
    This patch adds the following logic: Check vlan id from the parser packet
    PF_RING prepared. PF_RING sets the vlan_id based on its own parsing or
    based on the hardware offload. It gives no indication on where the vlan_id
    came from, so we rely on the vlan_offset field. If it's 0, we assume the
    PF_RING parser did not see the vlan header and got it from the hardware
    offload. In this case we will use this information directly, as we won't
    get a raw vlan header later. If PF_RING did set the offset, we do the
    parsing in the Suricata decoder so that we have full control.
    
    PF_RING *should* put back the vlan header in all cases, and also set the
    vlan_offset field, but as an extra precaution keep the check described
    above.
    
    Bug #2355.

commit 68ee43b9e62755088fb2ffb00d4402dcd5ce9d81
Author: Pierre Chifflier <chifflier at wzdftpd.net>
Date:   Mon Mar 17 18:59:35 2014 +0100

    Hash table: free bucket in case of insertion error
    
    This fixes a warning raised by cppcheck.

commit 1a1bfc734c2a43bacc36829313576e49b58577bf
Author: Pierre Chifflier <chifflier at wzdftpd.net>
Date:   Fri Mar 14 18:59:11 2014 +0100

    Hash table: check hash array size when inserting element
    
    If the hash function returns an index greater than the array size of the
    hash table, the index is not checked. Even if this is the responsibility
    of the caller, add a safety check to avoid errors.

commit cff8b32a0940e25ee246fe1931a643c7186ed90b
Author: Jason Ish <ish at unx.ca>
Date:   Mon Dec 18 06:58:18 2017 -0600

    dns-log: don't register if HAVE_RUST
    
    Log just one notice message when attempting to register
    this logger with HAVE_RUST, instead of logging on
    every attempt to output a DNS record.
    
    Issue:
    https://redmine.openinfosecfoundation.org/issues/2365

commit 51188e44f949a06812318e599f850bb42bd0affa
Author: Jason Ish <ish at unx.ca>
Date:   Mon Dec 18 06:46:17 2017 -0600

    rust/dns - convert more type values to text
    
    Issue:
    https://redmine.openinfosecfoundation.org/issues/2364
    
    Convert more record type and error code values to text.
    Remove duplicate type declarations.

commit ade46544ca19c04865b6fecbce2ec848702606e2
Author: Andreas Herz <andi at geekosphere.org>
Date:   Thu Dec 14 01:10:33 2017 +0100

    detect-engine: add missing mutex unlock

commit 61403bfcc972befcf18f5b1e2816e11db8fcc214
Author: Andreas Herz <andi at geekosphere.org>
Date:   Thu Dec 14 00:59:30 2017 +0100

    rule-reload: fix possible hangup with SIGUSR2
    
    In some cases the rule reload could hang. The pending USR2 signals will
    be recognized even with the <2 check. Also the SCLogWarning shouldn't be
    used in the handler (see Warning about SCLog* API above in the code).

commit a966be1e113235ef44380622240baca7a8471370
Author: Victor Julien <victor at inliniac.net>
Date:   Wed Dec 6 22:54:31 2017 +0100

    doc: initial suricata-update page

commit ff350d3e27deeb2c65f2f1a12fa8db0058e6c432
Author: Victor Julien <victor at inliniac.net>
Date:   Wed Dec 13 10:28:19 2017 +0100

    app-layer/counters: check counter id
    
    Check counter id before updating a counter. In case of a disabled
    parser with the protocol detection enabled, the id can be 0. In
    debug mode this would lead to a BUG_ON.

commit cacd8d11588463b34a345234d334d1d1eaf7aed0
Author: Victor Julien <victor at inliniac.net>
Date:   Tue Dec 5 15:36:22 2017 +0100

    qa: add more drmemory suppressions for hyperscan

commit bbe21d2b37b2ea5dd25010f56501b139391a9b2e
Author: Victor Julien <victor at inliniac.net>
Date:   Thu Dec 7 17:47:03 2017 +0100

    output: don't deadlock on log reopen failure
    
    If output log reopen fails, don't try to output the error. This would
    lead to a deadlock as reopen was called from a SCLogMessage call. This
    call already held the output lock.
    
    Bug #2306.

commit 49a74cc35cd71c417b8ea5d8d8c1a7d25feb0104
Author: Wolfgang Hotwagner <code at feedyourhead.at>
Date:   Mon Dec 18 14:49:38 2017 +0000

    Conf: Multiple NULL-pointer dereferences in PostConfLoadedSetup
    
    Multiple NULL-pointer dereferences after ConfGet in PostConfLoadedSetup can cause suricata to terminate with segfaults. The ASAN-output:
    
    ASAN:DEADLYSIGNAL
    =================================================================
    ==5734==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f1a9a3967cc bp 0x7ffdff033ad0 sp 0x7ffdff033250 T0)
        #0 0x7f1a9a3967cb (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x447cb)
        #1 0x55ba65f66f27 in PostConfLoadedSetup /root/suricata-1/src/suricata.c:2652
        #2 0x55ba65f6870e in main /root/suricata-1/src/suricata.c:2898
        #3 0x7f1a96aeb2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
        #4 0x55ba65af9039 in _start (/usr/local/bin/suricata+0xc8039)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x447cb)
    
    This commit fixes Bug #2370 by replacing ConfGet by ConfGetValue.

commit 9e58f44370942858728e0b05f2d085362841c45f
Author: Wolfgang Hotwagner <code at feedyourhead.at>
Date:   Sun Dec 17 22:15:27 2017 +0000

    Conf: Multiple NULL-pointer dereferences after ConfGetBool in StreamTcpInitConfig
    
    There are multiple NULL-pointer dereferences after calling ConfGetBool in StreamTcpInitConfig. ConfGetBool calls ConfGet which doesn't check the vptr-argument. This is a sample ASAN-output:
    
    ==1453==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2969b83a28 bp 0x7ffdbf613a90 sp 0x7ffdbf613210 T0)
        #0 0x7f2969b83a27 in strcasecmp (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x51a27)
        #1 0x564185accefd in ConfValIsTrue /root/suricata-1/src/conf.c:559
        #2 0x564185accb4f in ConfGetBool /root/suricata-1/src/conf.c:512
        #3 0x564185dcbe05 in StreamTcpInitConfig /root/suricata-1/src/stream-tcp.c:381
        #4 0x564185e21a88 in PreRunInit /root/suricata-1/src/suricata.c:2264
        #5 0x564185e24d2c in PostConfLoadedSetup /root/suricata-1/src/suricata.c:2763
        #6 0x564185e2570e in main /root/suricata-1/src/suricata.c:2898
        #7 0x7f29662cb2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
        #8 0x5641859b6039 in _start (/usr/local/bin/suricata+0xc8039)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x51a27) in strcasecmp
    ==1453==ABORTING
    
    This commit replaces ConfGet by ConfGetValue in ConfGetBool. This not only fixes Bug #2368 but might also fix others.

commit 0b15f2f78279f8b8d6ec0875e852ae08a1ccbb61
Author: Wolfgang Hotwagner <code at feedyourhead.at>
Date:   Sun Dec 17 21:54:15 2017 +0000

    Conf: Multiple NULL-pointer dereferences in HostInitConfig
    
    Multiple NULL-pointer dereferences after ConfGet in HostInitConfig can cause suricata to terminate with segfaults. The ASAN-output:
    
    ==29747==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff937904646 bp
        #0 0x7ff937904645 in strlen (/lib/x86_64-linux-gnu/libc.so.6+0x80645)
        #1 0x7ff93b146eec  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3beec)
        #2 0x5618387c86a3 in HostInitConfig /root/suricata-1/src/host.c:174
        #3 0x56183893eccb in PostConfLoadedSetup /root/suricata-1/src/suricata.c:2752
        #4 0x56183893f70e in main /root/suricata-1/src/suricata.c:2898
        #5 0x7ff9378a42b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
        #6 0x5618384d0039 in _start (/usr/local/bin/suricata+0xc8039)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x80645) in strlen
    
    This commit fixes Bug #2367.

commit 9540efb9d69f6718c221f3ed0b7f22032e768d7c
Author: Wolfgang Hotwagner <code at feedyourhead.at>
Date:   Mon Dec 11 20:20:00 2017 +0000

    conf: multiple NULL-pointer dereferences in StreamTcpInitConfig
    
    There are several NULL-pointer derefs in StreamTCPInitConfig. All of them happen because ConfGet returns 1 even if the value is NULL (due to misconfiguration, for example).
    This commit introduces a new function "ConfGetValue". It adds return values for NULL-pointers to ConfGet and could be used as a replacement for ConfGet.
    
    Note: Simply modifying ConfGet might not be a good idea, because there are some places where ConfGet should return 1 even if "value" is NULL, for example if ConfGet should get a Config-Leave in the yaml-hierarchy.
    
    Bug: 2354

commit 08560016cc476906d8b6c8f5eecfa3ee26ceb573
Author: Wolfgang Hotwagner <code at feedyourhead.at>
Date:   Sat Dec 9 13:18:49 2017 +0000

    conf: multiple NULL-pointer dereferences in FlowInitConfig
    
    This commit fixes multiple NULL-pointer dereferences in FlowInitConfig after reading in config-values (flow.hash-size, flow.prealloc and flow.memcap) for flow. Here is a sample ASAN-output:
    
    =================================================================
    ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fea73456646 bp 0x7fffd70e1ba0 sp 0x7fffd70e1328 T0)
        #0 0x7fea73456645 in strlen (/lib/x86_64-linux-gnu/libc.so.6+0x80645)
        #1 0x7fea76c98eec (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3beec)
        #2 0x5643efb4c205 in FlowInitConfig /root/suricata-1/src/flow.c:455
        #3 0x5643efcd1751 in PreRunInit /root/suricata-1/src/suricata.c:2247
        #4 0x5643efcd49f4 in PostConfLoadedSetup /root/suricata-1/src/suricata.c:2748
        #5 0x5643efcd5402 in main /root/suricata-1/src/suricata.c:2884
        #6 0x7fea733f62b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
        #7 0x5643ef8761a9 in _start (/usr/local/bin/suricata+0xc51a9)
    
    Ticketno: Bug #2349
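
The failure mode in the conf commits above (ConfGet returning 1 for a node whose value is NULL, and FlowInitConfig then dereferencing it) next to a ConfGetValue-style lookup, as an added example that is not Suricata's conf.c or flow.c: a flat constructed node list stands in for the YAML tree, and a FlowInitConfig-like routine reads flow.memcap only when a real string came back. The return-code convention (1 found, 0 missing, -1 present-but-NULL), the default memcap and the plain-decimal parsing are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the configuration tree: a flat list of nodes.
 * A node can exist with a NULL value, e.g. a key written as "memcap:" with
 * nothing after it, or a branch node in the YAML hierarchy. */
typedef struct ConfNode {
    const char *name;
    const char *val;
} ConfNode;

static const ConfNode *conf_find(const ConfNode *nodes, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(nodes[i].name, name) == 0)
            return &nodes[i];
    return NULL;
}

/* ConfGet as the commit messages describe it: 1 whenever the node exists,
 * even when its value is NULL. A caller that goes on to strlen(*vptr) or
 * strcasecmp(*vptr, "yes") dereferences NULL. */
int conf_get(const ConfNode *nodes, size_t n, const char *name, const char **vptr)
{
    const ConfNode *node = conf_find(nodes, n, name);
    if (node == NULL)
        return 0;
    *vptr = node->val;
    return 1;
}

/* ConfGetValue-style lookup: only reports success when a real string is
 * present. Return codes are this example's convention: 1 value found,
 * 0 node missing, -1 node present but value NULL. */
int conf_get_value(const ConfNode *nodes, size_t n, const char *name, const char **vptr)
{
    const ConfNode *node = conf_find(nodes, n, name);
    if (node == NULL)
        return 0;
    if (node->val == NULL)
        return -1;
    *vptr = node->val;
    return 1;
}

/* Hypothetical default for this example, not Suricata's. */
#define EXAMPLE_DEFAULT_MEMCAP (32ULL * 1024 * 1024)

/* How an init routine such as FlowInitConfig can consume the lookup: parse
 * flow.memcap only when a string came back, use the default when the key is
 * absent, and fail on an empty or unparsable key (plain decimal bytes here).
 * Returns 0 on success, -1 on a configuration error. */
int flow_memcap_from_conf(const ConfNode *nodes, size_t n, unsigned long long *memcap)
{
    const char *val = NULL;
    int rc = conf_get_value(nodes, n, "flow.memcap", &val);
    if (rc == 0) {
        *memcap = EXAMPLE_DEFAULT_MEMCAP;
        return 0;
    }
    if (rc < 0)
        return -1;               /* "flow.memcap:" with no value: misconfiguration */

    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(val, &end, 10);
    if (errno != 0 || end == val || *end != '\0')
        return -1;               /* not a plain decimal byte count */
    *memcap = v;
    return 0;
}

int main(void)
{
    /* Constructed config: flow.memcap is present but empty. */
    const ConfNode cfg[] = {
        { "flow.hash-size", "65536" },
        { "flow.prealloc",  "10000" },
        { "flow.memcap",    NULL },
    };
    size_t n = sizeof(cfg) / sizeof(cfg[0]);
    const char *v = NULL;
    unsigned long long memcap = 0;

    int rc_old = conf_get(cfg, n, "flow.memcap", &v);
    printf("ConfGet-style:      rc=%d val=%s (a strlen() here would crash)\n",
           rc_old, v ? v : "(null)");
    int rc_new = conf_get_value(cfg, n, "flow.memcap", &v);
    printf("ConfGetValue-style: rc=%d\n", rc_new);
    printf("FlowInitConfig-style parse: rc=%d\n", flow_memcap_from_conf(cfg, n, &memcap));
    return 0;
}
```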

commit b8947c6022d89af986d84b82b9ba5d3f8e21b6a6
Author: Wolfgang Hotwagner <code at feedyourhead.at>
Date:   Fri Dec 8 22:01:38 2017 +0000

    conf: use of NULL-pointer in DetectLoadCompleteSigPath
    
    The "sig_file" argument of DetectLoadCompleteSigPath() is not checked for NULL-values. If this argument is NULL a SEGV occurs because of a dereferenced NULL-pointer in strlen in PathIsAbsolute. This commit fixes bug #2347. Here is the ASAN-output:
    
    ==17170==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd1afa00646 bp 0x7ffe8398e6d0 sp 0x7ffe8398de58 T0)
        #0 0x7fd1afa00645 in strlen (/lib/x86_64-linux-gnu/libc.so.6+0x80645)
        #1 0x7fd1b3242eec  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3beec)
        #2 0x5561c8cddf7f in PathIsAbsolute /root/suricata-1/src/util-path.c:40
        #3 0x5561c8cddfea in PathIsRelative /root/suricata-1/src/util-path.c:65
        #4 0x5561c89275e4 in DetectLoadCompleteSigPath /root/suricata-1/src/detect.c:264
        #5 0x5561c8929e75 in SigLoadSignatures /root/suricata-1/src/detect.c:486
        #6 0x5561c8c0f2b3 in LoadSignatures /root/suricata-1/src/suricata.c:2419
        #7 0x5561c8c1051d in PostConfLoadedDetectSetup /root/suricata-1/src/suricata.c:2550
        #8 0x5561c8c12424 in main /root/suricata-1/src/suricata.c:2887
        #9 0x7fd1af9a02b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
        #10 0x5561c87b31a9 in _start (/usr/local/bin/suricata+0xc51a9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x80645) in strlen

commit d747d566cc84489266095214a73bf707a1b78d4c
Author: Wolfgang Hotwagner <code at feedyourhead.at>
Date:   Fri Dec 8 21:39:11 2017 +0000

    conf: NULL-pointer dereference in ConfUnixSocketIsEnable
    
    The value for the configuration-option "unix-command.enabled" is not properly checked in ConfUnixSocketIsEnable. This causes a NULL-pointer dereference in strcmp. This commit fixes bug #2346. The ASAN-output looks like:
    
    ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f03b69737cc bp 0x7ffcef322c10 sp 0x7ffcef322390 T0)
        #0 0x7f03b69737cb (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x447cb)
        #1 0x5617a76d3f55 in ConfUnixSocketIsEnable /root/suricata-1/src/util-conf.c:104
        #2 0x5617a741b6e7 in DetectEngineMultiTenantSetup /root/suricata-1/src/detect-engine.c:2447
        #3 0x5617a769e0c3 in PostConfLoadedDetectSetup /root/suricata-1/src/suricata.c:2527
        #4 0x5617a76a0424 in main /root/suricata-1/src/suricata.c:2887
        #5 0x7f03b30c82b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
        #6 0x5617a72411a9 in _start (/usr/local/bin/suricata+0xc51a9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x447cb

commit b3c576abbb9732ac4a071aa4f52ee4935be1ee7c
Author: Wolfgang Hotwagner <code at feedyourhead.at>
Date:   Fri Dec 8 21:05:29 2017 +0000

    conf: Memory-leak in DetectAddressTestConfVars
    
    There is a memory-leak in DetectAddressTestConfVars. If the program takes the "goto error"-path, the pointers gh and ghn will not be freed. This commit fixes bug #2345. Here is the ASAN-output:
    
    =================================================================
    ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 24 byte(s) in 1 object(s) allocated from:
        #0 0x7f4347cb1d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
        #1 0x55fe1fc8dcfc in DetectAddressHeadInit /root/suricata-1/src/detect-engine-address.c:1534
        #2 0x55fe1fc8c50a in DetectAddressTestConfVars /root/suricata-1/src/detect-engine-address.c:1306
        #3 0x55fe1ff356bd in PostConfLoadedSetup /root/suricata-1/src/suricata.c:2696
        #4 0x55fe1ff365eb in main /root/suricata-1/src/suricata.c:2884
        #5 0x7f43443892b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    
    Direct leak of 24 byte(s) in 1 object(s) allocated from:
        #0 0x7f4347cb1d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
        #1 0x55fe1fc8dcfc in DetectAddressHeadInit /root/suricata-1/src/detect-engine-address.c:1534
        #2 0x55fe1fc8c524 in DetectAddressTestConfVars /root/suricata-1/src/detect-engine-address.c:1310
        #3 0x55fe1ff356bd in PostConfLoadedSetup /root/suricata-1/src/suricata.c:2696
        #4 0x55fe1ff365eb in main /root/suricata-1/src/suricata.c:2884
        #5 0x7f43443892b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    
    SUMMARY: AddressSanitizer: 48 byte(s) leaked in 2 allocation(s).

commit 48b449448087edd409c59c20795fb7a7ce6c230b
Author: Wolfgang Hotwagner <code at feedyourhead.at>
Date:   Wed Dec 6 11:12:42 2017 +0000

    conf: stack-based buffer-overflow in ParseFilename
    
    There is a stack-based buffer-overflow in ParseFilename. Since the length of "outputs.pcap-log.filename" is not checked and the destination buffer "str" has a fixed length of 512 bytes, a buffer overflow happens with long filenames. An attacker could exploit this for code execution if the configuration-file is not protected properly. This commit fixes ticket #2335
    
    This is what the asan-output looks like:
    
    ~/suricata-1/src# suricata -T -c ./suricata.yaml
    [27871] 3/12/2017 -- 20:48:13 - (suricata.c:1876) <Info> (ParseCommandLine) -- Running suricata under test mode
    [27871] 3/12/2017 -- 20:48:13 - (suricata.c:1109) <Notice> (LogVersion) -- This is Suricata version 4.0.0-dev (rev f3fea60b)
    =================================================================
    ==27871==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffbe9d75e0 at pc 0x55897b5f935f bp 0x7fffbe9d72b0 sp 0x7fffbe9d72a8
    WRITE of size 1 at 0x7fffbe9d75e0 thread T0 (Suricata-Main)
        #0 0x55897b5f935e in ParseFilename /root/suricata-1/src/log-pcap.c:895
        #1 0x55897b5fb173 in PcapLogInitCtx /root/suricata-1/src/log-pcap.c:985
        #2 0x55897b6af103 in RunModeInitializeOutputs /root/suricata-1/src/runmodes.c:752
        #3 0x55897b72c6b5 in PreRunPostPrivsDropInit /root/suricata-1/src/suricata.c:2263
        #4 0x55897b730416 in main /root/suricata-1/src/suricata.c:2898
        #5 0x7f947f6db2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
        #6 0x55897b2d4c19 in _start (/usr/local/bin/suricata+0xc4c19)
    
    Address 0x7fffbe9d75e0 is located in stack of thread T0 (Suricata-Main) at offset 672 in frame
        #0 0x55897b5f7fcc in ParseFilename /root/suricata-1/src/log-pcap.c:836
    
      This frame has 3 object(s):
        [32, 104) 'toks'
        [160, 672) 'str' <== Memory access at offset 672 overflows this variable
        [704, 2752) '_sc_log_msg'
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /root/suricata-1/src/log-pcap.c:895 in ParseFilename
    ==27871==ABORTING
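
The frame layout in the report above says the 'str' object occupies [160, 672), that is 512 bytes, and that the faulting access is at offset 672: one byte past its end, which is the classic off-by-one of a terminating NUL or a final copy landing just beyond a fixed-size stack buffer. As an added illustration (not Suricata's code and not the fix carried by this commit), the hypothetical helpers below show the bound checks that keep a copy or a tokenizer from writing that one byte; the names copy_bounded, split_bounded, STR_SIZE and TOK_SIZE are assumptions:

```c
#include <stddef.h>
#include <string.h>

/* Size of the 'str' object in the ASan frame above: 672 - 160 = 512 bytes. */
#define STR_SIZE 512
/* Per-token buffer size for the hypothetical tokenizer (an assumption). */
#define TOK_SIZE 64

/* Hypothetical helper: copy src into a dst_size-byte buffer, refusing any
 * input that does not fit together with the terminating NUL.
 * Returns 0 on success, -1 when the input is rejected. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    /* n == dst_size would place the NUL at dst[dst_size]: one byte past the
     * end of the object, exactly the access ASan reported at offset 672. */
    if (n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hypothetical tokenizer: split a '/'-separated filename pattern into at
 * most max_toks tokens of at most TOK_SIZE - 1 characters each, without
 * modifying the input. Empty components are skipped.
 * Returns the token count, or -1 if either bound would be exceeded. */
int split_bounded(const char *in, char toks[][TOK_SIZE], int max_toks)
{
    int count = 0;
    const char *p = in;

    while (*p != '\0') {
        const char *sep = strchr(p, '/');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);

        if (len > 0) {
            /* Both checks happen before any write into toks. */
            if (count >= max_toks || len >= TOK_SIZE)
                return -1;
            memcpy(toks[count], p, len);
            toks[count][len] = '\0';
            count++;
        }
        if (sep == NULL)
            break;
        p = sep + 1;
    }
    return count;
}

/* Self-checks on constructed inputs; each returns 1 when the helper behaves
 * as intended. A 512-character input must be rejected for a 512-byte buffer,
 * a 511-character input must be accepted. */
int check_copy_rejects_512_chars(void)
{
    char str[STR_SIZE];
    char in[STR_SIZE + 1];
    memset(in, 'a', STR_SIZE);
    in[STR_SIZE] = '\0';
    return copy_bounded(str, sizeof str, in) == -1;
}

int check_copy_accepts_511_chars(void)
{
    char str[STR_SIZE];
    char in[STR_SIZE];
    memset(in, 'a', STR_SIZE - 1);
    in[STR_SIZE - 1] = '\0';
    return copy_bounded(str, sizeof str, in) == 0 && strlen(str) == STR_SIZE - 1;
}

int check_split(void)
{
    char toks[4][TOK_SIZE];
    /* Constructed pattern in the spirit of a pcap-log filename template. */
    int n = split_bounded("log/%n/%t", toks, 4);
    if (n != 3 || strcmp(toks[0], "log") != 0 || strcmp(toks[2], "%t") != 0)
        return 0;
    /* Five components into four slots must be refused, not truncated. */
    return split_bounded("a/b/c/d/e", toks, 4) == -1;
}
```

Compiled with -fsanitize=address, replacing the `n >= dst_size` test with `n > dst_size` reproduces the same "offset 672 overflows this variable" diagnosis on a 512-byte buffer, which is a quick way to confirm a sanitizer build is catching this class of bug.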

-----------------------------------------------------------------------

Summary of changes:
 doc/userguide/rule-management/index.rst            |   1 +
 doc/userguide/rule-management/suricata-update.rst  | 117 +++++++++++++++++
 .../suricata-update/suricata-update.png            | Bin 0 -> 65167 bytes
 qa/drmemory.suppress                               |  60 ++++++---
 rules/stream-events.rules                          |   7 +-
 rust/Makefile.am                                   |  11 +-
 rust/src/core.rs                                   |   9 +-
 rust/src/dns/dns.rs                                |  32 +++--
 rust/src/dns/log.rs                                |  94 +++++++++++---
 rust/src/dns/lua.rs                                |   2 +-
 rust/src/dns/parser.rs                             |  12 +-
 rust/src/filecontainer.rs                          |   5 +-
 rust/src/filetracker.rs                            |  31 +++--
 rust/src/nfs/nfs.rs                                | 140 +++++++++++----------
 src/app-layer-htp.c                                |  10 +-
 src/app-layer-nfs-tcp.c                            |  16 ++-
 src/app-layer.c                                    |  14 ++-
 src/conf.c                                         |  46 ++++++-
 src/conf.h                                         |   1 +
 src/decode-events.c                                |   1 +
 src/decode-events.h                                |   1 +
 src/decode-vlan.c                                  |   2 +
 src/detect-engine-address.c                        |  19 ++-
 src/detect-engine-port.c                           |   2 +-
 src/detect-engine-threshold.c                      |   5 +-
 src/detect-engine.c                                |   1 +
 src/detect-pcre.c                                  |  10 +-
 src/detect-tos.c                                   |  11 +-
 src/detect.c                                       |  10 +-
 src/flow.c                                         |  15 +++
 src/host.c                                         |   6 +-
 src/log-dnslog.c                                   |  10 +-
 src/log-pcap.c                                     |  11 +-
 src/output-json-flow.c                             |   1 -
 src/output-json-netflow.c                          |   1 -
 src/runmodes.c                                     |   6 +
 src/rust.h                                         |   2 +-
 src/source-af-packet.c                             |  78 +++++++-----
 src/source-pfring.c                                |  30 ++++-
 src/stream-tcp.c                                   |  79 +++++++++---
 src/suricata.c                                     |   9 +-
 src/util-conf.c                                    |   5 +
 src/util-debug.c                                   |  29 +++--
 src/util-error.c                                   |   1 +
 src/util-error.h                                   |   3 +-
 src/util-file.c                                    |  22 ++--
 src/util-file.h                                    |   4 +-
 src/util-hash.c                                    |  12 ++
 src/util-lua-common.c                              |   8 ++
 src/util-radix-tree.c                              |   2 +
 src/util-time.c                                    |  18 ++-
 51 files changed, 756 insertions(+), 266 deletions(-)
 create mode 100644 doc/userguide/rule-management/suricata-update.rst
 create mode 100644 doc/userguide/rule-management/suricata-update/suricata-update.png


hooks/post-receive
-- 
OISF