[Oisf-users] Suricata 3.0x SMTP Parsing Segfaults

Victor Julien lists at inliniac.net
Mon Jan 11 16:48:06 EST 2016


On 11-01-16 11:28, Jason Holmes wrote:
> Hi,
>
> I've been seeing segfaults in the 3.0x series (and dev-detect-v173)
> coming from the SMTP parsing code.  They only occur once every week or
> so.  I was able to get core files with Suricata 3.0rc3 and
> dev-detect-v173 compiled with "-O0 -ggdb".  I do not have the emails
> that were being processed when the segfaults occurred.  If there is any
> other information you'd like to have regarding these, please let me know.

Could you try this branch?
https://github.com/inliniac/suricata/tree/dev-smtp-fix-v0

It's essentially 3.0RC3 plus one patch.

Cheers,
Victor


>
> Thanks,
>
> --
> Jason Holmes
>
>
> 1. 3.0rc3:
>
> #0  0x00000000005db9d1 in StoreMimeHeader (state=0x0) at
> util-decode-mime.c:829
> #1  0x00000000005e0987 in MimeDecParseComplete (state=0x0) at
> util-decode-mime.c:2473
> #2  0x000000000043ec43 in SMTPProcessCommandDATA (state=0x7f5aa23c6650,
> f=0x7f59c5339750,
>      pstate=0x7f5dcd00cc60) at app-layer-smtp.c:772
> #3  0x000000000043fce3 in SMTPProcessRequest (state=0x7f5aa23c6650,
> f=0x7f59c5339750,
>      pstate=0x7f5dcd00cc60) at app-layer-smtp.c:1152
> #4  0x000000000043fdbf in SMTPParse (direction=0, f=0x7f59c5339750,
> state=0x7f5aa23c6650,
>      pstate=0x7f5dcd00cc60,
>      input=0x7f59ed132590 "\n    <TR>\r\n      <TD valign=3D\"middle\"
> style=3D\"font-family:Arial, Helvetica, sans-ser=\r\nif; font-size:11px;
> text-align:center; margin-top:10px; margin-bottom:10px;=\r\n\">XXXXXXXX
> XXX XXXXXXXXXXX | 321 "..., input_len=489, local_data=0x7f5dcc38fb50)
>      at app-layer-smtp.c:1185
> #5  0x000000000043fe68 in SMTPParseClientRecord (f=0x7f59c5339750,
> alstate=0x7f5aa23c6650,
>      pstate=0x7f5dcd00cc60,
>      input=0x7f59ed132590 "\n    <TR>\r\n      <TD valign=3D\"middle\"
> style=3D\"font-family:Arial, Helvetica, sans-ser=\r\nif; font-size:11px;
> text-align:center; margin-top:10px; margin-bottom:10px;=\r\n\">XXXXXXXX
> XXX XXXXXXXXXXX | 321 "..., input_len=489, local_data=0x7f5dcc38fb50)
>      at app-layer-smtp.c:1208
> #6  0x00000000004363b7 in AppLayerParserParse (alp_tctx=0x7f5dcc38f8a0,
> f=0x7f59c5339750,
>      alproto=3, flags=4 '\004',
>      input=0x7f59ed132590 "\n    <TR>\r\n      <TD valign=3D\"middle\"
> style=3D\"font-family:Arial, Helvetica, sans-ser=\r\nif; font-size:11px;
> text-align:center; margin-top:10px; margin-bottom:1
> 0px;=\r\n\">XXXXXXXX XXX XXXXXXXXXX | 321 "..., input_len=489) at
> app-layer-parser.c:908
> #7  0x000000000041247b in AppLayerHandleTCPData (tv=0x32f57e60,
> ra_ctx=0x7f5dcc38f3e0,
>      p=0x7f5dcc37bad0, f=0x7f59c5339750, ssn=0x7f59b4537e40,
> stream=0x7f59b4537e90,
>      data=0x7f59ed132590 "\n    <TR>\r\n      <TD valign=3D\"middle\"
> style=3D\"font-family:Arial, Helvetica, sans-ser=\r\nif; font-size:11px;
> text-align:center; margin-top:10px; margin-bottom:10px;=\r\n\">XXXXXXXX
> XXX XXXXXXXXXXX | 321 "..., data_len=489, flags=4 '\004') at
> app-layer.c:444
> #8  0x00000000005a6cdf in DoReassemble (tv=0x32f57e60,
> ra_ctx=0x7f5dcc38f3e0,
>      ssn=0x7f59b4537e40, stream=0x7f59b4537e90, seg=0x7f5dd07c9930,
> rd=0x7f5ddf7fb920,
>      p=0x7f5dcc37bad0) at stream-tcp-reassemble.c:2635
> #9  0x00000000005a7ad5 in StreamTcpReassembleAppLayer (tv=0x32f57e60,
> ra_ctx=0x7f5dcc38f3e0,
>      ssn=0x7f59b4537e40, stream=0x7f59b4537e90, p=0x7f5dcc37bad0) at
> stream-tcp-reassemble.c:3028
> #10 0x00000000005a85ed in StreamTcpReassembleHandleSegmentUpdateACK
> (tv=0x32f57e60,
>      ra_ctx=0x7f5dcc38f3e0, ssn=0x7f59b4537e40, stream=0x7f59b4537e90,
> p=0x7f5dcc37bad0)
>      at stream-tcp-reassemble.c:3404
> #11 0x00000000005a868f in StreamTcpReassembleHandleSegment (tv=0x32f57e60,
>      ra_ctx=0x7f5dcc38f3e0, ssn=0x7f59b4537e40, stream=0x7f59b4537e48,
> p=0x7f5dcc37bad0,
>      pq=0x7f5dcc38f100) at stream-tcp-reassemble.c:3432
> #12 0x00000000005966a1 in HandleEstablishedPacketToClient
> (tv=0x32f57e60, ssn=0x7f59b4537e40,
>      p=0x7f5dcc37bad0, stt=0x7f5dcc38f0f0, pq=0x7f5dcc38f100) at
> stream-tcp.c:2245
> #13 0x000000000059717e in StreamTcpPacketStateEstablished
> (tv=0x32f57e60, p=0x7f5dcc37bad0,
>      stt=0x7f5dcc38f0f0, ssn=0x7f59b4537e40, pq=0x7f5dcc38f100) at
> stream-tcp.c:2489
> #14 0x000000000059de63 in StreamTcpPacket (tv=0x32f57e60,
> p=0x7f5dcc37bad0, stt=0x7f5dcc38f0f0,
>      pq=0xb5f41370) at stream-tcp.c:4568
> #15 0x000000000059eb40 in StreamTcp (tv=0x32f57e60, p=0x7f5dcc37bad0,
> data=0x7f5dcc38f0f0,
>      pq=0xb5f41370, postpq=0x0) at stream-tcp.c:5064
> #16 0x00000000005b7d61 in TmThreadsSlotVarRun (tv=0x32f57e60,
> p=0x7f5dcc37bad0, slot=0x60d10f30)
>      at tm-threads.c:132
> #17 0x000000000058106d in TmThreadsSlotProcessPkt (tv=0x32f57e60,
> s=0x60d10f30,
>      p=0x7f5dcc37bad0) at tm-threads.h:149
> #18 0x0000000000582e37 in AFPReadFromRing (ptv=0x7f5dcc37c8e0) at
> source-af-packet.c:874
> #19 0x000000000058419f in ReceiveAFPLoop (tv=0x32f57e60,
> data=0x7f5dcc37c8e0, slot=0xc9e59c20)
>      at source-af-packet.c:1214
> #20 0x00000000005b85e1 in TmThreadsSlotPktAcqLoop (td=0x32f57e60) at
> tm-threads.c:336
> #21 0x00007f5e32df3dc5 in start_thread (arg=0x7f5ddf7fe700) at
> pthread_create.c:308
> #22 0x00007f5e3291d21d in clone () at
> ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
>
>
>
> 2. dev-detect-v173:
>
> #0  0x00000000005d39f5 in StoreMimeHeader (state=0x0) at
> util-decode-mime.c:829
> #1  0x00000000005d89ab in MimeDecParseComplete (state=0x0) at
> util-decode-mime.c:2473
> #2  0x000000000043ecf7 in SMTPProcessCommandDATA (state=0x7fa783e05c00,
> f=0x7f991f93b9c0,
>      pstate=0x7f9d0d9604f0) at app-layer-smtp.c:772
> #3  0x000000000043fd97 in SMTPProcessRequest (state=0x7fa783e05c00,
> f=0x7f991f93b9c0,
>      pstate=0x7f9d0d9604f0) at app-layer-smtp.c:1152
> #4  0x000000000043fe73 in SMTPParse (direction=0, f=0x7f991f93b9c0,
> state=0x7fa783e05c00,
>      pstate=0x7f9d0d9604f0,
>      input=0x7fae0f7fb928 "MAIL FROM:<bounceback at isrn.envergin.com>
> BODY=8BITMIME ENVID=e823099ddf1d26499d6a3357a4144167\r\nRCPT
> TO:<XXXXXX at psu.edu>\r\nDATA\r\nReceived: from (127.0.0.1) by
> isrn.envergin.com id hib19u16lt0h for <XXXX"..., input_len=1802,
> local_data=0x7fae0038f8f0)
>      at app-layer-smtp.c:1185
> #5  0x000000000043ff1c in SMTPParseClientRecord (f=0x7f991f93b9c0,
> alstate=0x7fa783e05c00,
>      pstate=0x7f9d0d9604f0,
>      input=0x7fae0f7fb928 "MAIL FROM:<bounceback at isrn.envergin.com>
> BODY=8BITMIME ENVID=e823099ddf1d26499d6a3357a4144167\r\nRCPT
> TO:<XXXXXX at psu.edu>\r\nDATA\r\nReceived: from (127.0.0.1) by
> isrn.envergin.com id hib19u16lt0h for <XXXX"..., input_len=1802,
> local_data=0x7fae0038f8f0)
>      at app-layer-smtp.c:1208
> #6  0x000000000043646b in AppLayerParserParse (alp_tctx=0x7fae0038f640,
> f=0x7f991f93b9c0,
>      alproto=3, flags=4 '\004',
>      input=0x7fae0f7fb928 "MAIL FROM:<bounceback at isrn.envergin.com>
> BODY=8BITMIME ENVID=e823099ddf1d26499d6a3357a4144167\r\nRCPT
> TO:<XXXXXX at psu.edu>\r\nDATA\r\nReceived: from (127.0.0.1) by
> isrn.envergin.com id hib19u16lt0h for <XXXX"..., input_len=1802) at
> app-layer-parser.c:908
> #7  0x00000000004124ab in AppLayerHandleTCPData (tv=0x1bdca360,
> ra_ctx=0x7fae0038f250,
>      p=0x7fae0037bad0, f=0x7f991f93b9c0, ssn=0x7fadfc3a33c0,
> stream=0x7fadfc3a3410,
>      data=0x7fae0f7fb928 "MAIL FROM:<bounceback at isrn.envergin.com>
> BODY=8BITMIME ENVID=e823099ddf1d26499d6a3357a4144167\r\nRCPT
> TO:<XXXXXX at psu.edu>\r\nDATA\r\nReceived: from (127.0.0.1) by
> isrn.envergin.com id hib19u16lt0h for <XXXX"..., data_len=1802, flags=4
> '\004') at app-layer.c:444
> #8  0x000000000059fbdb in StreamTcpReassembleAppLayer (tv=0x1bdca360,
> ra_ctx=0x7fae0038f250,
>      ssn=0x7fadfc3a33c0, stream=0x7fadfc3a3410, p=0x7fae0037bad0) at
> stream-tcp-reassemble.c:3053
> #9  0x00000000005a05ed in StreamTcpReassembleHandleSegmentUpdateACK
> (tv=0x1bdca360,
>      ra_ctx=0x7fae0038f250, ssn=0x7fadfc3a33c0, stream=0x7fadfc3a3410,
> p=0x7fae0037bad0)
>      at stream-tcp-reassemble.c:3404
> #10 0x00000000005a068f in StreamTcpReassembleHandleSegment (tv=0x1bdca360,
>      ra_ctx=0x7fae0038f250, ssn=0x7fadfc3a33c0, stream=0x7fadfc3a33c8,
> p=0x7fae0037bad0,
>      pq=0x7fae0038ef70) at stream-tcp-reassemble.c:3432
> #11 0x000000000058e6a1 in HandleEstablishedPacketToClient
> (tv=0x1bdca360, ssn=0x7fadfc3a33c0,
>      p=0x7fae0037bad0, stt=0x7fae0038ef60, pq=0x7fae0038ef70) at
> stream-tcp.c:2245
> #12 0x000000000058f17e in StreamTcpPacketStateEstablished
> (tv=0x1bdca360, p=0x7fae0037bad0,
>      stt=0x7fae0038ef60, ssn=0x7fadfc3a33c0, pq=0x7fae0038ef70) at
> stream-tcp.c:2489
> #13 0x0000000000595e63 in StreamTcpPacket (tv=0x1bdca360,
> p=0x7fae0037bad0, stt=0x7fae0038ef60,
>      pq=0x1bdca730) at stream-tcp.c:4568
> #14 0x0000000000596b40 in StreamTcp (tv=0x1bdca360, p=0x7fae0037bad0,
> data=0x7fae0038ef60,
>      pq=0x1bdca730, postpq=0x0) at stream-tcp.c:5064
> #15 0x00000000005afd85 in TmThreadsSlotVarRun (tv=0x1bdca360,
> p=0x7fae0037bad0, slot=0x1bdca5b0)
>      at tm-threads.c:132
> #16 0x000000000057906d in TmThreadsSlotProcessPkt (tv=0x1bdca360,
> s=0x1bdca5b0,
>      p=0x7fae0037bad0) at tm-threads.h:149
> #17 0x000000000057ae37 in AFPReadFromRing (ptv=0x7fae0037c8f0) at
> source-af-packet.c:874
> #18 0x000000000057c19f in ReceiveAFPLoop (tv=0x1bdca360,
> data=0x7fae0037c8f0, slot=0x1bdca470)
>      at source-af-packet.c:1214
> #19 0x00000000005b0605 in TmThreadsSlotPktAcqLoop (td=0x1bdca360) at
> tm-threads.c:336
> #20 0x00007fae3dc18dc5 in start_thread (arg=0x7fae0f7fe700) at
> pthread_create.c:308
> #21 0x00007fae3d74221d in clone () at
> ../sysdeps/unix/sysv/linux/x86_64/clone.S:113


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
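Both backtraces above bottom out in StoreMimeHeader with state=0x0, reached from MimeDecParseComplete when the SMTP DATA handler finishes a message: the MIME decoder state is NULL at the moment the parser tries to finalise it. The following is an added illustration, not Suricata's code and not the patch in the dev-smtp-fix-v0 branch; it uses hypothetical names (MimeState, SmtpState, mime_parse_complete, smtp_process_data_end) to model that failure mode and the guard that turns a NULL decoder state into a handled error rather than a crash.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of an SMTP transaction with an optional MIME decoder.
 * The decoder state is only allocated when a DATA body starts and the
 * decoder is enabled, so it can legitimately be NULL at end-of-message. */
typedef struct MimeState_ {
    int headers_stored;            /* count of header fields committed */
} MimeState;

typedef struct SmtpState_ {
    MimeState *mime_state;         /* NULL until the decoder is initialised */
    int in_data;                   /* 1 while inside a DATA body */
} SmtpState;

/* The crashing shape: the header store trusts its caller and dereferences
 * the state unconditionally. With state == NULL this is the segfault. */
int store_mime_header_unguarded(MimeState *state) {
    state->headers_stored++;
    return 0;
}

/* Hardened finaliser: refuse a NULL state with an error code instead of
 * touching it. The caller decides what the error means for the session. */
int mime_parse_complete(MimeState *state) {
    if (state == NULL)
        return -1;
    state->headers_stored++;       /* commit the last pending header */
    return 0;
}

/* End-of-DATA handling: only finalise the MIME message if a decoder state
 * actually exists for this transaction. Returns 0 on success, -1 when no
 * decoder state was present, -2 when a terminator arrives outside DATA. */
int smtp_process_data_end(SmtpState *s) {
    if (!s->in_data)
        return -2;
    s->in_data = 0;
    if (s->mime_state == NULL)
        return -1;                 /* decoder never initialised: skip, don't crash */
    return mime_parse_complete(s->mime_state);
}

/* Scenario 1 (constructed): DATA body ends but no MIME decoder state exists.
 * The unguarded path would dereference NULL; the guarded path returns -1. */
int demo_without_decoder(void) {
    SmtpState s = { .mime_state = NULL, .in_data = 1 };
    return smtp_process_data_end(&s);
}

/* Scenario 2 (constructed): decoder state present, message completes normally.
 * Returns the number of headers stored after finalisation (expected 1). */
int demo_with_decoder(void) {
    MimeState *m = calloc(1, sizeof(*m));
    if (m == NULL)
        return -3;
    SmtpState s = { .mime_state = m, .in_data = 1 };
    int rc = smtp_process_data_end(&s);
    int stored = (rc == 0) ? m->headers_stored : rc;
    free(m);
    return stored;
}

int main(void) {
    printf("no decoder state  -> rc=%d\n", demo_without_decoder());
    printf("with decoder state-> headers_stored=%d\n", demo_with_decoder());
    return 0;
}
```

The point of the guard is where it sits: checking for a missing decoder state at the DATA-end step keeps one malformed or unusual message from taking down the whole capture thread, which in the traces above is the AF_PACKET receive loop that every other flow on that thread depends on.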
