[Bro-Dev] #961: Large Memory Allocation
Bro Tracker
bro at tracker.bro.org
Sun Mar 10 12:24:12 PDT 2013
#961: Large Memory Allocation
------------------------+---------------------
Reporter: jbaines | Type: Problem
Status: new | Priority: Medium
Milestone: Bro2.2 | Component: Bro
Version: git/master | Keywords:
------------------------+---------------------
'''Version''': Master (0075973249906ce1374948b567d261395f99220e)
'''Description''': A Wireshark fuzz capture causes a near-max uint
allocation, resulting in an out-of-memory error.
'''File''':
https://www.wireshark.org/download/automated/captures/fuzz-2007-12-18-26236.pcap
'''Output'''
''Command line''
{{{
./bro -C -r fuzz-2007-12-18-26236.pcap
out of memory in new.
1075754676.257579 fatal error: out of memory in new.
}}}
''Valgrind''
{{{
==32162== Warning: silly arg (-9) to __builtin_vec_new()
**32162** new/new[] failed and should throw an exception, but Valgrind
**32162** cannot throw exceptions and so is aborting instead. Sorry.
==32162== at 0x402A02C: ??? (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==32162== by 0x402B2A9: operator new[](unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==32162== by 0x83964D7: DataBlock::DataBlock(unsigned char const*, int, int, DataBlock*, DataBlock*) (Reassem.cc:23)
==32162== by 0x8396721: Reassembler::NewBlock(double, int, int, unsigned char const*) (Reassem.cc:85)
==32162== by 0x831EA53: FragReassembler::AddFragment(double, IP_Hdr const*, unsigned char const*) (Frag.cc:148)
==32162== by 0x831E6AF: FragReassembler::FragReassembler(NetSessions*, IP_Hdr const*, unsigned char const*, HashKey*, double) (Frag.cc:63)
==32162== by 0x83C77A5: NetSessions::NextFragment(double, IP_Hdr const*, unsigned char const*) (Sessions.cc:844)
==32162== by 0x83C6089: NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int, EncapsulationStack const*) (Sessions.cc:417)
==32162== by 0x83C57AD: NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int, PacketSortElement*) (Sessions.cc:238)
==32162== by 0x83C55AC: NetSessions::DispatchPacket(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*, PacketSortElement*) (Sessions.cc:186)
==32162== by 0x8374B67: net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*, PacketSortElement*) (Net.cc:353)
==32162== by 0x8374DA1: net_packet_arrival(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*) (Net.cc:416)
}}}
'''The Problem'''
The problem is quite simply the subtraction at Frag.cc:148. The
subtraction can cause a rollover when hdr_len > len, which eventually
causes a very large allocation attempt.
'''The Fix'''
Attached is a simple fix that checks if hdr_len > len and returns.
--
Ticket URL: <http://tracker.bro.org/bro/ticket/961>
Bro Tracker <http://tracker.bro.org/bro>
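
The rollover described under "The Problem" and the guard described under "The Fix", as an added C++ example; it is not the attached patch and not Bro's code. The struct, the function names and the header values (chosen so the difference is -9, the value Valgrind reports) are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed stand-in for the IPv4 header fields a fragment reassembler reads.
struct FragHdr {
    uint8_t  ihl_words;  // header length in 32-bit words
    uint16_t total_len;  // total length claimed by the packet
};

// Unchecked pattern: len - hdr_len goes negative when hdr_len > len.
// operator new[] takes an unsigned size, so the negative int is converted
// to a value close to the maximum of that type.
size_t unchecked_alloc_size(const FragHdr& h) {
    int len = h.total_len;
    int hdr_len = h.ihl_words * 4;
    int payload = len - hdr_len;          // may be negative
    return static_cast<size_t>(payload);  // size new[] would be asked for
}

// Checked pattern: refuse the fragment before the subtraction can feed
// an allocation. Returns false for a malformed header.
bool checked_alloc_size(const FragHdr& h, size_t* out) {
    int len = h.total_len;
    int hdr_len = h.ihl_words * 4;
    if (hdr_len > len)
        return false;                     // malformed: drop, allocate nothing
    *out = static_cast<size_t>(len - hdr_len);
    return true;
}

int main() {
    FragHdr bad = {15, 51};   // constructed: 60-byte header, 51-byte total
    FragHdr good = {5, 60};   // constructed: 20-byte header, 60-byte total
    size_t n = 0;

    std::printf("unchecked size for bad header: %zu\n", unchecked_alloc_size(bad));
    std::printf("checked accepts bad header:    %d\n", checked_alloc_size(bad, &n));
    if (checked_alloc_size(good, &n))
        std::printf("checked size for good header:  %zu\n", n);
    return 0;
}
```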