[netsa-tools-discuss] yaf 2.12.1 segfault with SMTP and uniflow
Łukasz Rząsik
lukasz.rzasik at gmail.com
Tue Sep 7 06:54:29 EDT 2021
Hello,
I think I've encountered a bug when using the latest version of yaf 2.12.1.
yaf causes a segmentation fault when processing SMTP traffic in uniflow
mode.
This is the command line used to run yaf:
/usr/bin/yaf -i bond0 --live pcap -o 127.0.0.1 --ipfix tcp --ipfix-port 4739 \
    --stats 10 --max-payload 1024 \
    --plugin-name=/usr/lib/yaf/dpacketplugin.la,/usr/lib/yaf/dhcp_fp_plugin.la \
    --applabel --idle-timeout 3 --active-timeout 10 --ndpi --uniflow
The issue can be reproduced using this pcap file:
https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=smtp.pcap
I was able to fix the issue with the following change:
########################################################
diff -urN yaf-2.12.1/src/applabel/hooks/dpacketplugin.c
yaf-2.12.1-patched/src/applabel/hooks/dpacketplugin.c
--- yaf-2.12.1/src/applabel/hooks/dpacketplugin.c 2020-12-09
19:37:17.000000000 +0100
+++ yaf-2.12.1-patched/src/applabel/hooks/dpacketplugin.c 2021-09-07
12:48:51.558360279 +0200
@@ -2921,6 +2921,10 @@
rec->smtpSize = 0;
rec->smtpStartTLS = 0;
+ if (!flow->rval.payload) {
+ totalcap = fwdcap;
+ }
+
/* Establish message bounds */
for ( ; count < totalcap; ++count) {
if(count < fwdcap) {
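Review bot: the added guard tests only `flow->rval.payload`, and it carries no comment saying why a null reverse payload is expected here, so the next reader cannot tell that it exists for the uniflow case described in the report. A one-line comment above the `if` would fix that, and an explicit `== NULL` comparison would make the intent clearer. Clamping `totalcap` to `fwdcap` just before the loop also treats the symptom at the point of use: the loop bound `count < totalcap` already included reverse-direction entries by the time this code runs, so it is worth checking whether the place that computes `totalcap` should skip the reverse count when there is no reverse payload, and whether the `count < fwdcap` branch needs the equivalent check on the forward payload pointer.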
########################################################
Am I doing something wrong, or is there really a bug?
Is the fix fine? What would you recommend?
Best regards,
Lukasz Rzasik