It was reported [1] that certain requests can cause a NULL pointer dereference in libhtp, leading to denial of service of Suricata. The chain of events is as follows:

- a failure in zlib setup (Z_STREAM_ERROR) leads to tx->connp->out_decompressor == NULL and htp_connp_res_data returning HTP_STREAM_ERROR
- Suricata then still sometimes calls htp_connp_close()
- htp_connp_close() resets statuses and unconditionally derefs tx->connp->out_decompressor
- as this is NULL, we get a segv

The calling of htp_connp_close may be erroneous if the htp state is in error.

Upstream commit that resolves this:
https://github.com/OISF/libhtp/pull/82/files

[1]: https://redmine.openinfosecfoundation.org/issues/1272
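The following C sketch is an added illustration of the failure chain described in the report above; it is not libhtp's or Suricata's code and not the upstream fix. All `ex_`-prefixed types and functions are constructed stand-ins (the zlib call is a fake that can be forced to return Z_STREAM_ERROR), chosen so the error path can be driven deterministically. It places the pre-fix shape of the close routine (unconditional dereference) beside a guarded one, and adds the caller-side check the report hints at: do not run the normal close path on a parser already in the error state.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the libhtp objects in the report (example code,
 * not libhtp's API). Status values mirror the report's vocabulary. */
#define EX_STREAM_NEW       0
#define EX_STREAM_DATA      1
#define EX_STREAM_ERROR   (-1)
#define EX_Z_OK             0
#define EX_Z_STREAM_ERROR (-2)

typedef struct ex_decompressor {
    void (*destroy)(struct ex_decompressor *d);
} ex_decompressor_t;

typedef struct {
    ex_decompressor_t *out_decompressor;  /* stays NULL if setup fails */
    int out_status;
} ex_connp_t;

/* Stand-in for zlib's inflateInit2(); the report's trigger is this
 * returning Z_STREAM_ERROR, so the example lets a caller force it. */
static int ex_inflate_init(int force_fail) {
    return force_fail ? EX_Z_STREAM_ERROR : EX_Z_OK;
}

static void ex_decompressor_destroy(ex_decompressor_t *d) {
    free(d);
}

/* Response-side decompressor setup. On zlib failure the pointer is left
 * NULL and the parser goes into the error state: the exact state the
 * later close() in the report did not expect. */
int ex_setup_decompressor(ex_connp_t *connp, int zlib_fails) {
    if (ex_inflate_init(zlib_fails) != EX_Z_OK) {
        connp->out_decompressor = NULL;
        connp->out_status = EX_STREAM_ERROR;
        return EX_STREAM_ERROR;
    }
    ex_decompressor_t *d = calloc(1, sizeof *d);
    if (d == NULL) {
        connp->out_status = EX_STREAM_ERROR;
        return EX_STREAM_ERROR;
    }
    d->destroy = ex_decompressor_destroy;
    connp->out_decompressor = d;
    connp->out_status = EX_STREAM_DATA;
    return EX_STREAM_DATA;
}

/* Pre-fix shape: reset status, then tear down with no NULL check.
 * Reaching this after a failed setup is the segv from the report. */
void ex_close_unguarded(ex_connp_t *connp) {
    connp->out_status = EX_STREAM_NEW;
    connp->out_decompressor->destroy(connp->out_decompressor); /* NULL deref */
    connp->out_decompressor = NULL;
}

/* Guarded shape: tolerate a missing decompressor.
 * Returns 1 if one was destroyed, 0 if there was nothing to destroy. */
int ex_close_guarded(ex_connp_t *connp) {
    connp->out_status = EX_STREAM_NEW;
    if (connp->out_decompressor == NULL)
        return 0;
    connp->out_decompressor->destroy(connp->out_decompressor);
    connp->out_decompressor = NULL;
    return 1;
}

/* Caller-side check: a parser already in the error state is not closed
 * through the normal path, which is the questionable call the report
 * points at. Returns what the close did, or 0 if it was skipped. */
int ex_finish_connection(ex_connp_t *connp) {
    if (connp->out_status == EX_STREAM_ERROR)
        return 0;
    return ex_close_guarded(connp);
}

/* Library-side guard alone, with no caller check: close right after a
 * forced zlib failure. Returns 0 (nothing to destroy) instead of crashing. */
int ex_close_after_failed_setup(void) {
    ex_connp_t connp = { NULL, EX_STREAM_NEW };
    ex_setup_decompressor(&connp, 1);
    return ex_close_guarded(&connp);
}

/* Drive one response end to end. Returns 1 when a decompressor was torn
 * down, 0 when the close was skipped safely, -1 if a dangling pointer
 * was left behind. */
int ex_run_scenario(int zlib_fails) {
    ex_connp_t connp = { NULL, EX_STREAM_NEW };
    ex_setup_decompressor(&connp, zlib_fails);
    int closed = ex_finish_connection(&connp);
    return connp.out_decompressor == NULL ? closed : -1;
}

int main(void) {
    printf("zlib ok:   close performed = %d\n", ex_run_scenario(0));
    printf("zlib fail: close performed = %d\n", ex_run_scenario(1));
    printf("guarded close after failed setup = %d\n", ex_close_after_failed_setup());
    /* ex_close_unguarded() on the failing case would dereference NULL;
     * it is deliberately never called here. */
    return 0;
}
```

Both guards are worth having: the library-side NULL check removes the crash regardless of how the caller behaves, and the caller-side state check avoids running teardown on a parser whose state is already inconsistent.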
Created libhtp tracking bugs for this issue:

Affects: fedora-all [bug 1180488]
Affects: epel-all [bug 1180489]
Isn't that a duplicate of 1173605 ?
(In reply to Mathieu Bridon from comment #2)
> Isn't that a duplicate of 1173605 ?

Ooops, you're right. Closing this one.

*** This bug has been marked as a duplicate of bug 1173605 ***