Unable to attach suricata.yaml due to "New users are not allowed to add attachments".
suricata --build-info
This is Suricata version 7.0.6 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_JA3 HAVE_JA4 HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST POPCNT64
SIMD support: SSE_2
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 14.1.0, C version 201112
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.48, linked against LibHTP v0.5.48
Command:
suricata -c suricata.yaml -k none -q0:7 --pidfile /var/suricata/suricata.pid
However, I found the root cause, and a potential fix.
During init, the following call sequence led to the crash: ReceiveNFQThreadInit() → NFQCallBack() → TmThreadsSlotProcessPkt() → TmqhOutputPacketpool() → CaptureStatsUpdate()
static inline TmEcode TmThreadsSlotProcessPkt(ThreadVars *tv, TmSlot *s, Packet *p)
{
    if (s == NULL) {
        tv->tmqh_out(tv, p); /* <- call to TmqhOutputPacketpool(), as the TmSlot was NULL */
        return TM_ECODE_OK;
    }
    …
}
But TmqhOutputPacketpool() made an unconditional call to CaptureStatsUpdate() while the ThreadVars (t) were not yet initialised (ReceiveNFQThreadInit() was still in progress):
(gdb) p tv->perf_private_ctx
$6 = {
head = 0x0,
size = 0,
initialized = 0
}
$3 = (ThreadVars *) 0x6988280
(gdb) p *tv
$4 = {
t = 140691367778048,
tm_func = 0x56e3d0 ,
name = "W-NFQ#3\000\000\000\000\000\000\000\000",
…
flags_sc_atomic__ = 5,
flags = 5 → binary 101 → bit 0 and bit 2 are set:
THV_USE and THV_PAUSE are set
THV_INIT_DONE is not set
CaptureStatsUpdate() tried to use tv->perf_private_ctx, which led to the crash.
Potential fix:
Avoid calling CaptureStatsUpdate() when the thread is not initialised:
if (t != NULL && TmThreadsCheckFlag(t, THV_INIT_DONE)) { /* <- check for the thread init flag */
    CaptureStatsUpdate(t, p);
}
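The guard above, modelled in a small stand-alone C program (added example, not Suricata's own code): the structures are minimal stand-ins, THV_USE and THV_PAUSE follow the bit positions decoded from the gdb dump (flags = 5), and THV_INIT_DONE as bit 1 is an assumption for this model. It shows the stats update being skipped for the captured state and running once the init flag is set.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit positions: bit 0 and bit 2 match the post's decoding of flags = 5 (0b101);
 * THV_INIT_DONE as bit 1 is an assumption for this model. */
#define THV_USE       (1u << 0)
#define THV_INIT_DONE (1u << 1)
#define THV_PAUSE     (1u << 2)

/* Minimal stand-ins for the Suricata structures (model only). */
typedef struct { void *head; uint32_t size; int initialized; } StatsPrivCtx;
typedef struct { uint32_t flags; StatsPrivCtx perf_private_ctx; unsigned long pkts_seen; } ThreadVars;
typedef struct { unsigned long id; } Packet;

static bool tm_threads_check_flag(const ThreadVars *tv, uint32_t flag)
{
    return (tv->flags & flag) != 0;
}

/* Models CaptureStatsUpdate(): only safe once perf_private_ctx has been set up. */
static void capture_stats_update(ThreadVars *tv, const Packet *p)
{
    (void)p;
    tv->pkts_seen++;
}

/* The guarded call from the proposed fix. Returns 1 if the stats were updated,
 * 0 if the thread had not finished its init (or tv is NULL) and it was skipped. */
int output_packetpool_stats(ThreadVars *tv, const Packet *p)
{
    if (tv != NULL && tm_threads_check_flag(tv, THV_INIT_DONE)) {
        capture_stats_update(tv, p);
        return 1;
    }
    return 0;
}

/* Decodes a flags word into the three bits discussed; 5 -> "THV_USE|THV_PAUSE". */
int describe_flags(uint32_t flags, char *buf, size_t len)
{
    const char *names[] = { "THV_USE", "THV_INIT_DONE", "THV_PAUSE" };
    size_t used = 0;
    buf[0] = '\0';
    for (int bit = 0; bit < 3; bit++) {
        if (!(flags & (1u << bit))) continue;
        int n = snprintf(buf + used, len - used, "%s%s", used ? "|" : "", names[bit]);
        if (n < 0 || (size_t)n >= len - used) return -1;
        used += (size_t)n;
    }
    return (int)used;
}
```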