log-pcap: fix segfault on lz4 compressed pcaps

[oxagast]

Moved a file existence check to fix segfault if Suricata tries to write to an lz4 compressed .pcap file if you don't have permission to write to it. Also removed the previous code that would log this elsewhere, so you don't get double log entries.

https://redmine.openinfosecfoundation.org/issues/5022

[codecov]

Codecov Report

Merging #6875 (30960b2) into master (f8e1430) will decrease coverage by 0.16%.
The diff coverage is n/a.

❗ Current head 30960b2 differs from pull request most recent head 4fa3b55. Consider uploading reports for the commit 4fa3b55 to get more accurate results

@@            Coverage Diff             @@
##           master    #6875      +/-   ##
==========================================
- Coverage   77.72%   77.56%   -0.17%     
==========================================
  Files         628      628              
  Lines      186493   186921     +428     
==========================================
+ Hits       144959   144992      +33     
- Misses      41534    41929     +395     

Flag	Coverage Δ
fuzzcorpus	57.72% <ø> (-0.67%)	⬇️
suricata-verify	53.54% <ø> (-0.54%)	⬇️
unittests	62.72% <ø> (-0.49%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

[oxagast]

Fixed the formatting so checks don't fail.

[jufajardini]

Thanks for your interest in contributing to Suricata!

We would appreciate if you followed our code submission criteria :)
Especially:

• commit message formatting
• commit message and naming convention (so something like: log-pcap: fix segfault on lz4 compressed pcaps and then detail more in the commit body? )
• don't add unnecessary commits (if the formatting fix covers your code changes only, please squash them ;) )

Also, have you signed the Suricata Contribution Agreement?

[oxagast]

Hi,
Thanks for the tips. I've signed the contribution agreement, yes. I've also edited the title of the PR to reflect naming conventions. As for the second commit that was only edited formatting, I didn't think that it would allow a merge if the automated checks didn't pass. Now I'm not sure what you mean by squash the latest change with only formatting edits though, I didn't know there was a way to remove edits from the version tracker once they were committed and pushed. Is there a way to do that? Or do you just mean marge the two commits?

Edit: I think I figured out how to squash them with git merge master --squash.

[victorjulien]

See inline comments

[victorjulien]

I don't see a check for comp->file here, which suggests it might be already open and this would leak the previous descriptor. We're in the packet path here, so we would call this for each packet.

[victorjulien]

If comp->file is null here, I think it means we didn't properly error check something during setup. I think the issue should be handled during setup/initialization (or file rotation)

[victorjulien]

if removing output please just remove it instead of leaving it as a comment. It is fine to have a comment explaining why there is no error message here

[jufajardini]

Hi, Thanks for the tips. I've signed the contribution agreement, yes. I've also edited the title of the PR to reflect naming conventions. As for the second commit that was only edited formatting, I didn't think that it would allow a merge if the automated checks didn't pass. Now I'm not sure what you mean by squash the latest change with only formatting edits though, I didn't know there was a way to remove edits from the version tracker once they were committed and pushed. Is there a way to do that? Or do you just mean marge the two commits?

Edit: I think I figured out how to squash them with git merge master --squash.

Kudos! Now you can follow those with the next PR submission :) Can you also create a ticket on our redmine project, to go with that iteration?

[oxagast]

Probably correct to check if this directory is writeable on startup. I didn't happen to look, is everything else (that's working properly) also checked this way? I'm guessing that if the perms somhow got changed incorrectly while Suricata is running it would also fail that way, but the risk is much lower and the performance implications may not be worth doing it in the packet thread.
I have created a ticket on redmine with a backtrace.

[inashivb]

Probably correct to check if this directory is writeable on startup. I didn't happen to look, is everything else (that's working properly) also checked this way?

Sounds about right to me. Directory should exist and be writable if we are willing to write something in there.

[suricata-qa]

Warning: no commits in this PR have specified the following ticket(s):

• 5022 - https://redmine.openinfosecfoundation.org/issues/5022

Please update the commit(s) and submit a new PR.

[catenacyber]

@oxagast are you still working on this ?

[oxagast]

Sorry, I completely forgot about this. I'll have to take another look into it. Thanks for reminding me.

[oxagast]

So I just recompiled the latest version out of OSIF:master and it seems it is already fixed. Before Suricata would try to log the .lz4 compressed logs to a separate directory under the default logging dir. If that dir was not writable it would fault. However now it seem Suricata has changed where it is dropping the .lz4 logs, and is now putting them in the default (or user specified) logging directory, not in a sub-directory. So it seems to be fixed, either intentionally or unintentionally. I'll now close this issue.

Thanks!