[Snort-devel] Coredump in TCP Stream Reassembly

Erich Meier Erich.Meier at ...2...
Tue Dec 5 02:56:32 EST 2000


On Mon, Dec 04, 2000 at 11:40:55AM -0500, Christopher Cramer wrote:
> 
> Does this happen immediately after starting snort, or just periodically?

Periodically after a few minutes of operation.

> I don't think this is an alignment problem since we are working here with
> u_char buffers.  It seems to be an issue with not having enough data in
> the dynamically allocated buffers.  From gdb, can you "print *sptr" and
> send me the results?

Sure. (That should also satisfy Fyodor's request for the value of s_buf.)

# gdb /local/snort/bin/snort ./core
Program terminated with signal 11, Segmentation fault.
#0  0x2ed84 in TcpStreamPacket (p=0xeffff7b8) at spp_tcp_stream.c:355
355                     if (sptr->s_buf[i-1] == 0xa || sptr->s_buf[i-1] == 0xd)
(gdb) bt
#0  0x2ed84 in TcpStreamPacket (p=0xeffff7b8) at spp_tcp_stream.c:355
#1  0x216c0 in Preprocess (p=0xeffff7b8) at rules.c:2958
#2  0x17f84 in ProcessPacket (user=0x0, pkthdr=0xeffffc68, pkt=0x699a6 "")
    at snort.c:455
#3  0x3047c in pcap_read ()
#4  0x31190 in pcap_loop ()
#5  0x18f8c in InterfaceThread (arg=0x61028) at snort.c:1252
#6  0x17e38 in main (argc=0, argv=0xeffffe54) at snort.c:392
(gdb) print *sptr
$1 = {sip = 3350555415, cip = 2210144856, sp = 80, cp = 47706,
  client_status = 4, server_status = 4, c_first_seq = 949934783,
  s_first_seq = 2058672871, c_fin_seq = 0, s_fin_seq = 0,
  c_last_acked = 949934783, s_last_acked = 2058672871, s_last_byte = 0,
  c_last_byte = 0, c_buf_start = 949934689, s_buf_start = 2058672871,
  c_buf = 0x3d6868 "GET /ids/vision.conf HTTP/1.0\r\nUser-Agent: Wget/1.5.3\r\nHost: whitehats.com:80\r\nAccept: */*\r\n\r\nÖT", c_buf_allocd = 1 '\001',
  c_buf_siz = 81919, c_inbuf = 0, s_buf = 0x0, s_buf_allocd = 0 '\000',
  s_buf_siz = 0, s_inbuf = 0, next = 0x55efe8, timestamp = 975978061}
(gdb)

Erich
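
The following is an added example, not part of the original message and not code from spp_tcp_stream.c: a guarded form of the end-of-line test that faults at line 355 when s_buf is 0x0, as in the dump above. The field names come from the gdb output; the struct layout, the types, the helper name last_byte_is_eol and the reading of i as the number of bytes held in s_buf are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed subset of the session record. Field names are taken from the
 * gdb dump; the types and the layout are assumed. */
typedef struct {
    unsigned char *s_buf;     /* server-side reassembly buffer, NULL until allocated */
    unsigned int   s_buf_siz; /* allocated size of s_buf in bytes */
    unsigned int   s_inbuf;   /* assumed: number of bytes currently held in s_buf */
} StreamSide;

/* Hypothetical helper: returns 1 when the last buffered byte is LF (0x0a)
 * or CR (0x0d). Returns 0 when there is no buffer, no data, or a byte count
 * that exceeds the allocation, so s_buf[i-1] is never read in those states. */
int last_byte_is_eol(const StreamSide *s)
{
    size_t i;

    if (s == NULL || s->s_buf == NULL)
        return 0;                      /* the state shown in the dump */
    i = s->s_inbuf;
    if (i == 0 || i > s->s_buf_siz)
        return 0;                      /* i-1 would underflow or overrun */
    return s->s_buf[i - 1] == 0x0a || s->s_buf[i - 1] == 0x0d;
}

int main(void)
{
    /* Constructed states: the first mirrors s_buf = 0x0, s_buf_siz = 0,
     * s_inbuf = 0 from the dump; the second is a populated buffer. */
    unsigned char data[16] = "HTTP/1.0 200\r\n";
    StreamSide dumped = { NULL, 0, 0 };
    StreamSide filled = { data, sizeof data, 14 };

    printf("dumped: %d\n", last_byte_is_eol(&dumped));
    printf("filled: %d\n", last_byte_is_eol(&filled));
    return 0;
}
```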


