[Snort-devel] Coredump in TCP Stream Reassembly

Christopher Cramer cec at ...56...
Tue Dec 5 08:47:35 EST 2000


Interesting.  It seems that somehow the dynamically allocated buffer for
s_buf isn't being dynamically allocated.  :)

This is odd since we should have been able to allocate space for s_buf by
this point in the code.

I'll look into this today.

-Chris


On Tue, 5 Dec 2000, Erich Meier wrote:

> On Mon, Dec 04, 2000 at 11:40:55AM -0500, Christopher Cramer wrote:
> > 
> > Does this happen immediately after starting snort, or just periodically?
> 
> Periodically after a few minutes of operation.
> 
> > I don't think this is an alignment problem since we are working here with
> > u_char buffers.  It seems to be an issue with not having enough data in
> > the dynamically allocated buffers.  From gdb, can you "print *sptr" and
> > send me the results?
> 
> Sure. (That should also satisfy Fyodor's request for the value of s_buf.)
> 
> # gdb /local/snort/bin/snort ./core
> Program terminated with signal 11, Segmentation fault.
> #0  0x2ed84 in TcpStreamPacket (p=0xeffff7b8) at spp_tcp_stream.c:355
> 355                     if (sptr->s_buf[i-1] == 0xa || sptr->s_buf[i-1] == 0xd)
> (gdb) bt
> #0  0x2ed84 in TcpStreamPacket (p=0xeffff7b8) at spp_tcp_stream.c:355
> #1  0x216c0 in Preprocess (p=0xeffff7b8) at rules.c:2958
> #2  0x17f84 in ProcessPacket (user=0x0, pkthdr=0xeffffc68, pkt=0x699a6 "")
>     at snort.c:455
> #3  0x3047c in pcap_read ()
> #4  0x31190 in pcap_loop ()
> #5  0x18f8c in InterfaceThread (arg=0x61028) at snort.c:1252
> #6  0x17e38 in main (argc=0, argv=0xeffffe54) at snort.c:392
> (gdb) print *sptr
> $1 = {sip = 3350555415, cip = 2210144856, sp = 80, cp = 47706,
>   client_status = 4, server_status = 4, c_first_seq = 949934783,
>   s_first_seq = 2058672871, c_fin_seq = 0, s_fin_seq = 0,
>   c_last_acked = 949934783, s_last_acked = 2058672871, s_last_byte = 0,
>   c_last_byte = 0, c_buf_start = 949934689, s_buf_start = 2058672871,
>   c_buf = 0x3d6868 "GET /ids/vision.conf HTTP/1.0\r\nUser-Agent: Wget/1.5.3\r\nHost: whitehats.com:80\r\nAccept: */*\r\n\r\n�T", c_buf_allocd = 1 '\001',
>   c_buf_siz = 81919, c_inbuf = 0, s_buf = 0x0, s_buf_allocd = 0 '\000',
>   s_buf_siz = 0, s_inbuf = 0, next = 0x55efe8, timestamp = 975978061}
> (gdb)
> 
> Erich
> 
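
Added example, not part of the original thread and not Snort's code: a guarded form of the test at spp_tcp_stream.c:355 for the state shown in the dump (s_buf = 0x0, s_buf_allocd = 0, s_buf_siz = 0). Only the four s_* field names come from the gdb output; the struct name, both helper functions, their return codes and the allocate-on-first-use policy are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Server-side fields as printed by "print *sptr"; the struct name is hypothetical. */
struct stream_side {
    unsigned char *s_buf;        /* 0x0 in the dump */
    unsigned char  s_buf_allocd; /* 0 in the dump */
    unsigned int   s_buf_siz;    /* 0 in the dump */
    unsigned int   s_inbuf;
};

/* Guarded version of: s_buf[i-1] == 0xa || s_buf[i-1] == 0xd
 * Returns 1 if byte i-1 is LF or CR, 0 if it is not, and -1 if the byte
 * cannot be read (no buffer, i == 0, or i beyond the allocation). */
int s_buf_ends_line(const struct stream_side *sp, unsigned int i)
{
    if (sp == NULL || sp->s_buf == NULL || !sp->s_buf_allocd)
        return -1;
    if (i == 0 || i > sp->s_buf_siz)   /* i-1 would wrap or overrun */
        return -1;
    return sp->s_buf[i - 1] == 0x0a || sp->s_buf[i - 1] == 0x0d;
}

/* Assumed policy: allocate the server buffer on first use. 0 on success. */
int s_buf_ensure(struct stream_side *sp, unsigned int size)
{
    if (sp->s_buf != NULL && sp->s_buf_allocd)
        return 0;
    if (size == 0 || (sp->s_buf = calloc(1, size)) == NULL)
        return -1;
    sp->s_buf_allocd = 1;
    sp->s_buf_siz = size;
    sp->s_inbuf = 0;
    return 0;
}

int main(void)
{
    struct stream_side s = {0};  /* same state as the core dump */
    printf("unallocated: %d\n", s_buf_ends_line(&s, 1));
    if (s_buf_ensure(&s, 81919) != 0)  /* size borrowed from c_buf_siz */
        return 1;
    memcpy(s.s_buf, "HTTP/1.0 200 OK\r\n", 17);  /* constructed sample data */
    s.s_inbuf = 17;
    printf("after CRLF:  %d\n", s_buf_ends_line(&s, s.s_inbuf));
    free(s.s_buf);
    return 0;
}
```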
