[Snort-devel] Coredump in TCP Stream Reassembly

Christopher Cramer cec at ...56...
Tue Dec 5 16:14:59 EST 2000


Erich,

I just added some new checks to the dynamically allocated buffers in the
TCP Stream Reassembly code.  It should be in the CVS now.  If you can try
this out and see what happens, I would appreciate it.

-Chris

p.s. to snort-devel, I also added some packet counting statistics for tcp
stream reassembly to snort.h, snort.c and spp_tcp_stream.c



On Tue, 5 Dec 2000, Erich Meier wrote:

> On Mon, Dec 04, 2000 at 11:40:55AM -0500, Christopher Cramer wrote:
> > 
> > Does this happen immediately after starting snort, or just periodically?
> 
> Periodically after a few minutes of operation.
> 
> > I don't think this is an alignment problem since we are working here with
> > u_char buffers.  It seems to be an issue with not having enough data in
> > the dynamically allocated buffers.  From gdb, can you "print *sptr" and
> > send me the results?
> 
> Sure. (That should also satisfy Fyodor's request for the value of s_buf.)
> 
> # gdb /local/snort/bin/snort ./core
> Program terminated with signal 11, Segmentation fault.
> #0  0x2ed84 in TcpStreamPacket (p=0xeffff7b8) at spp_tcp_stream.c:355
> 355                     if (sptr->s_buf[i-1] == 0xa || sptr->s_buf[i-1] == 0xd)
> (gdb) bt
> #0  0x2ed84 in TcpStreamPacket (p=0xeffff7b8) at spp_tcp_stream.c:355
> #1  0x216c0 in Preprocess (p=0xeffff7b8) at rules.c:2958
> #2  0x17f84 in ProcessPacket (user=0x0, pkthdr=0xeffffc68, pkt=0x699a6 "")
>     at snort.c:455
> #3  0x3047c in pcap_read ()
> #4  0x31190 in pcap_loop ()
> #5  0x18f8c in InterfaceThread (arg=0x61028) at snort.c:1252
> #6  0x17e38 in main (argc=0, argv=0xeffffe54) at snort.c:392
> (gdb) print *sptr
> $1 = {sip = 3350555415, cip = 2210144856, sp = 80, cp = 47706,
>   client_status = 4, server_status = 4, c_first_seq = 949934783,
>   s_first_seq = 2058672871, c_fin_seq = 0, s_fin_seq = 0,
>   c_last_acked = 949934783, s_last_acked = 2058672871, s_last_byte = 0,
>   c_last_byte = 0, c_buf_start = 949934689, s_buf_start = 2058672871,
>   c_buf = 0x3d6868 "GET /ids/vision.conf HTTP/1.0\r\nUser-Agent: Wget/1.5.3\r\nHost: whitehats.com:80\r\nAccept: */*\r\n\r\n�T", c_buf_allocd = 1 '\001',
>   c_buf_siz = 81919, c_inbuf = 0, s_buf = 0x0, s_buf_allocd = 0 '\000',
>   s_buf_siz = 0, s_inbuf = 0, next = 0x55efe8, timestamp = 975978061}
> (gdb)
> 
> Erich
> 
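The gdb output above shows line 355 reading `sptr->s_buf[i-1]` while `s_buf = 0x0`, `s_buf_allocd = 0` and `s_buf_siz = 0`. The following is an added example, not Snort's code and not the check that went into CVS: it shows one way to guard that access. The field names come from the dump; the `stream_bufs` type, the helper names, and the reading of `s_inbuf` as "bytes currently stored" are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical reduced session record: only the server-side buffer fields
 * from the "print *sptr" output are kept. */
typedef struct {
    unsigned char *s_buf;        /* NULL until allocated */
    unsigned char  s_buf_allocd; /* nonzero once s_buf is valid */
    unsigned long  s_buf_siz;    /* capacity in bytes */
    unsigned long  s_inbuf;      /* bytes currently stored (assumed meaning) */
} stream_bufs;

/* 1 if byte i-1 is LF or CR, 0 if not, -1 if reading it would be invalid. */
int server_byte_is_eol(const stream_bufs *sptr, unsigned long i)
{
    if (sptr == NULL || sptr->s_buf == NULL || !sptr->s_buf_allocd)
        return -1;                       /* the state seen in the core */
    if (sptr->s_inbuf > sptr->s_buf_siz)
        return -1;                       /* inconsistent bookkeeping */
    if (i == 0 || i > sptr->s_inbuf)
        return -1;                       /* i-1 would be out of range */
    return sptr->s_buf[i - 1] == 0xa || sptr->s_buf[i - 1] == 0xd;
}

/* Constructed from the dump: s_buf = 0x0, s_buf_allocd = 0, sizes 0. */
int check_dumped_state(unsigned long i)
{
    stream_bufs s = { NULL, 0, 0, 0 };
    return server_byte_is_eol(&s, i);
}

/* Constructed contrast case: 4 bytes "OK\r\n" in a 16-byte buffer. */
int check_populated(unsigned long i)
{
    static unsigned char data[16] = "OK\r\n";
    stream_bufs s = { data, 1, sizeof data, 4 };
    return server_byte_is_eol(&s, i);
}

int main(void)
{
    printf("dumped state, i=1: %d\n", check_dumped_state(1));
    printf("populated,    i=4: %d\n", check_populated(4));
    printf("populated,    i=5: %d\n", check_populated(5));
    return 0;
}
```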