[Snort-devel] Re: checksum seg fault

Christopher Cramer cec at ...56...
Tue Nov 14 11:26:40 EST 2000


I think that this is an issue with DecodeIP.  It seems that we aren't
doing enough bullet proofing regarding a possibly short packet.  I think
that what is happening is the following:

DecodeIP receives a packet that is 28 bytes in length.  This is longer
than the check to see if we have a greater length than an IP header b/c
the min IP header is 20 bytes.  The problem seems to be that when we get
to DecodeUDP, the packet is 4294967293 bytes in length.  My guess is that
there are IP options (or errors) making the specified packet header longer
than 28 bytes.

I think the IP length check should verify that the packet length is longer
than hlen = p->iph->ip_hlen << 2;  rather than a flat 20 bytes.  

Anyway, in DecodeUDP, the checksum routing is told that we have 4294967293
bytes to check and tries to do so.  Of course this kills us.  

Unless anyone else is jumping at the opportunity, I'll probably start
going through the Decode routines and try to do some more error checks.


On Mon, 13 Nov 2000, Joe McAlerney wrote:

> Hello again Chris,
> I hate to be the barer of bad news again, but it seems there is a
> problem with the checksum code.  I have a number of core files, and all
> of them point to line 63 of checksum.c:
> # gdb snort /var/log/snort/snort.core
> GNU gdb 4.16.1
> Copyright 1996 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you
> are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for
> details.
> This GDB was configured as "i386-unknown-openbsd2.6"...
> Core was generated by `snort'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /usr/libexec/ld.so...done.
> Reading symbols from /usr/local/lib/libssl.so.2.2...done.
> Reading symbols from /usr/local/lib/libcrypto.so.2.2...done.
> Reading symbols from /usr/lib/libc.so.23.1...done.
> #0  0x1fc53 in checksum (b1=0xdfbfd2b4, len1=12, b2=0x9e4000,
> len2=4294967293)
>     at checksum.c:63
> 63                  sum += *((u_int16_t*)b2 ++);
> (gdb) bt
> #0  0x1fc53 in checksum (b1=0xdfbfd2b4, len1=12, b2=0x9e4000,
> len2=4294967293)
>     at checksum.c:63
> #1  0x96ef in DecodeUDP (pkt=0x422ac "\004\001i\207", len=4294967293, 
>     p=0xdfbfd334) at decode.c:918
> #2  0x94ba in DecodeIP (pkt=0x42298 "E", len=28, p=0xdfbfd334) at
> decode.c:720
> #3  0x98c6 in DecodeICMP (pkt=0x42290 "\003\003\203�", len=36,
> p=0xdfbfd7f4)
>     at decode.c:1042
> #4  0x94da in DecodeIP (pkt=0x4227c "E", len=56, p=0xdfbfd7f4) at
> decode.c:726
> #5  0x8d11 in DecodeEthPkt (p=0xdfbfd7f4, pkthdr=0x4225c, pkt=0x4226e
> "")
>     at decode.c:80
> #6  0x1eb9 in ProcessPacket (user=0x0, pkthdr=0x4225c, pkt=0x4226e "")
>     at snort.c:416
> #7  0x1fe1c in pcap_read ()
> #8  0x20318 in pcap_loop ()
> #9  0x3d29 in InterfaceThread (arg=0x0) at snort.c:1250
> #10 0x1e8c in main (argc=9, argv=0xdfbfdd34) at snort.c:399
> I noticed that the last log was a Large UDP packet.  Let me know if
> there is anything I can do to help.
> Thanks,
> -Joe M.
> -- 
> +--                            --+
> | Joe McAlerney, Silicon Defense |
> | http://www.silicondefense.com/ |
> +--                            --+

More information about the Snort-devel mailing list