[Snort-devel] Version 1.7-beta3 segmentation fault in checksum.c

Christopher Cramer cec at ...56...
Fri Nov 17 23:33:53 EST 2000


Philip,

This is a known problem that actually resides in the IP decoding
engine.  Certain types of corrupt packets will basically cause snort to
believe that the packet length is ~2^32.  When the checksum routines try
to parse this they eventually access a memory address not owned by snort.   
I was going to try to fix the DecodeIP routine this week, but got
sidetracked.

The fix should be available soon, maybe by Monday.

-Chris

----------------------------------------------------------------------
Dr. Christopher E. Cramer
Assistant Research Professor
Duke University, Department of Electrical and Computer Engineering
114 Hudson Hall, Box 90291, Durham, NC  27708-0291
PH:  919-660-5248     FAX:  919-660-5293     email:  cec at ...56...


On Fri, 17 Nov 2000, C. Philip Wood wrote:

> 
> Stop the presses, your snort may die as did mine:
> 
> gdb bin/snort core
> GNU gdb 19990928
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i686-pc-linux-gnu"...
> 
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /lib/libnsl.so.1...done.
> Reading symbols from /lib/libm.so.6...done.
> Reading symbols from /usr/lib/libmysqlclient.so.6...done.
> Reading symbols from /lib/libc.so.6...done.
> Reading symbols from /usr/lib/libz.so.1...done.
> Reading symbols from /lib/libcrypt.so.1...done.
> Reading symbols from /lib/ld-linux.so.2...done.
> Reading symbols from /lib/libnss_db.so.2...done.
> Reading symbols from /lib/libdb.so.3...done.
> Reading symbols from /lib/libnss_files.so.2...done.
> Reading symbols from /lib/libnss_dns.so.2...done.
> Reading symbols from /lib/libresolv.so.2...done.
> #0  0x80627f6 in checksum (b1=0xbfffec20, len1=12, b2=0x40352000, 
> ---Type <return> to continue, or q <return> to quit---
>     len2=4294967292) at checksum.c:63
> 63                  sum += *((u_int16_t*)b2 ++);
> (gdb) where
> #0  0x80627f6 in checksum (b1=0xbfffec20, len1=12, b2=0x40352000, 
>     len2=4294967292) at checksum.c:63
> #1  0x804feea in DecodeUDP (pkt=0x402576c0 "\006 \004\230", len=4294967292, 
>     p=0xbfffeca0) at decode.c:918
> #2  0x804fd26 in DecodeIP (pkt=0x402576ac "E", len=28, p=0xbfffeca0)
>     at decode.c:720
> #3  0x8050029 in DecodeICMP (pkt=0x402576a4 "\003\003ñÈ", len=36, p=0xbffff160)
>     at decode.c:1042
> #4  0x804fd46 in DecodeIP (pkt=0x40257690 "E", len=56, p=0xbffff160)
>     at decode.c:726
> #5  0x804fb8e in DecodeFDDIPkt (p=0xbffff160, pkthdr=0xbffff604, 
>     pkt=0x4025767b "P") at decode.c:390
> #6  0x804aa49 in ProcessPacket (user=0x0, pkthdr=0xbffff604, 
>     pkt=0x4025767b "P") at snort.c:466
> #7  0x8062b98 in packet_ring_recv ()
> #8  0x8062edf in pcap_read ()
> #9  0x8063b63 in pcap_loop ()
> #10 0x804cb55 in InterfaceThread (arg=0x0) at snort.c:1359
> #11 0x804aa18 in main (argc=16, argv=0xbffff7f4) at snort.c:449
> 
> pkt is the following in DecodeIP at decode.c:720
> 0x4028e6ac:     0x10000045
> 0x4028e6b0:     0x00003bda
> 0x4028e6b4:     0x7c171173
> 0x4028e6b8:     0x1300eb94
> 0x4028e6bc:     0x030110c0
> 0x4028e6c0:     0x9804f408
> 0x4028e6c4:     0x00001000
> 0x4028e6c8:     0x1f041300
> 0x4028e6cc:     0x23222120
> 0x4028e6d0:     0x27262524
> 0x4028e6d4:     0x2b2a2928
> 0x4028e6d8:     0x2f2e2d2c
> 0x4028e6dc:     0x33323130
> 0x4028e6e0:     0x37363534
> 0x4028e6e4:     0x00000000
> 0x4028e6e8:     0x00000000
> 0x4028e6ec:     0x00000000
> 0x4028e6f0:     0x00000000
> 0x4028e6f4:     0x00000000
> 0x4028e6f8:     0x00000000
> 0x4028e6fc:     0x00000000
> 0x4028e700:     0x00000000
> 0x4028e704:     0x00000000
> 
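As an added illustration of the arithmetic Chris describes (this is example code, not Snort's decode.c): read as little-endian words from the i686 host in the trace, the quoted dump gives an IP header whose total-length field (16) is smaller than its 20-byte header, so an unchecked `ip_len - hlen` wraps to 4294967292, the `len2` seen in `checksum()`. The checked variant is an assumed fix written here for contrast, not the one that went into 1.7; the second packet is the same bytes with the length field corrected to 28 (its IP checksum is not recomputed).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bytes re-serialised from the quoted gdb dump at decode.c:720 (little-endian
 * words): 20-byte IP header + 8-byte UDP header = the 28-byte DecodeIP frame. */
static const uint8_t corrupt_pkt[28] = {
    0x45,0x00,0x00,0x10, 0xda,0x3b,0x00,0x00, 0x73,0x11,0x17,0x7c,
    0x94,0xeb,0x00,0x13, 0xc0,0x10,0x01,0x03,            /* IP: total length 16 */
    0x08,0xf4,0x04,0x98, 0x00,0x10,0x00,0x00             /* UDP header */
};

/* Constructed control case: identical except total length = 28 (0x001c). */
static const uint8_t valid_pkt[28] = {
    0x45,0x00,0x00,0x1c, 0xda,0x3b,0x00,0x00, 0x73,0x11,0x17,0x7c,
    0x94,0xeb,0x00,0x13, 0xc0,0x10,0x01,0x03,
    0x08,0xf4,0x04,0x98, 0x00,0x10,0x00,0x00
};

/* The unchecked arithmetic behind the trace: payload = total length - header
 * length. 16 - 20 in unsigned 32-bit arithmetic is 0xFFFFFFFC = 4294967292. */
uint32_t unchecked_payload_len(const uint8_t *pkt)
{
    uint32_t hlen   = (pkt[0] & 0x0f) * 4u;
    uint32_t ip_len = ((uint32_t)pkt[2] << 8) | pkt[3];
    return ip_len - hlen;
}

/* Assumed hardened variant: validate the header against itself and against the
 * captured length before deriving anything from it. Returns -1 if malformed,
 * otherwise the payload length in bytes. */
int checked_payload_len(const uint8_t *pkt, size_t caplen)
{
    if (caplen < 20 || (pkt[0] >> 4) != 4)       /* need a full minimal IPv4 header */
        return -1;
    size_t hlen   = (pkt[0] & 0x0f) * 4u;
    size_t ip_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (hlen < 20 || hlen > caplen)               /* IHL below minimum or past capture */
        return -1;
    if (ip_len < hlen || ip_len > caplen)         /* shorter than header, or truncated */
        return -1;
    return (int)(ip_len - hlen);
}

int main(void)
{
    printf("unchecked: %u\n", unchecked_payload_len(corrupt_pkt));
    printf("checked:   %d\n", checked_payload_len(corrupt_pkt, sizeof corrupt_pkt));
    printf("valid:     %d\n", checked_payload_len(valid_pkt, sizeof valid_pkt));
    return 0;
}
```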
