[Snort-devel] SIGSEGV in spp_defrag

Achim Gsell a at ...384...
Fri Apr 20 05:05:21 EDT 2001


Hi,

The following patch fixes a bug in the defragment preprocessor (all versions 
up to cvs version of April 19th):

--- snort-20010419/snort/spp_defrag.c   Tue Jan  2 09:06:01 2001
+++ snort-20010419.patched/snort/spp_defrag.c   Fri Apr 20 10:19:37 2001
@@ -933,9 +933,9 @@
                     fflush(stderr);
                     mem_freed += freetemp->caplen + overhead + 20;
 #endif
+                    froot = fragdelete(froot->key, froot);
                     fragmemuse -= freetemp->caplen + overhead + 20;
                     free(freetemp);
-                    froot = fragdelete(froot->key, froot);
                     fragsweep--;
                     pc.frag_timeout++;
                 }
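Review bot: the reorder only closes the use-after-free if fragdelete() leaves the node for the caller to free. After the move, the hunk still reads `freetemp->caplen` and then calls `free(freetemp)` after `froot = fragdelete(froot->key, froot);`, so if fragdelete releases the node itself (or ever starts to), the patched code reads freed memory and then double-frees it. Copying the accounting value out before any release, e.g. `size_t caplen = freetemp->caplen;` as the first statement in the block, and stating in fragdelete's comment who owns the returned node would make the loop correct regardless of that contract. The hunk also relies on freetemp being the node at froot (the key passed is `froot->key`), which is worth a one-line comment at the top of the block.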

Without the patch, the memory pointed to by "freetemp" is referenced in 
"fragdelete(..)" after it has already been released. This may work if the memory 
hasn't yet been released to the OS.
I tested it on Linux 2.2.17 and Linux 2.4.3. With the old kernel the unpatched 
binary runs fine, but it crashes with a SIGSEGV on the same 
system with Linux 2.4.3.

Achim
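As an added illustration of the ordering the patch enforces (this is example code, not Snort's spp_defrag.c and not part of the message above), the sweep loop below frees a timed-out fragment only after every field it needs has been read and the node has been unlinked. The fragment table is modelled as a singly linked list with unique keys instead of Snort's tree, and fraginsert, fragcount and demo_sweep are names invented for this example; the timestamps and keys in demo_sweep are constructed.

```c
#include <stdlib.h>

/* Added illustration, not Snort's spp_defrag.c: the fragment table is a
 * singly linked list with unique keys (Snort's is a tree); fraginsert,
 * fragcount and demo_sweep are names invented for this example. */
typedef struct Frag {
    unsigned key;      /* reassembly key; constructed stand-in for an IP id */
    size_t caplen;     /* captured bytes held by this node */
    long last_seen;    /* arrival time in seconds on a constructed clock */
    struct Frag *next;
} Frag;

static size_t fragmemuse = 0;   /* bytes held by live nodes, as in the patch */

/* Insert at the head. Precondition: `key` is not already in the list, so
 * fragdelete's first match is always the node the sweep is about to free. */
Frag *fraginsert(Frag *root, unsigned key, size_t caplen, long now)
{
    Frag *f = calloc(1, sizeof *f);
    if (f == NULL)
        return root;               /* allocation failure: list unchanged */
    f->key = key;
    f->caplen = caplen;
    f->last_seen = now;
    f->next = root;
    fragmemuse += caplen;
    return f;
}

/* Unlink the node carrying `key` and return the new root. The node is not
 * freed here; ownership returns to the caller, which is the contract the
 * patched loop relies on when it calls free(freetemp) afterwards. */
Frag *fragdelete(unsigned key, Frag *root)
{
    Frag **link = &root;
    while (*link != NULL && (*link)->key != key)
        link = &(*link)->next;
    if (*link != NULL)
        *link = (*link)->next;
    return root;
}

size_t fragcount(const Frag *root)
{
    size_t n = 0;
    for (; root != NULL; root = root->next)
        n++;
    return n;
}

/* Expire fragments older than `timeout` seconds; returns how many were freed.
 * The ordering is the whole point: the node's fields are read and the node
 * is unlinked while it is still allocated, and free() is its last use. The
 * unpatched loop did free(freetemp) first and fragdelete(froot->key, froot)
 * second, a use-after-free that stays silent until the allocator reuses or
 * unmaps that memory, which is why it ran on one kernel and crashed on another. */
size_t fragsweep(Frag **rootp, long now, long timeout)
{
    size_t freed = 0;
    Frag *cur = *rootp;
    while (cur != NULL) {
        Frag *next = cur->next;                 /* read while cur is alive */
        if (now - cur->last_seen > timeout) {
            Frag *freetemp = cur;
            size_t caplen = freetemp->caplen;   /* accounting value copied first */
            *rootp = fragdelete(freetemp->key, *rootp);
            fragmemuse -= caplen;
            free(freetemp);                     /* nothing touches freetemp after this */
            freed++;
        }
        cur = next;
    }
    return freed;
}

struct DemoResult { size_t freed, remaining, mem_after; };

/* Constructed scenario: fragments seen at t=0, 5 and 50 s, swept at t=60 s
 * with a 30 s timeout, so the first two expire and the third survives. */
struct DemoResult demo_sweep(void)
{
    struct DemoResult r;
    Frag *root = NULL;
    fragmemuse = 0;
    root = fraginsert(root, 0x1001, 100, 0);
    root = fraginsert(root, 0x1002, 200, 5);
    root = fraginsert(root, 0x1003, 300, 50);
    r.freed = fragsweep(&root, 60, 30);
    r.remaining = fragcount(root);
    r.mem_after = fragmemuse;
    fragsweep(&root, 60, -1);          /* expire everything left: clean up */
    return r;
}
```

Copying `caplen` into a local before the unlink is deliberate: it keeps the accounting correct even if fragdelete is later changed to release the node itself, which is the one case the patch's ordering does not cover.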