[Snort-devel] SIGSEGV in spp_defrag

Fyodor fygrave at ...1...
Fri Apr 20 05:46:09 EDT 2001


On Fri, Apr 20, 2001 at 11:05:21AM +0200, Achim Gsell wrote:
> Hi,
> 
> The following patch fixes a bug in the defragment preprocessor (all versions 
> up to cvs version of April 19th):
> 
> --- snort-20010419/snort/spp_defrag.c   Tue Jan  2 09:06:01 2001
> +++ snort-20010419.patched/snort/spp_defrag.c   Fri Apr 20 10:19:37 2001
> @@ -933,9 +933,9 @@
>                      fflush(stderr);
>                      mem_freed += freetemp->caplen + overhead + 20;
>  #endif
> +                    froot = fragdelete(froot->key, froot);
>                      fragmemuse -= freetemp->caplen + overhead + 20;
>                      free(freetemp);
> -                    froot = fragdelete(froot->key, froot);
>                      fragsweep--;
>                      pc.frag_timeout++;
>                  }
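Review bot: moving `froot = fragdelete(froot->key, froot);` above the line `fragmemuse -= freetemp->caplen + overhead + 20;` is more than the fix needs; only `free(freetemp)` has to come after `fragdelete()`, and the `fragmemuse` line still dereferences `freetemp`, so keeping it in its original place and only pushing `free(freetemp)` below `fragdelete()` makes the dependency clearer. A short comment stating that the packet must outlive the tree deletion would keep a later reader from swapping the two lines back.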
> 
> Without the patch the memory pointed to by "freetemp" is referenced in 
> "fragdelete(..)" after it has already been released. This may work if the memory 
> hasn't already been released to the OS.
> I tested it on Linux 2.2.17 and Linux 2.4.3. With the old kernel the unpatched 
> binary runs fine, but it crashes with a SIGSEGV running on the same 
> system with Linux 2.4.3.
> 

Err.. I am failing to locate where it is actually being referenced in fragdelete
or its subcalled functions; would you mind sending a stack backtrace so I can have a look? :->

Anyway, if the bug is really there, a similar pattern can be seen in some other places
of spp_defrag.c, so the full patch would be something like this. Let's confirm that there's
really a problem and I shall commit it :)


Index: spp_defrag.c
===================================================================
RCS file: /cvsroot/snort/snort/spp_defrag.c,v
retrieving revision 1.10
diff -u -r1.10 spp_defrag.c
--- spp_defrag.c	2001/01/02 08:06:01	1.10
+++ spp_defrag.c	2001/04/20 09:41:38
@@ -730,10 +730,11 @@
                 /* this fragment was an element of a rebuilt packet */
                 pc.rebuild_element++;
                 fragmemuse -= (((struct pcap_pkthdr *)np)->caplen + overhead + 20);
-                free(np);
             }
 
             froot = fragdelete(froot->key, froot);
+            if(np)
+                free(np);
         }
     }
 
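Review bot: the new `if(np) free(np);` after `fragdelete()` assumes `np` is NULL on every path that reaches this point without taking the rebuilt-element branch; the hunk does not show where `np` is assigned, so confirm it is initialised to NULL before the branch rather than left holding a previous iteration's pointer, otherwise the guard frees a stale buffer. A one-line comment saying why the free now follows `fragdelete()` would document the intent.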
@@ -934,8 +935,8 @@
                     mem_freed += freetemp->caplen + overhead + 20;
 #endif
                     fragmemuse -= freetemp->caplen + overhead + 20;
-                    free(freetemp);
                     froot = fragdelete(froot->key, froot);
+                    free(freetemp);
                     fragsweep--;
                     pc.frag_timeout++;
                 }
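Review bot: the reorder is sound as far as the visible lines go: `freetemp->caplen` is read before `fragdelete()` and `free(freetemp)` now comes after it, so the packet outlives the tree operation. Since the identical three-line sequence is repeated at 966 and 1025, a comment such as `/* delete the tree node before releasing the packet it refers to */` here would stop the order being "tidied" back by a later edit.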
@@ -966,8 +967,8 @@
                         mem_freed += freetemp->caplen + overhead + 20;
 #endif
                         fragmemuse -= freetemp->caplen + overhead + 20;
-                        free(freetemp);
                         froot = fragdelete(froot->key, froot);
+                        free(freetemp);
                         fragsweep--;
                         pc.frag_incomp++;
                     }
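Review bot: same reorder as the hunk at 934 and the same reasoning applies; with three copies of `fragmemuse -= ...; froot = fragdelete(...); free(freetemp);` in the file, a small helper that deletes the node and then releases the packet in that fixed order would make it impossible for one copy to drift out of sync with the others.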
@@ -1025,8 +1026,8 @@
                 treedump(froot);
 #endif
                 fragmemuse -= freetemp->caplen + overhead + 20;
-                free(freetemp);
                 froot = fragdelete(froot->key, froot);
+                free(freetemp);
                 fragsweep--;
                 pc.frag_timeout++;
             }
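Review bot: the debug `treedump(froot)` inside the `#ifdef` block still runs before the node is removed; if its purpose is to show the tree state after the sweep, a second dump after `fragdelete()` would be needed. Otherwise the hunk mirrors the ones at 934 and 966, and `froot` is not read through the old node after `fragdelete()`.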

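The ordering bug the thread is about, as an added example that is not spp_defrag's own code or types: a list node standing in for `froot` owns a packet buffer standing in for `freetemp`, and the hypothetical `fragdelete()` here is written to read that buffer while unlinking the node, which is the behaviour the report attributes to the real routine. The "free" in the model poisons and quarantines the block instead of returning it to malloc, so the stale read stays defined behaviour and is deterministic: with the pre-patch order the node is never removed, with the patched order it is. The names `qfree`, `qflush`, `pkt_id`, `make_frag`, `sweep_buggy` and `sweep_fixed` are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not spp_defrag's types): a list node standing in for froot
 * owns a packet buffer standing in for freetemp; the first 4 bytes of the packet
 * carry the fragment id that the node's key was copied from. */
typedef struct Frag {
    struct Frag *next;
    uint32_t key;
    uint8_t *pkt;
    size_t caplen;
} Frag;

/* Quarantine "free": poison the block and park it instead of returning it to
 * malloc. Reads through a dangling pointer stay defined behaviour in this model
 * and see garbage deterministically, the way a sanitizer quarantine arranges. */
enum { QSLOTS = 16 };
static void *quarantine[QSLOTS];
static int qcount;

static void qfree(void *p, size_t n) {
    memset(p, 0xAA, n);
    if (qcount < QSLOTS) quarantine[qcount++] = p;
    else free(p);
}

static void qflush(void) {
    while (qcount > 0) free(quarantine[--qcount]);
}

static uint32_t pkt_id(const uint8_t *pkt) {
    uint32_t id;
    memcpy(&id, pkt, sizeof id);
    return id;
}

/* Hypothetical delete routine: unlinks the node for key, but consults the packet
 * the node owns while doing so. That read is what must not follow free(). */
static Frag *fragdelete(uint32_t key, Frag *root) {
    for (Frag **pp = &root; *pp; pp = &(*pp)->next) {
        Frag *n = *pp;
        if (n->key == key && pkt_id(n->pkt) == key) {
            *pp = n->next;
            free(n);
            break;
        }
    }
    return root;   /* unchanged if nothing matched */
}

static Frag *make_frag(uint32_t id, size_t caplen) {
    Frag *f = calloc(1, sizeof *f);
    f->pkt = calloc(caplen, 1);
    memcpy(f->pkt, &id, sizeof id);
    f->key = id;
    f->caplen = caplen;
    return f;
}

static int count(const Frag *f) {
    int n = 0;
    for (; f; f = f->next) n++;
    return n;
}

static void drop_list(Frag *f) {
    while (f) { Frag *next = f->next; free(f); f = next; }
}

/* Pre-patch order: release the packet, then delete the node that still points at
 * it. Returns how many nodes are left (expected 1: the delete saw a poisoned
 * packet, did not match, and the node is left holding a dangling pointer). */
static int sweep_buggy(void) {
    Frag *froot = make_frag(0x1234, 64);
    uint8_t *freetemp = froot->pkt;
    qfree(freetemp, froot->caplen);
    froot = fragdelete(froot->key, froot);
    int left = count(froot);
    drop_list(froot);
    qflush();
    return left;
}

/* Patched order: delete the node first, release the packet afterwards.
 * Returns how many nodes are left (expected 0). */
static int sweep_fixed(void) {
    Frag *froot = make_frag(0x1234, 64);
    uint8_t *freetemp = froot->pkt;
    size_t caplen = froot->caplen;
    froot = fragdelete(froot->key, froot);
    qfree(freetemp, caplen);
    int left = count(froot);
    drop_list(froot);
    qflush();
    return left;
}

int main(void) {
    printf("free-then-delete leaves %d node(s)\n", sweep_buggy());
    printf("delete-then-free leaves %d node(s)\n", sweep_fixed());
    return 0;
}
```

The quarantine is what turns the report's "may work, depending on the kernel" into a reproducible result: an allocator that leaves a freed block untouched returns the old contents to the stale read and the sweep appears to work, while one that reuses or unmaps the block turns the same read into garbage or a SIGSEGV. Building the real preprocessor with AddressSanitizer gives the same determinism on the actual tree and reports the first stale access with a stack trace, which is the backtrace the thread asks for.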