[Snort-devel] Snort 1.8beta3 (Build 12) hangs - more debug info...

william.c.gercken at ...350... william.c.gercken at ...350...
Wed Apr 25 17:15:36 EDT 2001


First, please ignore the misguided notes in my last message...

I have narrowed the problem down to an infinite loop which is occurring in
the if(telneg_present) block.
The sequence is: 160 -> 163 -> 178 -> 181 -> 196 -> 160 (I step through the code
in the debugger below).
It appears that the address for read_ptr at line 183 is not incrementing
(see below): the step from 181 goes straight to 196, so the loop body at 183
is never entered and read_ptr keeps the same value (0x80a66c7) on every pass.

Thanks.
-bill
==

    150     if(telneg_present)
    151     {
    152         /* setup for overwriting the negotaiation strings with
    153          * the follow-on data
    154          */
    155         wr+ite_ptr = read_ptr;
    156
    157         /* walk thru the remainder of the packet */
    158         while(read_ptr < end)
    159         {
    160             DebugMessage(DEBUG_PLUGIN, "Checking: %c\n",
*read_ptr);
    161
    162             /* if the following byte isn't a subnegotiation
initialization */
    163             if(*read_ptr == (char) TNC_IAC && *(read_ptr + 1) !
= (char) TNC_SB)
    164             {
    165                 /* NOPs are two bytes long */
    166                 if(*(read_ptr+1) == (char) TNC_NOP)
    167                 {
    168                     read_ptr += 2;
    169                     p->dsize -= 2;
    170                 }
    171                 else
    172                 {
    173                     /* move the read ptr up 3 bytes */
    174                     read_ptr += TNC_STD_LENGTH;
    175                     p->dsize -= TNC_STD_LENGTH;
    176                 }
    177             } /* check for subnegotiation */
    178             else if(*(read_ptr+1) == (char) TNC_SB)
    179             {
    180                 /* move to the end of the subneg */
    181                 while((*read_ptr != (char) TNC_SE) && (read_ptr <
end))
    182                 {
    183                     read_ptr++;
    184                     p->dsize--;
    185                 }
    186             }
    187             else
    188             {
    189                 DebugMessage(DEBUG_PLUGIN, "overwriting %2X(%c)
with %2X (%c)\n",
    190                             (char)(*write_ptr&0xFF), *write_ptr,
    191                             (char)(*read_ptr & 0xFF), *read_ptr);
    192
    193                 /* overwrite the negotiation bytes with the
follow-on bytes */
    194                 *write_ptr++ = *read_ptr++;
    195             }
    196         }
    197
    198         DebugMessage(DEBUG_PLUGIN,
    199                      "Converted buffer after telnet normalization:
\n");
    200 #ifdef DEBUG
    201         PrintNetData(stdout, p->data, p->dsize);
    202 #endif
    203     }


Another trace with steps:

#0  PreprocFunction (p=0xbffff440) at spp_telnet_negotiation.c:196
#1  0x8055202 in Preprocess (p=0xbffff440) at rules.c:3260
#2  0x804b17f in ProcessPacket (user=0x0, pkthdr=0xbffff8f0, pkt=0x80a63da
"")
    at snort.c:500
#3  0x807197e in pcap_read ()
#4  0x8071f4f in pcap_loop ()
#5  0x804c3e3 in InterfaceThread (arg=0x0) at snort.c:1376
#6  0x804b04f in main (argc=10, argv=0xbffffa94) at snort.c:434
#7  0x40158b65 in __libc_start_main (main=0x804aa0c <main>, argc=10,
    ubp_av=0xbffffa94, init=0x8049f2c <_init>, fini=0x8078e3c <_fini>,
    rtld_fini=0x4000df24 <_dl_fini>, stack_end=0xbffffa8c)
    at ../sysdeps/generic/libc-start.c:111
(gdb) s
160                 DebugMessage(DEBUG_PLUGIN, "Checking: %c\n",
*read_ptr);
(gdb) n
163                 if(*read_ptr == (char) TNC_IAC && *(read_ptr + 1) !
= (char)
TNC_SB)
(gdb) s
178                 else if(*(read_ptr+1) == (char) TNC_SB)
(gdb) s
181                     while((*read_ptr != (char) TNC_SE) && (read_ptr <
end))
(gdb) s
196             }
(gdb) s
160                 DebugMessage(DEBUG_PLUGIN, "Checking: %c\n",
*read_ptr);
(gdb)
(gdb) print *p
$1 = {pkth = 0xbffff8f0, pkt = 0x80a63da "", fddihdr = 0x0, fddisaps = 0x0,
  fddisna = 0x0, fddiiparp = 0x0, fddiother = 0x0, trh = 0x0, trhllc = 0x0,
  trhmr = 0x0, sllh = 0x0, eh = 0x80a63da, vh = 0x0, ehllc = 0x0,
  ehllcother = 0x0, ah = 0x0, iph = 0x80a63e8, orig_iph = 0x0,
  ip_options_len = 0, ip_options_data = 0x0, tcph = 0x80a63fc,
  orig_tcph = 0x0, tcp_options_len = 0, tcp_options_data = 0x0, udph = 0x0,
  orig_udph = 0x0, icmph = 0x0, orig_icmph = 0x0, ext = 0x0,
  data = 0x80a6410 "ÜÛñþéMÜ\002\\@\205*\216Y$\03601\201\212\222èAau\236\"
~\217æ\
232å\200©$ÙËé\222k\004¾Y«t)'ð6\004\205\234ªc;\222g\021\177?\b\034¶
¿u\225úm\020\2
37¤·µWE\022½ú\023v:°ë\017S&\225\236¦Á\035^#\234v2\214£+\204Ta\0029ûnÖL`Ë^¥\032.Ü
ç=\234\eõ\fn\eñ»| »¼>ø:\222cÔv\031«!k\ea}\203\017ej\004\023n\006\017¡iQ]
\005Æ\03
2\030\016\006Á3\212\2202á;&\204#ë\200ãÉ6Ê&w¯%
\f6Ãqn\230\204äÂ?PýD\2001\002\e\211
"..., dsize = 1124, frag_flag = 0 '\000', frag_offset = 0, mf = 0 '\000',
  df = 1 '\001', rf = 0 '\000', sp = 53763, dp = 21, orig_sp = 0, orig_dp
= 0,
  caplen = 0, URI = {uri = 0x0, length = 0}, ip_options = {{code = 0 '
\000',
      len = 0, data = 0x0} <repeats 40 times>}, ip_option_count = 0,
  ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0 '\000', len = 0,
      data = 0x0} <repeats 40 times>}, tcp_option_count = 0,
  tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000', wire_packet = 0 '
\000'}
(gdb) print read_ptr
$4 = 0x80a66c7 "ðúÞ½%tÀ\205MÊÛ²\n3'½« iúk}f&\032»;
~\236éf%ËvZ\236ÖÙE,FYæ\036X\20
7\025ájÖv\001ùs`Õ+\013\237«ÿû\222t÷"
(gdb) print end
$5 = 0x80a6960
"qKStkSwMRKyecrLgEAmq5lBNJP6AgRdykzaViFPEVkZdIiGfUuYfa07yCSM2Ul+4
sb3D\r\nSNCpRHQqkcI435MalZG+5nhftfIlki"
(gdb) s
0x8070b1f in DebugMessage (dbg=4, fmt=0x8086e4c "Checking: %c\n") at
debug.h:57
57      static __inline__ void DebugMessage(int dbg,char *fmt, ...) {}
(gdb) s
PreprocFunction (p=0xbffff440) at spp_telnet_negotiation.c:163
163                 if(*read_ptr == (char) TNC_IAC && *(read_ptr + 1) !
= (char)
TNC_SB)
(gdb) s
178                 else if(*(read_ptr+1) == (char) TNC_SB)
(gdb) s
181                     while((*read_ptr != (char) TNC_SE) && (read_ptr <
end))
(gdb) s
196             }
(gdb) s
160                 DebugMessage(DEBUG_PLUGIN, "Checking: %c\n",
*read_ptr);
(gdb) print read_ptr
$6 = 0x80a66c7 "ðúÞ½%tÀ\205MÊÛ²\n3'½« iúk}f&\032»;
~\236éf%ËvZ\236ÖÙE,FYæ\036X\20
7\025ájÖv\001ùs`Õ+\013\237«ÿû\222t÷"

Another pass:

(gdb) s
0x8070b1f in DebugMessage (dbg=4, fmt=0x8086e4c "Checking: %c\n") at
debug.h:57
57      static __inline__ void DebugMessage(int dbg,char *fmt, ...) {}
(gdb) n
PreprocFunction (p=0xbffff440) at spp_telnet_negotiation.c:163
163                 if(*read_ptr == (char) TNC_IAC && *(read_ptr + 1) !
= (char)
TNC_SB)
(gdb) print (*read_ptr == 0xFF && *(read_ptr + 1) != 0xFA )
$7 = 0
(gdb) s
178                 else if(*(read_ptr+1) == (char) TNC_SB)
(gdb) print (*(read_ptr+1) == 0xFA )
$8 = 0
(gdb) s
181                     while((*read_ptr != (char) TNC_SE) && (read_ptr <
end))
(gdb) print ((*read_ptr != 0xF0) && (read_ptr < end))
$9 = 1
(gdb) s
196             }
(gdb) s
160                 DebugMessage(DEBUG_PLUGIN, "Checking: %c\n",
*read_ptr);
(gdb) print read_ptr
$10 = 0x80a66c7 "ðúÞ½%tÀ\205MÊÛ²\n3'½« iúk}f&\032»;
~\236éf%ËvZ\236ÖÙE,FYæ\036X\2
07\025ájÖv\001ùs`Õ+\013\237«ÿû\222t÷"
(gdb)







