[Snort-devel] SIGBUS in SubSlide (ubi_BinTree.c)

Andrew Houghton aah at ...404...
Mon Aug 27 10:37:04 EDT 2001


Version:  Snort from CVS as of Aug 25, 7:44 PM (PST)
   Arch:  x86 (Intel PIII, if it matters)
     OS:  FreeBSD 4.4-PRERELEASE (cvsup from Aug. 24)
  Rules:  stock ruleset, subbed unidecode preprocessor for
          http_decode, using alert_syslog for alerts and database
          output for log. No other changes to snort.conf at all.
Startup:  /usr/local/bin/snort -D -q -c /usr/local/etc/snort.conf
Errors :  none

Snort chugged happily for ~5 hours, then core dumped.  This is reproducible
in the sense that I had the exact same SIGBUS in the exact same place two
days ago, then recompiled with debugging symbols so the core would mean
something.  The only questionable thing about the box is it's acting as a
bridged firewall, with options 'BRIDGE' and 'IPFIREWALL' in the kernel.
Bridging works fine, the firewall is open, when I add a rule to the firewall
it works fine.

Backtrace:

(gdb) bt
#0  0x808942b in SubSlide (P=0xfc45890c, whichway=0) at ubi_BinTree.c:394
#1  0x808948b in Neighbor (P=0x808ac2c, whichway=2) at ubi_BinTree.c:419
#2  0x8089a64 in ubi_btNext (P=0x808ac2c) at ubi_BinTree.c:879
#3  0x808e8d9 in PruneSessionCache (thetime=998916250, mustdie=0) at
spp_stream4.c:2436
#4  0x808c726 in ReassembleStream4 (p=0xbfbff618) at spp_stream4.c:1294
#5  0x805a9a8 in Preprocess (p=0xbfbff618) at rules.c:3426
#6  0x804b6fb in ProcessPacket (user=0x0, pkthdr=0x80e4000, pkt=0x80e4012
"") at snort.c:534
#7  0x280dc6b9 in pcap_read () from /usr/lib/libpcap.so.2
#8  0x280dc32f in pcap_loop () from /usr/lib/libpcap.so.2
#9  0x804d05a in InterfaceThread (arg=0x0) at snort.c:1568
#10 0x804b598 in main (argc=5, argv=0xbfbffbb0) at snort.c:467
#11 0x804ade1 in _start ()

Let me know if you need more info,

Andrew





More information about the Snort-devel mailing list