[Snort-devel] crash in signal handler w/ spo_unified

Chris Green cmg at ...81...
Mon Aug 27 12:28:30 EDT 2001


Current CVS or release 1.8.1:

output alert_unified: snort.alert  
output log_unified: snort.log

let snort run for any length of time interactively

^C to interrupt

#0  0x40265801 in __libc_free (mem=0x80a3cc8) at malloc.c:3043
3043	malloc.c: No such file or directory.
(gdb) bt
#0  0x40265801 in __libc_free (mem=0x80a3cc8) at malloc.c:3043
#1  0x804d569 in CleanExit (sig=2) at ../snort/snort.c:2071
#2  0x40345329 in pthread_sighandler (signo=2, ctx={gs = 0, __gsh = 0, fs = 0, 
      __fsh = 0, es = 43, __esh = 0, ds = 43, __dsh = 0, edi = 134820792, 
      esi = 3221221576, ebp = 3221221376, esp = 3221221352, ebx = 137780992, 
      edx = 137774856, ecx = 0, eax = 0, trapno = 0, err = 0, eip = 134573205, 
      cs = 35, __csh = 0, eflags = 663, esp_at_signal = 3221221352, ss = 43, 
      __ssh = 0, fpstate = 0x0, oldmask = 0, cr2 = 0}) at signals.c:97
#3  <signal handler called>
#4  0x8056c95 in EvalHeader (rtn_idx=0x80dab40, p=0xbffff0c8)
    at ../snort/rules.c:3736
#5  0x8056c58 in EvalPacket (List=0x80933b8, mode=2, p=0xbffff0c8)
    at ../snort/rules.c:3696
#6  0x8056ad8 in Detect (p=0xbffff0c8) at ../snort/rules.c:3589
#7  0x8056907 in Preprocess (p=0xbffff0c8) at ../snort/rules.c:3432
#8  0x804bac7 in ProcessPacket (user=0x0, pkthdr=0xbffff588, pkt=0x80c6a80 "")
    at ../snort/snort.c:534
#9  0x40040207 in pcap_read_packet () from /usr/lib/libpcap.so.0
#10 0x4004124f in pcap_loop () from /usr/lib/libpcap.so.0
#11 0x804cf88 in InterfaceThread (arg=0x0) at ../snort/snort.c:1568
#12 0x804b999 in main (argc=12, argv=0xbffff73c) at ../snort/snort.c:467
#13 0x40207b5c in __libc_start_main (main=0x804b30c <main>, argc=12, 
    ubp_av=0xbffff73c, init=0x804a610 <_init>, fini=0x8078edc <_fini>, 
    rtld_fini=0x4000d634 <_dl_fini>, stack_end=0xbffff734)
    at ../sysdeps/generic/libc-start.c:129


(gdb) p 1
$2 = 1
(gdb) p data
$3 = (UnifiedData *) 0x80a3d28
(gdb) p *data
$4 = {log_filename = 0x80d8da0 "./log2/snort.log.998929299", 
  alert_filename = 0x80d8b08 "./log2/snort.alert.998929299", log = 0x80d8c30, 
  alert = 0x80d8998, log_written = 0}


Actually, it looks like spo_unified's CleanExit functions are calling
free on compiler-allocated memory, &UnifiedInfo:

(gdb) p data
$1 = (UnifiedData *) 0x80a3d28

(gdb) p &UnifiedInfo
$3 = (UnifiedData *) 0x80a3d28

Correct fix is to comment out the free(data) in the restart/clean
functions.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: unified.patch
Type: text/x-patch
Size: 803 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20010827/68d2e490/attachment.bin>
-------------- next part --------------

-- 
Chris Green <cmg at ...81...>
Let not the sands of time get in your lunch.
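
The failure reported in the message above, shown as an added example that is not part of the original post and is not Snort's code: a cleanup routine that releases heap members but frees the struct itself only when it was heap-allocated. The struct is a constructed stand-in using field names from the gdb dump; `heap_owned`, `dup_str`, `unified_init` and `unified_cleanup` are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the UnifiedData struct in the gdb dump;
 * heap_owned is a hypothetical field added for this example. */
typedef struct {
    char *log_filename;
    char *alert_filename;
    int   log_written;
    int   heap_owned;   /* 1 only if the struct itself came from malloc */
} UnifiedData;

/* Static storage, like &UnifiedInfo in the report: never valid for free(). */
static UnifiedData UnifiedInfo;

static char *dup_str(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (p) strcpy(p, s);
    return p;
}

static int unified_init(UnifiedData *d, const char *log, const char *alert, int heap_owned) {
    memset(d, 0, sizeof(*d));
    d->heap_owned = heap_owned;
    d->log_filename = dup_str(log);
    d->alert_filename = dup_str(alert);
    return (d->log_filename && d->alert_filename) ? 0 : -1;
}

/* Frees the heap members always, the struct only when it is heap-owned.
 * Returns 1 if the struct itself was freed, 0 if it was left in place. */
static int unified_cleanup(UnifiedData *d) {
    free(d->log_filename);   d->log_filename = NULL;   /* free(NULL) is a no-op, */
    free(d->alert_filename); d->alert_filename = NULL; /* so a second call is safe */
    if (!d->heap_owned) return 0;  /* free(d) on static storage is undefined behaviour */
    free(d);
    return 1;
}

int main(void) {
    unified_init(&UnifiedInfo, "snort.log", "snort.alert", 0);
    printf("static struct freed: %d\n", unified_cleanup(&UnifiedInfo));
    UnifiedData *h = malloc(sizeof *h);
    if (!h) return 1;
    unified_init(h, "snort.log", "snort.alert", 1);
    printf("heap struct freed: %d\n", unified_cleanup(h));
    return 0;
}
```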