[Snort-devel] Re: Oh oh... I just got my first core dump on 1.8.1!

Martin Roesch roesch at ...402...
Thu Aug 30 20:21:47 EDT 2001


Can you give me a dump of p? That stream_pkt is really huge; I wonder if
there was a reassembled frag that contributed to the problem....

     -Marty

Phil Wood wrote:
> 
> Let me know if there are any things to look at in this core file.
> 
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /usr/lib/libz.so.1...done.
> Reading symbols from /lib/libm.so.6...done.
> Reading symbols from /lib/libnsl.so.1...done.
> Reading symbols from /usr/lib/mysql/libmysqlclient.so.6...done.
> Reading symbols from /lib/libc.so.6...done.
> Reading symbols from /lib/libcrypt.so.1...done.
> Reading symbols from /lib/ld-linux.so.2...done.
> Reading symbols from /lib/libnss_files.so.2...done.
> Reading symbols from /lib/libnss_nisplus.so.2...done.
> Reading symbols from /lib/libnss_nis.so.2...done.
> Reading symbols from /lib/libnss_dns.so.2...done.
> Reading symbols from /lib/libresolv.so.2...done.
> #0  0x8df6d74c in ?? ()
> (gdb) up
> #1  0x807f584 in FlushStream (s=0x8809bd8, p=0xbffff21c, direction=0)
>     at spp_stream4.c:2648
> 2648            gotevent = Preprocess(stream_pkt);
> (gdb) down
> #0  0x8df6d74c in ?? ()
> (gdb) where
> #0  0x8df6d74c in ?? ()
> #1  0x807f584 in FlushStream (s=0x8809bd8, p=0xbffff21c, direction=0)
>     at spp_stream4.c:2648
> #2  0x807d4f3 in ReassembleStream4 (p=0xbffff21c) at spp_stream4.c:1203
> #3  0x8059686 in Preprocess (p=0xbffff21c) at rules.c:3426
> #4  0x804c790 in ProcessPacket (user=0x0, pkthdr=0xbffff708, pkt=0x40547672 "")
>     at snort.c:540
> #5  0x8081b9c in packet_ring_recv ()
> #6  0x8081ed4 in pcap_read ()
> #7  0x8082c73 in pcap_loop ()
> #8  0x804e067 in InterfaceThread (arg=0x0) at snort.c:1572
> #9  0x804c674 in main (argc=21, argv=0xbffff8fc) at snort.c:473
> (gdb) list
> 2643        if(stream_size > 0 && ubi_trCount(s->dataPtr))
> 2644        {
> 2645            /* put the stream together into a packet or something */
> 2646            BuildPacket(s, stream_size, p, direction);
> 2647
> 2648            gotevent = Preprocess(stream_pkt);
> 2649
> 2650            //(void)ubi_trTraverse(s->dataPtr, SegmentCleanTraverse, s);
> 2651            SegmentCleanTraverse(s);
> 2652            /*bzero(stream_pkt->data, stream_size);*/
> (gdb) up
> #1  0x807f584 in FlushStream (s=0x8809bd8, p=0xbffff21c, direction=0)
>     at spp_stream4.c:2648
> 2648            gotevent = Preprocess(stream_pkt);
> (gdb) print *stream_pkt
> $1 = {pkth = 0x817baa0, pkt = 0x817bc20 "", fddihdr = 0x0, fddisaps = 0x0,
>   fddisna = 0x0, fddiiparp = 0x0, fddiother = 0x0, trh = 0x0, trhllc = 0x0,
>   trhmr = 0x0, sllh = 0x0, eh = 0x817bc20, vh = 0x0, ehllc = 0x0,
>   ehllcother = 0x0, ah = 0x0, iph = 0x817bbf0, orig_iph = 0x0,
>   ip_options_len = 0, ip_options_data = 0x0, tcph = 0x817bd80,
>   orig_tcph = 0x0, tcp_options_len = 0, tcp_options_data = 0x0, udph = 0x0,
>   orig_udph = 0x0, icmph = 0x0, orig_icmph = 0x0, ext = 0x0,
>   data = 0x817bf10 "njXVtStvsr3t7bOjqu7czyuyp83+7XjYP\r\nLaildnr4rMYtWX9fgfJnw9/aI+LPwvsG0rwL43vtO0933PaPslRG/wBhH+5X02Iy+lPdXPDo\r\nY+cTlPEXjjxZ4z1qfxR4p1u41G/lHzXFxNuYVvhcFCKsYYnFzkdLP+0V8Z7vwN/wrubxzqLe\r\nHZIvI+y4T/Vf88t+z"...,
>   dsize = 65259, frag_flag = 0 '\000', frag_offset = 0, mf = 0 '\000',
>   df = 0 '\000', rf = 0 '\000', sp = 80, dp = 39474, orig_sp = 0, orig_dp = 0,
>   caplen = 0, URI = {
>     uri = 0x817bf9a "zXFxNuYVvhcFCKsYYnFzkdLP+0V8Z7vwN/wrubxzqLe\r\nHZIvI+y4T/Vf88t+zft/2awjldOLv1N5ZjNqxwEF48MqTwO8Lx/cdH2PW8cPCJxyrTZ61cft\r\nR/Hy70S30Sb4pau9rabWQo3775fu7n++9cVPK6cXex6UsynLT+vyPP8Axd418S+OtfuPEvi3\r\nW7jUdVu"...,
>     length = 4}, ssnptr = 0x0, ip_options = {{code = 0 '\000', len = 0,
>       data = 0x0} <repeats 40 times>}, ip_option_count = 0,
>   ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0 '\000', len = 0,
>       data = 0x0} <repeats 40 times>}, tcp_option_count = 0,
>   tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000',
>   packet_flags = 2147483650, wire_packet = 0 '\000'}
> (gdb) print stream_pkt->pkth
> $2 = (struct pcap_pkthdr *) 0x817baa0
> (gdb) print *stream_pkt->pkth
> $3 = {ts = {tv_sec = 999204548, tv_usec = 363279}, caplen = 65313,
>   len = 65313, ifindex = 0, protocol = 0, pkt_type = 0 '\000'}
> (gdb)
> $4 = {ts = {tv_sec = 999204548, tv_usec = 363279}, caplen = 65313,
>   len = 65313, ifindex = 0, protocol = 0, pkt_type = 0 '\000'}
> (gdb) print s
> $5 = (Stream *) 0x0
> (gdb) list
> 2643        if(stream_size > 0 && ubi_trCount(s->dataPtr))
> 2644        {
> 2645            /* put the stream together into a packet or something */
> 2646            BuildPacket(s, stream_size, p, direction);
> 2647
> 2648            gotevent = Preprocess(stream_pkt);
> 2649
> 2650            //(void)ubi_trTraverse(s->dataPtr, SegmentCleanTraverse, s);
> 2651            SegmentCleanTraverse(s);
> 2652            /*bzero(stream_pkt->data, stream_size);*/

--
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org



