[Snort-devel] Bug in stream reassembly preprocessor

Howard M. Kash III hmkash at ...184...
Fri Jan 5 16:13:48 EST 2001


I'm running snort (currently 1.7-beta8) on an FDDI network and it
core dumps periodically when I enable the stream reassembly
preprocessor.  Within the preprocessor, it appears to build an
Ethernet packet of the buffered stream.  But when this packet
is processed, the DecodeFDDIPkt() function is used.  I haven't
had time to trace this out in detail, but wanted to check if
this is a logical explanation for the problem before I spent
too much time on it.  This is under Solaris 2.5.1.  GDB
output is attached.


Thanks,
Howard Kash
U.S. Army Research Lab

---------

Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libm.so.1...done.
Reading symbols from /usr/lib/libsocket.so.1...done.
Reading symbols from /usr/lib/libnsl.so.1...done.
Reading symbols from /usr/lib/libc.so.1...done.
Reading symbols from /usr/lib/libdl.so.1...done.
Reading symbols from /usr/lib/libintl.so.1...done.
Reading symbols from /usr/lib/libmp.so.1...done.
Reading symbols from /usr/lib/libw.so.1...done.
Reading symbols from /usr/platform/SUNW,Ultra-2/lib/libc_psr.so.1...done.
Reading symbols from /usr/lib/nss_files.so.1...done.
#0  DecodeFDDIPkt (p=0xefffef20, pkthdr=0x76868, pkt=0x76878 "")
    at /usr/gnu/lib/gcc-lib/sparc-sun-solaris2.3/2.7.2/include/sys/byteorder.h:123
123       return __arg;
(gdb) where
#0  DecodeFDDIPkt (p=0xefffef20, pkthdr=0x76868, pkt=0x76878 "")
    at /usr/gnu/lib/gcc-lib/sparc-sun-solaris2.3/2.7.2/include/sys/byteorder.h:123
#1  0x124f4 in ProcessPacket (user=0x0, pkthdr=0x76868, pkt=0x76878 "")
    at snort.c:413
#2  0x2a320 in TcpStreamPacketize (pb=0xeffff538, buf=0x584f00 "", psize=8, 
    server_packet=1) at spp_tcp_stream.c:879
#3  0x29b34 in TcpStreamPacket (p=0xeffff538) at spp_tcp_stream.c:477
#4  0x1c140 in Preprocess (p=0xeffff538) at rules.c:3002
#5  0x12614 in ProcessPacket (user=0x0, pkthdr=0xeffff9e8, pkt=0x70203 "P")
    at snort.c:462
#6  0x3d240 in pcap_offline_read ()
#7  0x36b74 in pcap_loop ()
#8  0x13618 in InterfaceThread (arg=0x66720) at snort.c:1271
#9  0x124cc in main (argc=0, argv=0xeffffbcc) at snort.c:396
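
The mismatch suspected in the report above, as an added example that is not Snort source and not part of the original post: a reassembled payload is framed for one link type and decoded for another, and a length-checked decoder rejects the frame instead of reading at the wrong offset. All function and type names are hypothetical, and the payload bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum link_type { LINK_ETHERNET, LINK_FDDI };   /* hypothetical names */

#define ETH_HDR_LEN  14   /* dst(6) + src(6) + ethertype(2) */
#define FDDI_HDR_LEN 21   /* FC(1) + dst(6) + src(6) + LLC/SNAP(8) */

static size_t hdr_len(enum link_type lt)
{
    return lt == LINK_FDDI ? FDDI_HDR_LEN : ETH_HDR_LEN;
}

/* Offset of the IP header, or -1 if the frame is too short or not IP. */
static int l3_offset(enum link_type lt, const uint8_t *pkt, size_t caplen)
{
    size_t h = hdr_len(lt);
    if (caplen < h)                  /* never read past the captured bytes */
        return -1;
    unsigned type = (unsigned)pkt[h - 2] << 8 | pkt[h - 1]; /* bytewise, alignment-safe */
    return type == 0x0800 ? (int)h : -1;
}

/* Frame a reassembled payload for link type lt; returns frame length or 0. */
static size_t build_pseudo_frame(enum link_type lt, uint8_t *out, size_t cap,
                                 const uint8_t *data, size_t len)
{
    size_t h = hdr_len(lt);
    if (cap < h + len) return 0;
    memset(out, 0, h);
    if (lt == LINK_FDDI) { out[13] = 0xAA; out[14] = 0xAA; out[15] = 0x03; } /* SNAP */
    out[h - 2] = 0x08; out[h - 1] = 0x00;                  /* ethertype: IP */
    memcpy(out + h, data, len);
    return h + len;
}

/* Build with one link type, decode with another; returns l3_offset() result. */
static int decode_rebuilt(enum link_type built_as, enum link_type decoded_as, size_t len)
{
    static const uint8_t data[8] = {0x45, 0, 0, 0x1c, 0, 0, 0, 0}; /* constructed */
    uint8_t frame[64];
    if (len > sizeof data) return -1;
    size_t n = build_pseudo_frame(built_as, frame, sizeof frame, data, len);
    return n ? l3_offset(decoded_as, frame, n) : -1;
}

int main(void)
{
    printf("eth->eth  %d\n", decode_rebuilt(LINK_ETHERNET, LINK_ETHERNET, 8));
    printf("eth->fddi %d\n", decode_rebuilt(LINK_ETHERNET, LINK_FDDI, 8));
    return 0;
}
```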




