[Snort-devel] Re: Bug in stream reassembly preprocessor

Christopher Cramer cec at ...56...
Fri Jan 5 16:24:36 EST 2001


Howard,

This is definitely a bug.  I didn't have access to an FDDI network when
writing the preprocessor so I never ran across the problem.  The problem
is that I am creating a reconstructed Ethernet packet from the TCP data.  
Unfortunately, when passed to the FDDI packet grinder, we bomb out.  This
should be a fairly simple fix.  For right now, just comment out the
preprocessor and I'll fix the CVS'd version this weekend.

-Chris


On Fri, 5 Jan 2001, Howard M. Kash III wrote:

> 
> I'm running snort (currently 1.7-beta8) on an FDDI network and it
> core dumps periodically when I enable the stream reassembly
> preprocessor.  Within the preprocessor, it appears to build an
> ethernet packet of the buffered stream.  But when this packet
> is processed, the DecodeFDDIPkt() function is used.  I haven't
> had time to trace this out in detail, but wanted to check if
> this is a logical explanation for the problem before I spent
> too much time on it.  This is under Solaris 2.5.1.  GDB
> output is attached.
> 
> 
> Thanks,
> Howard Kash
> U.S. Army Research Lab
> 
> ---------
> 
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /usr/lib/libm.so.1...done.
> Reading symbols from /usr/lib/libsocket.so.1...done.
> Reading symbols from /usr/lib/libnsl.so.1...done.
> Reading symbols from /usr/lib/libc.so.1...done.
> Reading symbols from /usr/lib/libdl.so.1...done.
> Reading symbols from /usr/lib/libintl.so.1...done.
> Reading symbols from /usr/lib/libmp.so.1...done.
> Reading symbols from /usr/lib/libw.so.1...done.
> Reading symbols from /usr/platform/SUNW,Ultra-2/lib/libc_psr.so.1...done.
> Reading symbols from /usr/lib/nss_files.so.1...done.
> #0  DecodeFDDIPkt (p=0xefffef20, pkthdr=0x76868, pkt=0x76878 "")
>     at /usr/gnu/lib/gcc-lib/sparc-sun-solaris2.3/2.7.2/include/sys/byteorder.h:123
> 123       return __arg;
> (gdb) where
> #0  DecodeFDDIPkt (p=0xefffef20, pkthdr=0x76868, pkt=0x76878 "")
>     at /usr/gnu/lib/gcc-lib/sparc-sun-solaris2.3/2.7.2/include/sys/byteorder.h:123
> #1  0x124f4 in ProcessPacket (user=0x0, pkthdr=0x76868, pkt=0x76878 "")
>     at snort.c:413
> #2  0x2a320 in TcpStreamPacketize (pb=0xeffff538, buf=0x584f00 "", psize=8, 
>     server_packet=1) at spp_tcp_stream.c:879
> #3  0x29b34 in TcpStreamPacket (p=0xeffff538) at spp_tcp_stream.c:477
> #4  0x1c140 in Preprocess (p=0xeffff538) at rules.c:3002
> #5  0x12614 in ProcessPacket (user=0x0, pkthdr=0xeffff9e8, pkt=0x70203 "P")
>     at snort.c:462
> #6  0x3d240 in pcap_offline_read ()
> #7  0x36b74 in pcap_loop ()
> #8  0x13618 in InterfaceThread (arg=0x66720) at snort.c:1271
> #9  0x124cc in main (argc=0, argv=0xeffffbcc) at snort.c:396
> 
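
The mismatch discussed in this thread, as an added example that is not Snort's code and not the fix that was committed: a reassembled buffer wrapped in a synthetic Ethernet frame decodes correctly only when the decoder is chosen from the frame's own link type rather than from the capture interface. All names, the struct layout and the 8-byte sample buffer are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical names and sizes for illustration; not Snort's definitions. */
enum link_type { LINK_ETHERNET, LINK_FDDI };
#define ETH_HDR_LEN  14 /* dst(6) src(6) ethertype(2) */
#define FDDI_HDR_LEN 21 /* fc(1) dst(6) src(6) LLC(3) SNAP oui(3) type(2) */
struct pseudo_pkt { enum link_type link; size_t caplen; uint8_t data[128]; };

/* Both decoders return the EtherType, or -1 for a frame they cannot parse.
 * Fields are read byte by byte, and only after a length check. */
static int decode_ethernet(const uint8_t *pkt, size_t caplen) {
    if (caplen < ETH_HDR_LEN) return -1;
    return (pkt[12] << 8) | pkt[13];
}

static int decode_fddi(const uint8_t *pkt, size_t caplen) {
    if (caplen < FDDI_HDR_LEN) return -1;
    if (pkt[13] != 0xAA || pkt[14] != 0xAA) return -1; /* not LLC/SNAP */
    return (pkt[19] << 8) | pkt[20];
}

/* Wrap rebuilt stream data in a synthetic Ethernet frame and record that
 * link type in the packet itself, so later stages need not guess it. */
static int build_pseudo_packet(struct pseudo_pkt *out, const uint8_t *buf, size_t len) {
    if (len > sizeof out->data - ETH_HDR_LEN) return -1;
    memset(out->data, 0, ETH_HDR_LEN);
    out->data[12] = 0x08; /* EtherType 0x0800 (IPv4) */
    memcpy(out->data + ETH_HDR_LEN, buf, len);
    out->link = LINK_ETHERNET;
    out->caplen = ETH_HDR_LEN + len;
    return 0;
}

/* Run the decoder for an explicitly given link type. */
static int decode_as(enum link_type link, const struct pseudo_pkt *p) {
    return link == LINK_FDDI ? decode_fddi(p->data, p->caplen)
                             : decode_ethernet(p->data, p->caplen);
}

/* First call: decoder picked from an FDDI capture interface (the mismatch).
 * Second call: decoder picked from the frame's own recorded link type. */
int main(void) {
    const uint8_t stream[8] = {0}; /* constructed 8-byte buffer */
    struct pseudo_pkt p;
    if (build_pseudo_packet(&p, stream, sizeof stream) != 0) return 1;
    printf("by interface: %d\n", decode_as(LINK_FDDI, &p));
    printf("by frame:     %d\n", decode_as(p.link, &p));
    return 0;
}
```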




