[Snort-devel] Another coredump in current CVS version

Christopher E. Cramer chris.cramer at ...219...
Thu Jan 18 12:13:07 EST 2001


The dynamic buffering is definitely a problem in environments where we may
be dropping packets.  This should be cleared up in the rewrite of the tcp
stream preprocessor.  The goal is to make it more robust against packet
loss.  I can make a quick patch to the preprocessor which should clear up
the coredump problem.  Look for it by tomorrow.

-Chris


On Thu, 18 Jan 2001, Martin Roesch wrote:

> Yeah, that NULL pointer is definitely a problem.  Chris (Cramer), are
> you on the trail here? :)
> 
>    -Marty
> 
> Erich Meier wrote:
> > 
> > Hi!
> > 
> > Another coredump in the current CVS version of snort. This time in
> > spp_tcp_stream.c:
> > 
> > # gdb /local/snort/bin/snort ./core
> > Program terminated with signal 11, Segmentation fault.
> > #0  0x31afc in TcpStreamPacket (p=0xeffff248) at spp_tcp_stream.c:428
> > 428                     if(sptr->s_buf[i-1] == 0xa || sptr->s_buf[i-1] == 0xd)
> > (gdb) bt
> > #0  0x31afc in TcpStreamPacket (p=0xeffff248) at spp_tcp_stream.c:428
> > #1  0x24100 in Preprocess (p=0xeffff248) at rules.c:3040
> > #2  0x19f2c in ProcessPacket (user=0x0, pkthdr=0xeffff6f8, pkt=0x77172 "")
> >     at snort.c:469
> > #3  0x3d79c in pcap_read ()
> > #4  0x3e4b0 in pcap_loop ()
> > #5  0x1af10 in InterfaceThread (arg=0x70054) at snort.c:1284
> > #6  0x19de0 in main (argc=12, argv=0xeffff8e4) at snort.c:403
> > (gdb) print i
> > $1 = 1299
> > (gdb) print sptr->s_buf
> > $2 = (unsigned char *) 0x0
> > (gdb) print sptr
> > $3 = (struct _TcpStreamSession *) 0x2c6658
> > (gdb)
> > 
> > Target platform is SPARC Solaris 2.6.
> > 
> > Maybe related to the design problems within session reassembly that Chris
> > mentioned lately.
> > 
> > Regards,
> > Erich
> > 
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > http://lists.sourceforge.net/lists/listinfo/snort-devel
> 
> --
> Martin Roesch
> roesch at ...48...
> http://www.snort.org
> 
> 
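
The crash state in the quoted gdb session (`s_buf` is NULL while the index `i` is 1299) can be reproduced and guarded against in isolation. The following is an added example, not Snort's code and not the patch mentioned above: the struct layout, `stream_append`, `ends_with_line_break` and `STREAM_MAX` are assumptions made for illustration, and only `s_buf` and the CR/LF comparison come from the report.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define STREAM_MAX 8192   /* assumed per-session cap, not a Snort constant */

/* Hypothetical stand-in for the session struct; only s_buf is named in the report. */
typedef struct {
    unsigned char *s_buf; /* reassembly buffer, NULL until data has been stored */
    size_t         s_len; /* bytes currently stored */
    size_t         s_cap; /* bytes allocated */
} StreamSession;

/* Append a segment, growing the buffer on demand. Returns 0 on success,
 * -1 if the segment is rejected; the session is unchanged on failure. */
int stream_append(StreamSession *s, const unsigned char *data, size_t len)
{
    if (s == NULL || data == NULL || len == 0) return -1;
    if (len > STREAM_MAX - s->s_len) return -1;   /* cap check, no overflow */
    if (s->s_len + len > s->s_cap) {
        unsigned char *nbuf = realloc(s->s_buf, s->s_len + len);
        if (nbuf == NULL) return -1;              /* old buffer stays valid */
        s->s_buf = nbuf;
        s->s_cap = s->s_len + len;
    }
    memcpy(s->s_buf + s->s_len, data, len);
    s->s_len += len;
    return 0;
}

/* Guarded form of the line-428 test: is byte i-1 a CR or LF?
 * Returns 0 instead of dereferencing when no buffer exists or i is out of range. */
int ends_with_line_break(const StreamSession *s, size_t i)
{
    if (s == NULL || s->s_buf == NULL) return 0;  /* the state seen in the core */
    if (i == 0 || i > s->s_len) return 0;
    return s->s_buf[i - 1] == 0x0a || s->s_buf[i - 1] == 0x0d;
}

int main(void)
{
    StreamSession s = {0};                        /* constructed: no buffer yet */
    int before = ends_with_line_break(&s, 1299);  /* index from the gdb session */
    stream_append(&s, (const unsigned char *)"GET /\r\n", 7);
    int after = ends_with_line_break(&s, s.s_len);
    free(s.s_buf);
    return (before == 0 && after == 1) ? 0 : 1;
}
```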




