[Snort-devel] Where to do the stuff?

Martin Roesch roesch at ...48...
Wed Jan 24 13:59:47 EST 2001


Todd Lewis wrote:
> 
> On Wed, 24 Jan 2001, Martin Roesch wrote:
> 
> > Please use strncmp() (actually, you should use strncasecmp()), people
> > send me nasty emails when they search for "overflows" in the Snort source
> > and see things like sprintf and strcmp and strcpy.
> 
> Leaving aside the fact that if they can plant a buffer overflow in your
> config file, they, like, already have access to your config file and
> stuff, I will do this.

I know, but anything that reduces the amount of "Snort uses foo(), it's
vulnerable to bar" mail I get is a Good Thing. :)  Besides, we've
already hit the maximum number of buffer overflows allowed by the Geneva
Convention on Open Source Security Programs with Security Holes In Them,
so I'm afraid you'll have to wait until we clean some of the existing
ones up. :)

> > Put it in rules.c:EvalOpts() in the last "else" section, that's the code
> > that gets called when an OTN has a successful match (hmm, someone should
> > comment that... ;).  Here's the code block I'm talking about:
> >
> >     else
> >     {
> >         /* rule match actions are called from EvalHeader */
> >         otn_tmp = List;
> >         return 1;
> >     }
> 
> Wow, this was much cleaned up betwixt 1.6 and 1.7.  Ok, I will stick it
> around there.

Yeah, if you weren't so far along I'd say use the 1.6.3-patch2 codebase,
but 1.7 has a huge number of changes in it (Mike Davis said the diff was
1.8 MB when he went to do the Windows port). :)

   -Marty


--
Martin Roesch
roesch at ...48...
http://www.snort.org
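
The strncasecmp() advice quoted above, as an added example that is not part of the original message or the Snort source: a bounded, case-insensitive keyword match for a config-file token that also closes the prefix-match gap strncasecmp() leaves on its own. The helper names and the sample option name "content" are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strncasecmp() (POSIX) */

/* Hypothetical helper, not from the Snort source: returns 1 when the token
 * of tok_len bytes (not necessarily NUL-terminated) equals keyword kw,
 * ignoring case. */
static int keyword_eq(const char *tok, size_t tok_len, const char *kw)
{
    size_t kw_len = strlen(kw);   /* kw is a literal owned by the parser */

    /* Length check first: strncasecmp(tok, kw, kw_len) alone accepts
     * "contents" for "content", and could read past a short token that
     * is not NUL-terminated. */
    if (tok_len != kw_len)
        return 0;
    return strncasecmp(tok, kw, kw_len) == 0;
}

/* Length of the leading token in a line: scans at most max bytes and
 * stops at NUL, ':', space or tab. */
static size_t token_len(const char *line, size_t max)
{
    size_t n = 0;

    while (n < max && line[n] != '\0' && line[n] != ':' &&
           line[n] != ' ' && line[n] != '\t')
        n++;
    return n;
}

/* Does the line (at most max readable bytes) begin with option name kw? */
static int line_has_option(const char *line, size_t max, const char *kw)
{
    return keyword_eq(line, token_len(line, max), kw);
}
```
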