[Snort-devel] Three bugs ?

Peter Kosinar goober at ...228...
Thu Jan 25 13:40:56 EST 2001


Hi Snorters,

First, this is the first time I've been playing with snort, so I'd like to
apologise if the bugs I've found are not real bugs (features?), and/or they
have already been fixed.  All these problems were found when I played with
good old DoS-es like nestea.

1) log.c:PrintNetData()      This function contains a buffer overflow.
The original intention was to display only the first 0x20 bytes of data if
the length is set to a very high value.  For this purpose, data_dump_buffer is
allocated to 2*length_of_one_line + 1, which is OK.  However, end (pointer
to the end of the displayed data) is set to start+32, which means that we want
to display 0x21 (!) bytes of data.  Thus, this function overflows its
buffer, which usually leads to a SEGV.

2) spp_anomsensor.c: PreprocSpadeSurvey()/free_links()    Missing NULL check
This function can call (for example, on a very quiet network) free_links()
with a NULL pointer, which causes an immediate SEGV (in free_links()).  It is
either possible to add a check for NULL into free_links() (which should be
more suitable), or you can check for NULL just in PreprocSpadeSurvey()
(I have not checked other calls to free_links(), but it is possible that
they can cause a similar problem).

3) A few tiny mistakes (like #include "spp_http_decode.h" in spp_minfrag.c)


All these problems are (hot-)fixed by the attached patch.  I think that at
least problem 2) [cs]hould be fixed in a much better way, but as I said,
this is just a quickfix.

Peter Kosinar
-------------- next part --------------
diff -u snort-1.7/log.c snort-1.7.my/log.c
--- snort-1.7/log.c	Fri Jan  5 17:21:18 2001
+++ snort-1.7.my/log.c	Thu Jan 25 00:24:08 2001
@@ -311,7 +311,7 @@
         }
 
         /* dbuf_size = 66 + 67; */
-        end = start + 32;
+        end = start + 31;
     }
     else
     {
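Review bot: the new bound `end = start + 31;` is a second hand-typed literal that has to stay in step with the `2*length_of_one_line + 1` allocation of data_dump_buffer described in the mail; derive it from that line length instead (for example `end = start + line_len - 1`, or make the loop bound exclusive and keep 32) so the allocation and the loop bound cannot drift apart again. The comment `/* dbuf_size = 66 + 67; */` just above the changed line no longer documents the real buffer size and should be corrected or removed in the same change.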
@@ -1744,7 +1744,7 @@
             break;
         case ICMP_ECHO:
             fprintf(fp, "ID:%d   Seq:%d  ", ntohs(p->ext->id), ntohs(p->ext->seqno));
-            fwrite("ECHO\n", 4, 1, fp);
+            fwrite("ECHO", 4, 1, fp);
             break;
 
         case ICMP_TIME_EXCEEDED:
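Review bot: `fwrite("ECHO", 4, 1, fp);` makes the length argument match the literal, but the original string "ECHO\n" suggests a trailing newline was intended; if it was, the fix is `fputs("ECHO\n", fp);` (or a length of 5), not dropping the newline. This change is also not one of the three items listed in the cover mail and should be called out there so a reviewer knows it is intentional.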
diff -u snort-1.7/spp_anomsensor.c snort-1.7.my/spp_anomsensor.c
--- snort-1.7/spp_anomsensor.c	Tue Jan  2 09:06:01 2001
+++ snort-1.7.my/spp_anomsensor.c	Thu Jan 25 01:05:58 2001
@@ -1377,7 +1377,8 @@
 			survey_interval_start_time= packet_time;
 		} else {
 			fprintf(survey_log,"%d\t%d\t%.6f\t%.6f\t%.6f\n",survey_period,survey_rec_count,survey_ostat(0.5),survey_ostat(0.9),survey_ostat(0.99));
-			free_links(survey_list);
+			fflush(survey_log);
+			if (survey_list) free_links(survey_list);
 			survey_list= NULL;
 			survey_list_len= 0;
 			survey_rec_count=0;
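Review bot: the guard `if (survey_list) free_links(survey_list);` covers only this call site, and the cover mail itself says other callers of free_links() were not checked; putting the NULL check inside free_links() would cover every caller at once, which is the better fix the mail already suggests. The added `fflush(survey_log);` is a separate behavioural change (the survey log is now flushed every period) that the mail does not mention; either describe it or split it out so it can be reviewed on its own.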
diff -u snort-1.7/spp_minfrag.c snort-1.7.my/spp_minfrag.c
--- snort-1.7/spp_minfrag.c	Tue Jan  2 09:06:01 2001
+++ snort-1.7.my/spp_minfrag.c	Mon Jan 22 19:26:25 2001
@@ -17,7 +17,7 @@
 */
 
 /* $Id: spp_minfrag.c,v 1.4 2001/01/02 08:06:01 roesch Exp $ */
-#include "spp_http_decode.h"
+#include "spp_minfrag.h"
 
 extern char *file_name;
 extern int file_line;
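Review bot: `#include "spp_minfrag.h"` is the right header for this file, but confirm that spp_minfrag.c still compiles after the change, i.e. that spp_minfrag.h declares everything the file uses and that nothing was being picked up only transitively through spp_http_decode.h.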

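As an added illustration of bug 1 (this is example code written for this page, not part of the original post nor of Snort's log.c): the arithmetic behind the off-by-one, and a dump routine whose loop is bounded by the output buffer rather than by a caller-supplied end pointer. LINE_BYTES, DUMP_BUF_SIZE, inclusive_loop_bytes(), hex_dump() and the 33-byte sample payload are all assumptions chosen to mirror the report's description (32 bytes per line, buffer of 2*length_of_one_line + 1); they are not PrintNetData()'s real names or layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed constants, mirroring the report rather than Snort's real code:
 * one dump line covers 32 bytes, each rendered as two hex characters, and
 * the buffer is 2*LINE_BYTES + 1 so the terminating NUL fits. */
#define LINE_BYTES     32
#define DUMP_BUF_SIZE  (2 * LINE_BYTES + 1)

/* A loop of the form `for (p = start; p <= end; p++)` visits
 * end - start + 1 bytes.  With end = start + 32 that is 33 bytes, one more
 * than the buffer was sized for; with end = start + 31 it is exactly 32. */
static size_t inclusive_loop_bytes(size_t end_offset)
{
    return end_offset + 1;
}

/* 1 if hex-encoding every byte the inclusive loop visits, plus the NUL,
 * needs more than DUMP_BUF_SIZE characters; 0 otherwise. */
static int inclusive_loop_overflows(size_t end_offset)
{
    return 2 * inclusive_loop_bytes(end_offset) + 1 > DUMP_BUF_SIZE;
}

/* Hardened dump: the loop is bounded by the output capacity, not by a
 * length the packet (or the caller) chose, and each write goes through
 * snprintf with an explicit size.  Returns the number of input bytes
 * actually encoded, so a caller can see when truncation happened. */
static size_t hex_dump(const uint8_t *data, size_t len, char *out, size_t cap)
{
    size_t max_bytes;
    size_t n;
    size_t i;

    if (cap == 0)
        return 0;
    max_bytes = (cap - 1) / 2;              /* room for pairs plus NUL */
    n = len < max_bytes ? len : max_bytes;  /* truncate instead of overrun */
    for (i = 0; i < n; i++)
        snprintf(out + 2 * i, 3, "%02x", data[i]);  /* 2 hex chars + NUL */
    out[2 * n] = '\0';
    return n;
}

/* Constructed sample: a 33-byte payload (one byte more than a line, the
 * same excess the report describes) dumped into a DUMP_BUF_SIZE buffer.
 * The hardened routine encodes 32 bytes and stops; nothing is overrun. */
static size_t demo_truncated_dump(void)
{
    uint8_t payload[33];
    char buf[DUMP_BUF_SIZE];
    size_t i;

    for (i = 0; i < sizeof payload; i++)
        payload[i] = (uint8_t)i;
    return hex_dump(payload, sizeof payload, buf, sizeof buf);
}

int main(void)
{
    printf("end = start + 32 overflows: %d\n", inclusive_loop_overflows(32));
    printf("end = start + 31 overflows: %d\n", inclusive_loop_overflows(31));
    printf("bytes encoded from 33-byte payload: %zu\n", demo_truncated_dump());
    return 0;
}
```

The point of bounding by `cap` rather than patching the literal is that a later change to the line length or to the buffer allocation cannot reintroduce the overrun: the worst case is a visibly truncated dump, which the return value reports.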
