[Snort-devel] Three bugs ?

Martin Roesch roesch at ...48...
Fri Jan 26 00:35:16 EST 2001


Thanks for the patch Peter!  I had already caught the buffer overflow in
the PrintNetData() code a few weeks ago and put it into CVS, but the
other stuff is nice.  Thanks again!

    -Marty

Peter Kosinar wrote:
> 
> Hi Snorters,
> 
> First, this is the first time I've been playing with snort, so I'd like to
> apologise if the bugs I've found are not real bugs (features?), and/or they
> have been already fixed.  All these problems were found when I played with
> good old DoS-es like nestea.
> 
> 1) log.c:PrintNetData()      This function contains a buffer overflow.
> The original intention was to display only the first 0x20 bytes of data if
> length is set to a very high value.  For this purpose, data_dump_buffer is
> allocated to 2*length_of_one_line + 1, which is OK.  However, end (pointer
> to the end of displayed data) is set to start+32, which means that we want
> to display 0x21 (!) bytes of data.  Thus, this function overflows its
> buffer, which usually leads to segv.
> 
> 2) spp_anomsensor.c: PreprocSpadeSurvey()/free_links()    Missing NULL check
> This function can call (for example, on a very quiet network) free_links()
> with a NULL pointer, which causes immediate SEGV (in free_links()).  It is
> either possible to add a check for NULL into free_links() (which should be
> more suitable), or you can check for NULL just in PreprocSpadeSurvey()
> (I have not checked other calls to free_links(), but it is possible that
> they can cause a similar problem).
> 
> 3) A few tiny mistakes (like #include "spp_http_decode.h" in spp_minfrag.c)
> 
> All these problems are (hot-)fixed by the attached patch.  I think that at
> least problem 2) [cs]hould be fixed in a much better way, but as I said,
> this is just a quick fix.
> 
> Peter Kosinar
> 
>   ------------------------------------------------------------------------
>                Name: THREEFIX
>    THREEFIX    Type: Plain Text (TEXT/PLAIN)
>            Encoding: BASE64

--
Martin Roesch
roesch at ...48...
http://www.snort.org
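
The two defect classes reported in this thread, as an added example that is not part of either message and is not Snort's code: a capped hex dump whose end pointer is exclusive, and a list free that tolerates a NULL head. The names dump_hex, free_links_safe, struct link, DUMP_MAX and DUMP_BUF, and the buffer sizing, are assumptions made for this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DUMP_MAX 0x20                    /* cap taken from the report: 0x20 bytes */
#define DUMP_BUF (2 * DUMP_MAX + 1)      /* assumed sizing: 2 hex digits per byte + NUL */

/* Hypothetical helper: hex-dump at most DUMP_MAX bytes of data into out.
 * Returns the number of input bytes dumped; 0 if out cannot hold them. */
size_t dump_hex(const unsigned char *data, size_t len, char *out, size_t out_sz)
{
    static const char digits[] = "0123456789ABCDEF";
    size_t n = len > DUMP_MAX ? DUMP_MAX : len;
    const unsigned char *p, *end;
    if (data == NULL || out == NULL || out_sz < 2 * n + 1)
        return 0;                        /* refuse rather than write past out */
    end = data + n;                      /* one past the last byte to show */
    for (p = data; p < end; p++) {       /* "<", not "<=": "<=" would emit n+1 bytes */
        *out++ = digits[*p >> 4];
        *out++ = digits[*p & 0x0F];
    }
    *out = '\0';
    return n;
}

/* Hypothetical list node standing in for whatever free_links() releases. */
struct link { struct link *next; };
/* NULL-tolerant free: an empty list (NULL head) is a no-op. Returns nodes freed. */
size_t free_links_safe(struct link *head)
{
    size_t freed = 0;
    while (head != NULL) {
        struct link *next = head->next;  /* read next before freeing the node */
        free(head);
        head = next;
        freed++;
    }
    return freed;
}

int main(void)
{
    unsigned char pkt[64];               /* constructed sample payload */
    char buf[DUMP_BUF];
    memset(pkt, 0xAB, sizeof pkt);
    printf("dumped %zu bytes: %s\n", dump_hex(pkt, sizeof pkt, buf, sizeof buf), buf);
    printf("freed %zu nodes\n", free_links_safe(NULL));
    return 0;
}
```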



