[Snort-devel] Snort 1.7 SegFaults Reading a Bad Rule File

Crist J. Clark cjclark at ...236...
Sat Jan 27 19:47:48 EST 2001


Snort 1.7 segfaults reading the rule file if whitespace immediately
follows a '!' in an address specification. For example, the following
file produces a crash,

  buttercup# cat badrule.conf
  #
  # badrule.conf
  #

  pass tcp any any -> ! 192.168.0.0/24 any

  buttercup# ./snort -c badrule.conf -l .
  
          --== Initializing Snort ==--

  Initializing Network Interface ep0
  Decoding Ethernet on interface ep0
  Initializing Preprocessors!
  Initializing Plug-ins!
  Initializating Output Plugins!

  +++++++++++++++++++++++++++++++++++++++++++++++++++
  Initializing rule chains...
  Segmentation fault
  buttercup#

In the ParseIP routine of rules.c.

I guess you can say that whitespace is not allowed there, but Snort
should flag the error and not core dump. It took me a long time to
figure out what the problem in my rules file was when I found this
bug. 

Personally, I like allowing the extra whitespace. But the easiest fix
is probably to flag it as an error. I nosed around ParseIP() and
mSplit(), but I could not decide on the most correct way to fix this
behavior.
-- 
Crist J. Clark                           cjclark at ...235...
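
The failure mode reported above, as an added C example; it is not Snort's ParseIP() and not code from the original post. It assumes a whitespace tokenizer hands the address parser a bare `!` for the rule shown, and the names `addr_spec` and `parse_addr_field` are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

struct addr_spec {       /* hypothetical type for this example, not Snort's */
    int negated;         /* 1 if the field began with '!' */
    struct in_addr net;  /* network address, network byte order */
    int prefix_len;      /* CIDR prefix length, 0..32 */
};

/* Parse one address field: "any", "10.0.0.0/8", "!192.168.0.0/24".
 * Returns 0 on success, -1 on a malformed field. */
int parse_addr_field(const char *field, struct addr_spec *out)
{
    char buf[64], *slash, *end;
    long bits = 32;
    if (field == NULL || out == NULL)
        return -1;
    memset(out, 0, sizeof(*out));
    if (*field == '!') {
        out->negated = 1;
        field++;
    }
    /* A bare "!" leaves nothing after the negation: report it as an
     * error instead of handing an empty or missing string onward. */
    if (*field == '\0' || strlen(field) >= sizeof(buf))
        return -1;
    if (strcmp(field, "any") == 0)
        return 0;                        /* matches 0.0.0.0/0 */
    strcpy(buf, field);
    slash = strchr(buf, '/');
    if (slash != NULL) {
        *slash++ = '\0';
        bits = strtol(slash, &end, 10);
        if (end == slash || *end != '\0' || bits < 0 || bits > 32)
            return -1;
    }
    if (inet_pton(AF_INET, buf, &out->net) != 1)  /* also rejects " 192..." */
        return -1;
    out->prefix_len = (int)bits;
    return 0;
}

int main(void)
{
    struct addr_spec a;  /* inputs are constructed from the rule above */
    printf("%d %d\n", parse_addr_field("!", &a), parse_addr_field("!192.168.0.0/24", &a));
    return 0;
}
```

A caller that gets -1 can print the rule file name and line number and exit, which is the "flag it as an error" behaviour the report asks for.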



