[Snort-devel] More spp_arpspoof crashing on solaris 2.6

Bill Marquette wlmarque at ...10...
Tue Jul 10 13:45:21 EDT 2001



I've seen this before on Solaris...mac addresses don't seem to be byte aligned
properly.  Attached is a diff that appears to fix the core I had (it's been
running for over 2 minutes now where it died in under 5 seconds previously).

--Bill

*** spp_arpspoof.c      Tue Jul 10 12:54:51 2001
--- spp_arpspoof.c.orig Tue Jul 10 12:54:02 2001
***************
*** 195,201 ****
      Event event;
      char logMessage[180];
      IPMacEntry *ipme;
!       u_int8_t addr[6];

      if(p && (p->eh != NULL && p->ah != NULL))
      {
--- 195,201 ----
      Event event;
      char logMessage[180];
      IPMacEntry *ipme;
!       u_int32_t *addr;

      if(p && (p->eh != NULL && p->ah != NULL))
      {
***************
*** 249,255 ****
                  break;
          }
                /* LookupIPMacEntryByIP() is too slow, will be fixed later */
!               bcopy((void *)&p->ah->arp_spa, (void *)addr, sizeof(u_int8_t) *
6);
          if ((ipme = LookupIPMacEntryByIP(ipmel, *addr)) == NULL)
            {((ipme
                #ifdef DEBUG
--- 249,255 ----
                  break;
          }
                /* LookupIPMacEntryByIP() is too slow, will be fixed later */
!               addr = (u_int32_t *)&p->ah->arp_spa;
          if ((ipme = LookupIPMacEntryByIP(ipmel, *addr)) == NULL)
            {((ipme
                #ifdef DEBUG


------------------------
Core was generated by `/apps/snort/current/bin/snort -o -c
/apps/snort/current/etc/snort.conf -i le0'.
Program terminated with signal 10, Bus Error.
Reading symbols from /usr/lib/libm.so.1...done.
Reading symbols from /usr/lib/libsocket.so.1...done.
Reading symbols from /usr/lib/libnsl.so.1...done.
Reading symbols from /usr/lib/libc.so.1...done.
Reading symbols from /usr/lib/libdl.so.1...done.
Reading symbols from /usr/lib/libmp.so.2...done.
Reading symbols from /usr/lib/nss_files.so.1...done.
#0  0x526e8 in ARPspoofPreprocFunction (p=0xeffff3c8) at spp_arpspoof.c:253
253             if ((ipme = LookupIPMacEntryByIP(ipmel, *addr)) == NULL)
(gdb) bt
#0  0x526e8 in ARPspoofPreprocFunction (p=0xeffff3c8) at spp_arpspoof.c:253
#1  0x2be18 in Preprocess (p=0xeffff3c8) at rules.c:3427
#2  0x1fee8 in ProcessPacket (user=0x0, pkthdr=0xbc800, pkt=0xc379e "ÿÿÿÿÿÿ") at
snort.c:512
#3  0x52ba8 in pcap_read ()
#4  0x537a8 in pcap_loop ()
#5  0x214f4 in InterfaceThread (arg=0xbc838) at snort.c:1441
#6  0x1fd84 in main (argc=772152, argv=0xeffffac4) at snort.c:445
(gdb) p ipme
$1 = (IPMacEntry *) 0x82c00
(gdb) p ipmel
$2 = (IPMacEntryList *) 0xf2540
(gdb) p p
$3 = (Packet *) 0xeffff3c8
(gdb) p *p
$4 = {pkth = 0xeffff8b8, pkt = 0xc379e "ÿÿÿÿÿÿ", fddihdr = 0x0, fddisaps = 0x0,
fddisna = 0x0,
  fddiiparp = 0x0, fddiother = 0x0, trh = 0x0, trhllc = 0x0, trhmr = 0x0, sllh =
0x0, eh = 0xc379e, vh = 0x0,
  ehllc = 0x0, ehllcother = 0x0, ah = 0xc37ac, iph = 0x0, orig_iph = 0x0,
ip_options_len = 0,
  ip_options_data = 0x0, tcph = 0x0, orig_tcph = 0x0, tcp_options_len = 0,
tcp_options_data = 0x0,
  udph = 0x0, orig_udph = 0x0, icmph = 0x0, orig_icmph = 0x0, ext = 0x0, data =
0x0, dsize = 0,
  frag_flag = 0 '\000', frag_offset = 0, mf = 0 '\000', df = 0 '\000', rf = 0
'\000', sp = 0, dp = 0,
  orig_sp = 0, orig_dp = 0, caplen = 0, URI = {uri = 0x0, length = 0}, ssnptr =
0x0, ip_options = {{
      code = 0 '\000', len = 0, data = 0x0} <repeats 40 times>}, ip_option_count
= 0,
  ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0 '\000', len = 0, data =
0x0} <repeats 40 times>},
  tcp_option_count = 0, tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000',
packet_flags = 0,
  wire_packet = 0 '\000'}
(gdb) p *p->ah
$5 = {ea_hdr = {ar_hrd = 1, ar_pro = 2048, ar_hln = 6 '\006', ar_pln = 4 '\004',
ar_op = 1},
  arp_sha = "\000\000¢Ë)Ù", arp_spa = "\n\024\017þ", arp_tha = "ÿÿÿÿÿÿ", arp_tpa
= "\n\024\013O"}






More information about the Snort-devel mailing list