[Snort-devel] Seg fault on specific rule

Seth Leger soleger at ...511...
Tue Jul 10 15:03:33 EDT 2001


	I'm getting a reproducible seg fault when hitting a specific rule 
triggered by a Nessus scan. The rule is the "MISC same SRC/DST" rule and 
it's causing a seg fault because it's hitting a null pointer in log.c.

Here's the stack trace:

==============================

#0  0x8050ff1 in IcmpFileName (p=0xbffff1d0) at log.c:2254
2254        switch(p->icmph->type)
(gdb) bt
#0  0x8050ff1 in IcmpFileName (p=0xbffff1d0) at log.c:2254
#1  0x804e9c1 in OpenLogFile (mode=0, p=0xbffff1d0) at log.c:178
#2  0x804f7ec in LogPkt (p=0xbffff1d0, msg=0x84c3528 "MISC same SRC/DST", arg=0x0, event=0x84c3304) at log.c:1199
#3  0x8055bd2 in CallLogFuncs (p=0xbffff1d0, message=0x84c3528 "MISC same SRC/DST", head=0x809ead8, event=0x84c3304)
     at rules.c:3468
#4  0x8056b92 in AlertAction (p=0xbffff1d0, otn=0x84c2ae0, event=0x84c3304) at rules.c:4924
#5  0x8055f9c in EvalHeader (rtn_idx=0x81a92c0, p=0xbffff1d0) at rules.c:3774
#6  0x8055e82 in EvalPacket (List=0x809ead8, mode=2, p=0xbffff1d0) at rules.c:3679
#7  0x8055cf0 in Detect (p=0xbffff1d0) at rules.c:3565
#8  0x8055b37 in Preprocess (p=0xbffff1d0) at rules.c:3433
#9  0x804b67b in ProcessPacket (user=0x0, pkthdr=0xbffff690, pkt=0x84c466a "") at snort.c:512
#10 0x807919c in pcap_read ()
#11 0x807978b in pcap_loop ()
#12 0x804ca20 in InterfaceThread (arg=0x0) at snort.c:1441
#13 0x804b54b in main (argc=1, argv=0xbffff834) at snort.c:445
#14 0x401b1f31 in __libc_start_main (main=0x804aeec <main>, argc=1, ubp_av=0xbffff834, init=0x804a2b8 <_init>,
     fini=0x808058c <_fini>, rtld_fini=0x4000e274 <_dl_fini>, stack_end=0xbffff82c)
     at ../sysdeps/generic/libc-start.c:129

==============================

The packet that it's looking at has p->iph->ip_proto == 1 == 
IPPROTO_ICMP but the p->icmph and p->tcph are NULL. The p->udph is 
non-NULL, so maybe something's misinterpreting this as an ICMP packet 
when it should be UDP?

If you need any more info about this one, just let me know. This is all 
with the 1.8 code.

Seth Leger
soleger at ...511...
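
The failure mode in the report above, as an added example that is not part of the original post and is not Snort's code: a log-name routine that dispatches on the IP protocol field but checks that the matching decoded header pointer exists before dereferencing it. The structs, the function log_file_name and the name strings are hypothetical, simplified stand-ins.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PROTO_ICMP 1
#define PROTO_UDP  17

/* Hypothetical, simplified stand-ins for a decoded packet (assumption). */
struct icmp_hdr { unsigned char type, code; };
struct udp_hdr  { unsigned short sport, dport; };
struct ip_hdr   { unsigned char ip_proto; };
struct packet {
    const struct ip_hdr   *iph;
    const struct icmp_hdr *icmph;
    const struct udp_hdr  *udph;
};

/* Writes a log file name into buf. Returns 0 when the header matching
 * ip_proto was decoded, -1 when it had to fall back to a generic name. */
int log_file_name(const struct packet *p, char *buf, size_t len)
{
    if (p == NULL || p->iph == NULL) {
        snprintf(buf, len, "NO_IP");
        return -1;
    }
    switch (p->iph->ip_proto) {
    case PROTO_ICMP:
        if (p->icmph == NULL)
            break;              /* protocol field and decoder disagree */
        switch (p->icmph->type) {
        case 0:  snprintf(buf, len, "ICMP_ECHO_RPL"); break;
        case 8:  snprintf(buf, len, "ICMP_ECHO"); break;
        default: snprintf(buf, len, "ICMP_TYPE_%u", (unsigned)p->icmph->type);
        }
        return 0;
    case PROTO_UDP:
        if (p->udph == NULL)
            break;
        snprintf(buf, len, "UDP_%u-%u", (unsigned)p->udph->sport,
                 (unsigned)p->udph->dport);
        return 0;
    }
    /* Undecoded or unsupported protocol: name it, never dereference. */
    snprintf(buf, len, "UNDECODED_PROTO_%u", (unsigned)p->iph->ip_proto);
    return -1;
}
```

A packet shaped like the one in the report (ip_proto of 1, NULL icmph, non-NULL udph) takes the fallback path and returns -1, which also gives the caller a signal that the decoder and the IP header disagree.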




