[Snort-devel] SegF during PruneSessionCache in stream4

Seth Leger soleger at ...511...
Wed Jul 11 13:32:15 EDT 2001


Happened after running for under an hour with the occasional Nessus 
scan. Here's the stack with some code lines added for reference:

====================

#0  0x806fedb in SubSlide (P=0x518b085d, whichway=0) at ubi_BinTree.c:390
390           P = P->Link[ whichway ];
#1  0x80702a0 in ubi_btNext (P=0x8070f34) at ubi_BinTree.c:874
874       return( Neighbor( P, ubi_trRIGHT ) );
#2  0x80736f1 in PruneSessionCache (thetime=994869518, mustdie=0) at 
spp_stream4.c:2295
2295                    idx = (Session *)ubi_btNext((ubi_btNodePtr)idx);
#3  0x8072047 in ReassembleStream4 (p=0xbffff1d0) at spp_stream4.c:1152
#4  0x8054d02 in Preprocess (p=0xbffff1d0) at rules.c:3427
#5  0x804a80b in ProcessPacket (user=0x0, pkthdr=0xbffff690, 
pkt=0x8312eb2 "") at snort.c:512
#6  0x8077110 in pcap_read ()
#7  0x80776ff in pcap_loop ()
#8  0x804bbb0 in InterfaceThread (arg=0x0) at snort.c:1441
#9  0x804a6db in main (argc=1, argv=0xbffff834) at snort.c:445
#10 0x40077f31 in __libc_start_main (main=0x804a07c <main>, argc=1, 
ubp_av=0xbffff834, init=0x80497b8 <_init>,
     fini=0x807e4fc <_fini>, rtld_fini=0x4000e274 <_dl_fini>, 
stack_end=0xbffff82c) at ../sysdeps/generic/libc-start.c:129

====================

I don't have a log of all of the alerts that were passed immediately 
before the crash, just the stream4 messages:

spp_stream4: STEALTH ACTIVITY (NULL scan) detection
spp_stream4: STEALTH ACTIVITY (NULL scan) detection
spp_stream4: STEALTH ACTIVITY (NULL scan) detection
spp_stream4: EVASIVE RST detection
spp_stream4: EVASIVE RST detection
spp_stream4: Possible RETRANSMISSION detection
spp_stream4: Possible RETRANSMISSION detection
spp_stream4: Possible RETRANSMISSION detection
spp_stream4: Possible RETRANSMISSION detection
;_;crash;_;

Looking at the vars in Frame #1, that Neighbor function is passed a P 
with the following children and member vars:

(gdb) frame 1
#1  0x80702a0 in ubi_btNext (P=0x8070f34) at ubi_BinTree.c:874
874       return( Neighbor( P, ubi_trRIGHT ) );
(gdb) print P->Link[0]
$13 = (struct ubi_btNodeStruct *) 0x8be58955
(gdb) print P->Link[1]
$14 = (struct ubi_btNodeStruct *) 0x8b530c4d
(gdb) print P->Link[2]
$15 = (struct ubi_btNodeStruct *) 0x518b085d
(gdb) print P->gender
$16 = 16 '\020'
(gdb) print P->balance
$17 = -117 '\213'

That third one has some whacked-out memory address (0x518b085d) that's 
inaccessible, and this is the address that is getting passed to SubSlide 
and causing the seg fault.

This is 1.8 compiled without Postgres, MySQL, or SSL support. I can 
provide more info if needed.

Seth Leger
soleger at ...511...
