[Snort-devel] another snort-1.8-RELEASE core

Michael Anderson mca at ...498...
Wed Jul 11 13:44:11 EDT 2001


I just got another core dump with snort-1.8-RELEASE. My backtrace looks
like this:
(gdb) bt
#0  0x4020f4e1 in __kill () from /lib/libc.so.6
#1  0x4020f2ba in raise (sig=6) at ../sysdeps/posix/raise.c:27
#2  0x40210a82 in abort () at ../sysdeps/generic/abort.c:88
#3  0x40208eba in __assert_fail () at assert.c:60
#4  0x805603f in Preprocess (p=0xbffff3b0) at rules.c:3427
#5  0x804baab in ProcessPacket (user=0x0, pkthdr=0xbffff870,
pkt=0x80d32f2 "") at snort.c:512
#6  0x8078772 in pcap_read ()
#7  0x807912f in pcap_loop ()
#8  0x804ce58 in InterfaceThread (arg=0x0) at snort.c:1441
#9  0x804b97b in main (argc=5, argv=0xbffffa54) at snort.c:445
#10 0x401feb65 in __libc_start_main (main=0x804b31c <main>, argc=5,
ubp_av=0xbffffa54, init=0x804a6c4 <_init>,
    fini=0x8082bbc <__do_global_ctors_aux+44>, rtld_fini=0x4000df24
<_dl_fini>, stack_end=0xbffffa4c)
    at ../sysdeps/generic/libc-start.c:111

I took a look at the code and found that snort crashed while trying to
do the following in rules.c line 3426:
assert(idx->func != NULL);

idx is a pointer to the list PreprocessFuncNode. idx is set to point to
the global list PreprocessList (a list containing all of the
preprocessor functions). The list is then traversed to call each
preprocessor function. It appears that at some point while traversing
the list, the func attribute is NULL causing the assertion to fail. I
added the following line to the AddFuncToPreprocList in rules.c after
line number 1370:
idx->next = NULL;

I'm assuming the crash was caused because pointers are not being
initialized to NULL and at some point snort is accessing random memory
while trying to read the list.  I've had snort up and running for 3
hours since I made this change.

-Mike





More information about the Snort-devel mailing list