[Snort-devel] another snort-1.8-RELEASE core

Martin Roesch roesch at ...402...
Mon Jul 16 23:45:02 EDT 2001


Hi guys,
     Something else is getting hammered in there, those pointers are
initialized to NULL in the calloc above the rest of the code, something
is stomping the pointers hard.  I'm working on a fix, hopefully I'll
have something put together shortly.

     -Marty

"Jason A. Haynes" wrote:
> 
> I'd say that's a good call, Mike; saw a couple crashes reported on
> snort-users about that assertion too.  Here's a patch against the current
> cvs which I think NULLs out the remaining two cases, including the one you
> found.
> 
> - --
> Hey, if you can't remember when you booted it, it ain't
> windoze.                                - CyberPeasant
> 
> On Wed, 11 Jul 2001, Michael Anderson wrote:
> 
> > I just got another core dump with snort-1.8-RELEASE. My backtrace looks
> > like this:
> > (gdb) bt
> > #0  0x4020f4e1 in __kill () from /lib/libc.so.6
> > #1  0x4020f2ba in raise (sig=6) at ../sysdeps/posix/raise.c:27
> > #2  0x40210a82 in abort () at ../sysdeps/generic/abort.c:88
> > #3  0x40208eba in __assert_fail () at assert.c:60
> > #4  0x805603f in Preprocess (p=0xbffff3b0) at rules.c:3427
> > #5  0x804baab in ProcessPacket (user=0x0, pkthdr=0xbffff870,
> > <snip!>
> >
> > I took a look at the code and found that snort crashed while trying to
> > do the following in rules.c line 3426:
> > assert(idx->func != NULL);
> >
> > idx is a pointer to the list PreprocessFuncNode. idx is set to point to
> > the global list PreprocessList (a list containing all of the
> > preprocessor functions). The list is then traversed to call each
> > preprocessor function. It appears that at some point while traversing
> > the list, the func attribute is NULL causing the assertion to fail. I
> > added the following line to the AddFuncToPreprocList in rules.c after
> > line number 1370:
> > idx->next = NULL;
> >
> > I'm assuming the crash was caused because pointers are not being
> > initialized to NULL and at some point snort is accessing random memory
> > while trying to read the list.  I've had snort up and running for 3
> > hours since I made this change.
> 
>   ------------------------------------------------------------------------
>                     Name: rules.c.patch
>    rules.c.patch    Type: Plain Text (TEXT/PLAIN)
>                 Encoding: BASE64

--
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org
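
Added example, not part of the original thread and not Snort's code: a simplified preprocessor list whose nodes are allocated with calloc, as described above, and whose traversal reports a stomped node instead of hitting the assertion. The guard words, `NODE_MAGIC`, `count_packet` and the return convention are assumptions made for illustration; only the names `PreprocessFuncNode`, `PreprocessList`, `AddFuncToPreprocList`, `Preprocess`, `func` and `next` come from the messages.

```c
#include <stdint.h>
#include <stdlib.h>

#define NODE_MAGIC 0x5052450Au  /* constructed guard value, not from Snort */
typedef void (*PreprocFunc)(void *pkt);

typedef struct PreprocessFuncNode {
    uint32_t guard_head;        /* hypothetical guard word before the pointers */
    PreprocFunc func;
    struct PreprocessFuncNode *next;
    uint32_t guard_tail;        /* hypothetical guard word after the pointers */
} PreprocessFuncNode;

PreprocessFuncNode *PreprocessList = NULL;
int calls = 0;                  /* constructed sample preprocessor state */
void count_packet(void *pkt) { (void)pkt; calls++; }

/* Append a node; calloc zeroes func and next before the node is linked. */
int AddFuncToPreprocList(PreprocFunc func)
{
    PreprocessFuncNode *node, *idx;
    if (func == NULL || (node = calloc(1, sizeof(*node))) == NULL)
        return -1;
    node->guard_head = node->guard_tail = NODE_MAGIC;
    node->func = func;
    if (PreprocessList == NULL) {
        PreprocessList = node;
        return 0;
    }
    for (idx = PreprocessList; idx->next != NULL; idx = idx->next)
        ;
    idx->next = node;
    return 0;
}

/* Returns how many functions ran, or -n when node n (1-based) has a damaged
 * guard or a NULL func. The walk stops there: its next pointer is suspect. */
int Preprocess(void *pkt)
{
    PreprocessFuncNode *idx;
    int pos = 0;
    for (idx = PreprocessList; idx != NULL; idx = idx->next) {
        pos++;
        if (idx->guard_head != NODE_MAGIC || idx->guard_tail != NODE_MAGIC ||
            idx->func == NULL)
            return -pos;
        idx->func(pkt);
    }
    return pos;
}
```

A NULL `func` with intact guards points at a narrow overwrite of that one field, while damaged guards mean a write ran across the whole node; either way the position narrows down which allocation to watch in a debugger.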



