[Snort-devel] [ snort-Bugs-443721 ] Icmp miss handled

noreply at ...12... noreply at ...12...
Mon Jul 23 03:35:22 EDT 2001


Bugs item #443721, was opened at 2001-07-23 00:35
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=443721&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: Icmp miss handled

Initial Comment:
Snort could be led to segfault while receiving some specially built icmp packets.

The problem is due to ip packets whose protocol field is set to 1 (IPPROTO_ICMP) but whose size doesn't permit them to contain the full icmp header.

snort-1.8p1/log.c :

char *IcmpFileName(Packet * p)
{
  switch(p->icmph->type)
    {
...

The denial of service is provoked when icmph is set to NULL.

snort-1.8p1/decode.c :

void DecodeICMP(u_int8_t * pkt, const u_int32_t len, Packet * p)
{
    u_int16_t csum;
    if(len < sizeof(ICMPHdr))
    {
        if(pv.verbose_flag)
        {
            ErrorMessage("[!] WARNING: Truncated ICMP header(%d bytes)\n", len);
        }
        if(pv.logbin_flag) LogBin(p, NULL, NULL, NULL);

        p->icmph = NULL;
        pc.discards++;
        return;
    }
...

icmph is set to NULL when the ip data length is less than the icmp header size.

snort-1.8p1/decode.h : 

typedef struct _ICMPHdr
{
    u_int8_t type;
    u_int8_t code;
    u_int16_t csum;
    u_int32_t data;
}        ICMPHdr;

sizeof(ICMPHdr) -> 8;

-----

Conditions needed to raise a segfault in snort are to receive an icmp packet matching any rule to be logged with (ip->tot_len - (ip->ihl * 4)) < 8

Simple rules to match are present in misc.rules:

alert ip any any -> any any (msg:"MISC same SRC/DST"; sameip; classtype:bad-unknown; sid:527; rev:1;)
alert ip any any <> 127.0.0.0/8 any (msg:"MISC loopback traffic"; classtype:bad-unknown; sid:528; rev:1;)


Here is a patch for snort-1.8p1

root at ...554... ~> cd snort
root at ...554... snort> patch < patch-snort

-------------- CUT THERE - patch-snort - CUT THERE --------------------------------
Common subdirectories: snort.old/CVS and snort/CVS
Common subdirectories: snort.old/contrib and snort/contrib
diff -u snort.old/log.c snort/log.c
--- snort.old/log.c     Tue Jul 10 04:47:17 2001
+++ snort/log.c Tue Jul 17 16:27:30 2001
@@ -2251,9 +2251,11 @@
  
*******************************************************
********************/
 char *IcmpFileName(Packet * p)
 {
-    switch(p->icmph->type)
+  if (!(p->icmph))
+    return ("ICMP_TRUNC");
+  switch(p->icmph->type)
     {
-        case ICMP_ECHOREPLY:
+    case ICMP_ECHOREPLY:
             return "ECHO_REPLY";
 
         case ICMP_DEST_UNREACH:
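Review bot: the guard added to IcmpFileName closes this one dereference, but DecodeICMP (quoted above) leaves p->icmph NULL for every truncated packet that still reaches the logger, so every other consumer of p->icmph on the logging and alerting path needs the same check, and it is worth asking whether a packet the decoder already counted in pc.discards should reach the logger at all. Two smaller points on the hunk itself: the new lines use a two-space indent (`+  if (!(p->icmph))`) where the surrounding file uses four, and `case ICMP_ECHOREPLY:` is re-indented while the following `return "ECHO_REPLY";` and `case ICMP_DEST_UNREACH:` keep the old indentation, so the whitespace change is partial and better left out of a bug fix; `return ("ICMP_TRUNC");` could also drop the parentheses to match the file's `return "ECHO_REPLY";` style.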
Common subdirectories: snort.old/templates and snort/templates


Sorry for my poor English.

sebas7ien at ...555...
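Added example, not code from the report or from Snort's source: a self-contained C model of the decoder/logger pair described above, with the logger hardened against the NULL icmph, fed two constructed IPv4 packets whose only difference is the total-length field (7 versus 8 bytes of ICMP payload). The names IcmpHdr, Pkt, decode_icmp, icmp_file_name, icmp_name_for_ip and the sample arrays are this example's own.

```c
#include <stdint.h>
#include <string.h>

/* Stand-in for Snort's ICMPHdr (decode.h): 8 bytes on the wire. */
typedef struct { uint8_t type, code; uint16_t csum; uint32_t data; } IcmpHdr;

typedef struct {           /* stand-in for Snort's Packet, reduced to this bug */
    IcmpHdr hdr;           /* header copy, meaningful only when icmph != NULL */
    const IcmpHdr *icmph;  /* NULL when the decoder saw a truncated header */
} Pkt;

enum { ICMP_ECHOREPLY = 0, ICMP_DEST_UNREACH = 3 };

/* Mirrors DecodeICMP: fewer than sizeof(ICMPHdr) bytes -> icmph = NULL. */
static void decode_icmp(const uint8_t *data, size_t len, Pkt *p)
{
    if (len < sizeof(IcmpHdr)) { p->icmph = NULL; return; }
    memcpy(&p->hdr, data, sizeof p->hdr);  /* memcpy: no alignment assumption */
    p->icmph = &p->hdr;
}

/* Hardened IcmpFileName: the NULL check is what the unpatched log.c lacks. */
const char *icmp_file_name(const Pkt *p)
{
    if (p->icmph == NULL) return "ICMP_TRUNC";
    switch (p->icmph->type) {
    case ICMP_ECHOREPLY:    return "ECHO_REPLY";
    case ICMP_DEST_UNREACH: return "DEST_UNREACH";
    default:                return "ICMP_OTHER";
    }
}

/* Raw IPv4 packet in, log name out. The report's trigger, protocol 1 with
 * (tot_len - ihl*4) < 8, now yields "ICMP_TRUNC" instead of a crash.
 * Returns NULL for a buffer that is not a plausible IPv4/ICMP packet. */
const char *icmp_name_for_ip(const uint8_t *buf, size_t buflen)
{
    Pkt p = { .icmph = NULL };
    if (buflen < 20 || (buf[0] >> 4) != 4 || buf[9] != 1) return NULL;
    size_t ihl = (buf[0] & 0x0fu) * 4u, tot = ((size_t)buf[2] << 8) | buf[3];
    if (ihl < 20 || tot < ihl || tot > buflen) return NULL;
    decode_icmp(buf + ihl, tot - ihl, &p);
    return icmp_file_name(&p);
}

/* Constructed samples: 20-byte IPv4 header (ihl=5, proto=1) followed by an
 * ICMP echo reply of 7 bytes (the crash case) or 8 bytes (complete). */
#define IPHDR(tot) 0x45,0,0,(tot), 0,0,0,0, 64,1,0,0, 10,0,0,1, 10,0,0,2
const uint8_t truncated_pkt[27] = { IPHDR(27), 0,0,0,0, 0,0,0 };
const uint8_t complete_pkt[28]  = { IPHDR(28), 0,0,0,0, 0,0,0,0 };
```

The truncated sample takes the same path the report describes (length check fails, icmph left NULL) and now comes back as a log name instead of a dereference.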






