[Snort-devel] [ snort-Bugs-443721 ] Icmp miss handled

Martin Roesch roesch at ...402...
Mon Jul 23 10:31:55 EDT 2001


Thanks, good catch.  Patched in CVS.

     -Marty

noreply at ...12... wrote:
> 
> Bugs item #443721, was opened at 2001-07-23 00:35
> You can respond by visiting:
> http://sourceforge.net/tracker/?func=detail&atid=103357&aid=443721&group_id=3357
> 
> Category: None
> Group: None
> Status: Open
> Resolution: None
> Priority: 5
> Submitted By: Nobody/Anonymous (nobody)
> Assigned to: Nobody/Anonymous (nobody)
> Summary: Icmp miss handled
> 
> Initial Comment:
> Snort could be led to segfault while receiving some specially built icmp
> packets.
> 
> The problem is due to ip packets whose protocol field is set to 1
> (IPPROTO_ICMP) but whose size doesn't permit them to contain the full
> icmp header.
> 
> snort-1.8p1/log.c :
> 
> char *IcmpFileName(Packet * p)
> {
>   switch(p->icmph->type)
>     {
> ...
> 
> The denial of service is provoked when icmph is set to NULL.
> 
> snort-1.8p1/decode.c :
> 
> void DecodeICMP(u_int8_t * pkt, const u_int32_t len, Packet * p)
> {
>     u_int16_t csum;
>     if(len < sizeof(ICMPHdr))
>     {
>         if(pv.verbose_flag)
>         {
>             ErrorMessage("[!] WARNING: Truncated ICMP header(%d bytes)\n", len);
>         }
>         if(pv.logbin_flag) LogBin(p, NULL, NULL, NULL);
> 
>         p->icmph = NULL;
>         pc.discards++;
>         return;
>     }
> ...
> 
> icmph is set to NULL when the ip data length is less
> than icmp header size.
> 
> snort-1.8p1/decode.h :
> 
> typedef struct _ICMPHdr
> {
>     u_int8_t type;
>     u_int8_t code;
>     u_int16_t csum;
>     u_int32_t data;
> }        ICMPHdr;
> 
> sizeof(ICMPHdr) -> 8;
> 
> -----
> 
> Conditions needed to raise a segfault in snort are to receive an icmp
> packet matching any rule to be logged with
> (ip->tot_len - (ip->ihl * 4)) < 8
> 
> Simple rules to match are present in misc.rules:
> 
> alert ip any any -> any any (msg:"MISC same SRC/DST"; sameip; classtype:bad-unknown; sid:527; rev:1;)
> alert ip any any <> 127.0.0.0/8 any (msg:"MISC loopback traffic"; classtype:bad-unknown; sid:528; rev:1;)
> 
> Here is a patch for snort-1.8p1
> 
> root at ...554... ~> cd snort
> root at ...554... snort> patch < patch-snort
> 
> -------------- CUT THERE - patch-snort - CUT THERE ----
> ----------------------------
> Common subdirectories: snort.old/CVS and snort/CVS
> Common subdirectories: snort.old/contrib and
> snort/contrib
> diff -u snort.old/log.c snort/log.c
> --- snort.old/log.c     Tue Jul 10 04:47:17 2001
> +++ snort/log.c Tue Jul 17 16:27:30 2001
> @@ -2251,9 +2251,11 @@
> 
> *******************************************************
> ********************/
>  char *IcmpFileName(Packet * p)
>  {
> -    switch(p->icmph->type)
> +  if (!(p->icmph))
> +    return ("ICMP_TRUNC");
> +  switch(p->icmph->type)
>      {
> -        case ICMP_ECHOREPLY:
> +    case ICMP_ECHOREPLY:
>              return "ECHO_REPLY";
> 
>          case ICMP_DEST_UNREACH:
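
Review bot: the "if (!(p->icmph))" guard at the top of IcmpFileName covers only this one dereference. DecodeICMP, as quoted in the report, leaves p->icmph NULL for every truncated ICMP packet, so any other function that reads p->icmph without a check stays exposed; the remaining users of p->icmph should be checked in the same change. On style, the added lines use 2-space indentation and re-indent "case ICMP_ECHOREPLY:" where the surrounding code uses 4 spaces. Keeping the original indentation, and writing return "ICMP_TRUNC"; without parentheses to match the existing return "ECHO_REPLY";, would limit the diff to the functional change.
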
> Common subdirectories: snort.old/templates and
> snort/templates
> 
> xxxxxxxxxxxxxx
> xxxxxxxxxxxxxx
> xxxxxxxxxxxxxx
> 
> Sorry for my poor English.
> 
> sebas7ien at ...555...
> 

--
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org
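
An added example, not part of the original message and not Snort's code: a minimal C sketch of the condition in the report, where the decoder leaves the ICMP header pointer NULL when (tot_len - ihl*4) < 8 and the logging-side consumer checks for NULL before reading the type. The names pkt_view, decode_ip, icmp_file_name and classify_sample are hypothetical, and the sample packets are constructed in memory.

```c
/* Added illustration; every name here is hypothetical, not Snort's. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ICMP_HDR_LEN 8u  /* sizeof(ICMPHdr) in the report */
typedef struct { const uint8_t *icmph; } pkt_view;  /* NULL if truncated */

/* Sets v->icmph only for ICMP with (tot_len - ihl*4) >= 8; -1 on a bad IP header. */
int decode_ip(const uint8_t *buf, size_t cap_len, pkt_view *v)
{
    v->icmph = NULL;
    if (cap_len < 20 || (buf[0] >> 4) != 4) return -1;
    uint32_t ihl = (uint32_t)(buf[0] & 0x0f) * 4u;
    uint32_t tot_len = ((uint32_t)buf[2] << 8) | buf[3];
    if (ihl < 20 || tot_len < ihl || tot_len > cap_len) return -1;
    if (buf[9] == 1 && tot_len - ihl >= ICMP_HDR_LEN)  /* 1 = IPPROTO_ICMP */
        v->icmph = buf + ihl;
    return 0;
}

/* Logging-side consumer: NULL check before any dereference. */
const char *icmp_file_name(const pkt_view *v)
{
    if (v->icmph == NULL) return "ICMP_TRUNC";
    switch (v->icmph[0]) {  /* ICMP type byte */
        case 0:  return "ECHO_REPLY";
        case 8:  return "ECHO";
        default: return "UNKNOWN";
    }
}

/* Constructed sample: 20-byte IPv4 header followed by n ICMP bytes. */
const char *classify_sample(uint8_t icmp_type, unsigned n)
{
    uint8_t buf[64];
    pkt_view v;
    unsigned tot = 20 + n;
    if (tot > sizeof buf) return "BAD_IP";
    memset(buf, 0, sizeof buf);
    buf[0] = 0x45; buf[9] = 1;  /* version 4, ihl 5, IPPROTO_ICMP */
    buf[2] = (uint8_t)(tot >> 8); buf[3] = (uint8_t)tot; buf[20] = icmp_type;
    return decode_ip(buf, tot, &v) ? "BAD_IP" : icmp_file_name(&v);
}

int main(void)
{
    for (unsigned n = 0; n <= 8; n += 4)
        printf("%u ICMP bytes -> %s\n", n, classify_sample(8, n));
    return 0;
}
```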



