[Snort-devel] A seg fault in frag2 Version 1.8.1-beta5 (Build 59)

Phil Wood cpw at ...86...
Mon Jul 30 17:37:50 EDT 2001


This is from radiocity, not running the output database plugin.  As expected,
no more seg faults related to the corrupt stream4 structure.  However, I got this
one.  Maybe this is already known about?  I've been tied up tracking the output
database-related seg fault.

Any suggestions on how to proceed appreciated.

The RootPtr is screwed up in Frag2 related processing: ft->fraglistPtr is 0x48, which is not a usable address, and that value is passed down as RootPtr to ubi_btInsert, where it is dereferenced.

# gdb snort cay20010730.0956
(gdb) where
#0  ubi_btInsert (RootPtr=0x48, NewNode=0x893bc58, ItemPtr=0x893bc58, 
    OldNode=0xbfffee9c) at ubi_BinTree.c:637
#1  0x8077825 in ubi_sptInsert (RootPtr=0x48, NewNode=0x893bc58, 
    ItemPtr=0x893bc58, OldNode=0x0) at ubi_SplayTree.c:317
#2  0x807c07e in InsertFrag (p=0xbfffef7c, ft=0x87e6688) at spp_frag2.c:534
#3  0x807be72 in Frag2Defrag (p=0xbfffef7c) at spp_frag2.c:430
#4  0x8058416 in Preprocess (p=0xbfffef7c) at rules.c:3427
#5  0x804c790 in ProcessPacket (user=0x0, pkthdr=0xbffff468, pkt=0x4053c672 "")
    at snort.c:519
#6  0x807ce6c in packet_ring_recv ()
#7  0x807d1a4 in pcap_read ()
#8  0x807df43 in pcap_loop ()
#9  0x804deef in InterfaceThread (arg=0x0) at snort.c:1450
#10 0x804c674 in main (argc=20, argv=0xbffff65c) at snort.c:452
(gdb) up
#1  0x8077825 in ubi_sptInsert (RootPtr=0x48, NewNode=0x893bc58, 
    ItemPtr=0x893bc58, OldNode=0x0) at ubi_SplayTree.c:317
317       if( ubi_btInsert( RootPtr, NewNode, ItemPtr, OldNode ) )
(gdb) up
#2  0x807c07e in InsertFrag (p=0xbfffef7c, ft=0x87e6688) at spp_frag2.c:534
534         if(ubi_sptInsert(ft->fraglistPtr, (ubi_btNodePtr)newfrag, 

(gdb) print *p
$1 = {pkth = 0xbffff468, pkt = 0x4053c672 "", fddihdr = 0x0, fddisaps = 0x0, 
  fddisna = 0x0, fddiiparp = 0x0, fddiother = 0x0, trh = 0x0, trhllc = 0x0, 
  trhmr = 0x0, sllh = 0x0, eh = 0x4053c672, vh = 0x0, ehllc = 0x0, 
  ehllcother = 0x0, ah = 0x0, iph = 0x4053c680, orig_iph = 0x0, 
  ip_options_len = 0, ip_options_data = 0x0, tcph = 0x0, orig_tcph = 0x0, 
  tcp_options_len = 0, tcp_options_data = 0x0, udph = 0x0, orig_udph = 0x0, 
  icmph = 0x0, orig_icmph = 0x0, ext = 0x0, data = 0x4053c694 "obal", 
  dsize = 1480, frag_flag = 1 '\001', frag_offset = 185, mf = 1 '\001', 
  df = 0 '\000', rf = 0 '\000', sp = 0, dp = 0, orig_sp = 0, orig_dp = 0, 
  caplen = 0, URI = {uri = 0x0, length = 0}, ssnptr = 0x0, ip_options = {{
      code = 0 '\000', len = 0, data = 0x0} <repeats 40 times>}, 
  ip_option_count = 0, ip_lastopt_bad = 0 '\000', tcp_options = {{
      code = 0 '\000', len = 0, data = 0x0} <repeats 40 times>}, 
  tcp_option_count = 0, tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000', 
  packet_flags = 0, wire_packet = 0 '\000'}
(gdb) x /32 0x4053c672
0x4053c672:     0xcd1d0000      0x6000fd46      0x00875083      0x00450008
0x4053c682:     0x59e8dc05      0x11f9b920      0xfd86eb03      0xa58015a4
0x4053c692:     0x626f5b03      0x00006c61      0x00000100      0x00000800
0x4053c6a2:     0x00000000      0x00000000      0x00000400      0x00001000
0x4053c6b2:     0x0000800d      0x656e0900      0x74665f6d      0x00657079
0x4053c6c2:     0x00000000      0x00000000      0x00000000      0x00000000
0x4053c6d2:     0x00000400      0x00000400      0x0000900d      0x6e690a00
0x4053c6e2:     0x5f6e5f74      0x74617473      0x00000000      0x00000100

   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | VER=4 | IHL=5 | ROU | | | | | | Total Length = 1500           |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Identification = 59481        | | |M| Fragment Offset = 185   |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |    TTL=249    | Protocol = 17 | Header Checksum = 1003        |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Source Address  = 134.253.164.21                              |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Destination Address  = 128.165.3.91                           |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

(gdb) list
529         memcpy(newfrag->data, p->data, p->dsize);
530         
531         newfrag->offset = p->frag_offset << 3;
532         newfrag->size = p->dsize;
533
534         if(ubi_sptInsert(ft->fraglistPtr, (ubi_btNodePtr)newfrag, 
535                     (ubi_btNodePtr)newfrag, (ubi_btNodePtr*)dup) == FALSE)
536         {
537             LogMessage("NewFragTracker: sptInsert failed, that sucks\n");
538         }
(gdb) print ft
$2 = (FragTracker *) 0x87e6688
(gdb) x /48 0x87e6688
0x87e6688:      0x0898ea00      0x08685740      0x088668c8      0x00000101
0x87e6698:      0x15a4fd86      0x5b03a580      0x001159e8      0x00000001
0x87e66a8:      0x00000000      0x00000000      0x00000000      0x00000000
0x87e66b8:      0x00000000      0x0807b8d8      0x00000000      0x00000001
0x87e66c8:      0x00000048      0x00000090      0x088729d8      0x086828b8
0x87e66d8:      0x08739428      0x00000100      0x04837341      0x00040050
0x87e66e8:      0x45ec8725      0x45ec8726      0x45ec928e      0x45ec928e
0x87e66f8:      0x00002238      0x00000002      0x000005a8      0x00000000
0x87e6708:      0x080782dc      0x00000000      0x00000000      0x087e6704
0x87e6718:      0x509ca580      0x0004632b      0x54507644      0x545077e1
0x87e6728:      0x545077e1      0x545077e1      0x000042d4      0x00000005
0x87e6738:      0x0000019c      0x00000000      0x080782dc      0x00000000
(gdb) print *ft
$3 = {Node = {Link = {0x898ea00, 0x8685740, 0x88668c8}, gender = 1 '\001', 
    balance = 1 '\001'}, sip = 363134342, dip = 1526965632, id = 23016, 
  protocol = 17 '\021', frag_flags = 1, last_frag_time = 0, frag_bytes = 0, 
  calculated_size = 0, frag_pkts = 0, fraglist = {root = 0x0, 
    cmp = 0x807b8d8 <Frag2FragCompare>, count = 0, flags = 1 '\001'}, 
  fraglistPtr = 0x48}



