[Snort-devel] spp_frag2.c increments pc.frags, so does snort.c

Phil Wood cpw at ...86...
Tue Jul 31 16:05:56 EDT 2001


Fyodor,

Earlier I posted the following:

================================================================
*** snort/spp_stream4.c Tue Jul 24 08:50:21 2001
--- snort+/spp_stream4.c        Tue Jul 31 13:27:54 2001
***************
*** 1258,1261 ****
--- 1258,1262 ----
              DebugMessage(DEBUG_STREAM, "Dumping session\n");
              DeleteSession(ssn, p->pkth->ts.tv_sec);
+             p->ssnptr = 0;
          }
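Review bot: the added `p->ssnptr = 0;` correctly prevents the rest of this packet's processing from following a pointer into a session that `DeleteSession()` has just torn down, but the hunk only covers this one call site; any other path that calls `DeleteSession()` while a `Packet` still holds the session in `ssnptr` needs the same clearing, otherwise the stale pointer survives elsewhere. Stylistically, assigning `NULL` rather than `0` makes the intent (clearing a pointer, not a counter) obvious to the next reader.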
================================================================

which will eliminate one of the seg faults I've been seeing.  Maybe you want
to risk it?  %^)

I moved on to the next seg fault which occurs in spp_frag2 stuff.

** Notice the value of RootPtr in the call to ubi_btInsert.

(gdb) bt
#0  ubi_btInsert (RootPtr=0x48, NewNode=0x8abea68, ItemPtr=0x8abea68, 
    OldNode=0xbffff1bc) at ubi_BinTree.c:637
#1  0x8077825 in ubi_sptInsert (RootPtr=0x48, NewNode=0x8abea68, 
    ItemPtr=0x8abea68, OldNode=0x0) at ubi_SplayTree.c:317
#2  0x807c08e in InsertFrag (p=0xbffff29c, ft=0x8abea20) at spp_frag2.c:534
#3  0x807be82 in Frag2Defrag (p=0xbffff29c) at spp_frag2.c:430
#4  0x8058416 in Preprocess (p=0xbffff29c) at rules.c:3427
#5  0x804c790 in ProcessPacket (user=0x0, pkthdr=0xbffff788, pkt=0x40346042 "")
    at snort.c:519
#6  0x807ce7c in packet_ring_recv ()
#7  0x807d1b4 in pcap_read ()
#8  0x807df53 in pcap_loop ()
#9  0x804deef in InterfaceThread (arg=0x0) at snort.c:1450
#10 0x804c674 in main (argc=20, argv=0xbffff97c) at snort.c:452

(gdb) up
#1  0x8077825 in ubi_sptInsert (RootPtr=0x48, NewNode=0x8abea68, 
    ItemPtr=0x8abea68, OldNode=0x0) at ubi_SplayTree.c:317
317       if( ubi_btInsert( RootPtr, NewNode, ItemPtr, OldNode ) )
(gdb) up
#2  0x807c08e in InsertFrag (p=0xbffff29c, ft=0x8abea20) at spp_frag2.c:534
534         if(ubi_sptInsert(ft->fraglistPtr, (ubi_btNodePtr)newfrag, 

** Notice that the FragRootPtr structure is empty at this time.

(gdb) print *FragRootPtr
$8 = {root = 0x0, cmp = 0x807b83c <Frag2CompareFunc>, count = 0, 
  flags = 0 '\000'}

If you look at the NewFragTracker and InsertFrag routines you
will find a couple of "sucks" LogMessages.  There is no cleanup
done at this point.  Things just kind of fall through.

I think this might have something to do with the seg faults,
but have no way to prove it.  So far they only happen when a
system ends up transferring large amounts of data using packet sizes
that get fragmented.  It has been happening for some time.  But, by
the time I got around to analyzing this particular seg fault, the
user went fishing.  I've got a lot of core dump files.

Thanks,

-- 
Phil Wood, cpw at ...86...
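The stream4 patch in this post clears `p->ssnptr` right after `DeleteSession()`. The following is an added example, not Snort's code and not part of the original message: a minimal model of why that one assignment matters. The `Session`, `Packet`, `NewSession`, `DumpSessionBuggy`, `DumpSessionFixed`, `SessionId` and `Scenario` names and the two-slot pool are all constructed for illustration. Sessions live in a fixed pool rather than on the heap so that the stale pointer can be followed deterministically: after the slot is reused by a second flow, the pre-patch packet silently reports the wrong session, while the post-patch packet reports "no session". The same reasoning applies to any back-pointer that can outlive the object it references, such as the frag tracker's tree root pointer in the frag2 trace.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the session table: two slots are enough to
   show a freed slot being handed to a different flow. */
#define POOL_SIZE 2

typedef struct Session {
    unsigned int id;     /* hypothetical session identifier */
    bool in_use;         /* slot is currently allocated */
} Session;

typedef struct Packet {
    Session *ssnptr;     /* back-pointer, like p->ssnptr in the post */
} Packet;

static Session pool[POOL_SIZE];

/* Hand out the first free slot, tagged with id; NULL when the pool is full. */
static Session *NewSession(unsigned int id)
{
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            pool[i].id = id;
            return &pool[i];
        }
    }
    return NULL;
}

/* Release the slot. Any pointer still referencing it is now stale. */
static void DeleteSession(Session *s)
{
    s->in_use = false;
    s->id = 0;
}

/* Pre-patch behaviour: the session is deleted but p->ssnptr keeps pointing
   at the slot. */
static void DumpSessionBuggy(Packet *p)
{
    DeleteSession(p->ssnptr);
}

/* Post-patch behaviour: clear the back-pointer, as the posted hunk does. */
static void DumpSessionFixed(Packet *p)
{
    DeleteSession(p->ssnptr);
    p->ssnptr = NULL;
}

/* A later consumer of the packet. With the pointer cleared it returns -1
   instead of reading a slot that may now belong to another flow. */
static int SessionId(const Packet *p)
{
    if (p->ssnptr == NULL || !p->ssnptr->in_use)
        return -1;
    return (int)p->ssnptr->id;
}

/* Run one scenario and return what the first packet reports after its
   session slot has been reused: 2 (the wrong session) when the pointer is
   left dangling, -1 (no session) when it is cleared. */
static int Scenario(bool fixed)
{
    memset(pool, 0, sizeof pool);
    Packet p = { NewSession(1) };
    if (fixed)
        DumpSessionFixed(&p);
    else
        DumpSessionBuggy(&p);
    /* A second flow arrives and is given the slot that was just freed. */
    Packet q = { NewSession(2) };
    (void)q;
    return SessionId(&p);
}

int main(void)
{
    printf("dangling pointer: packet reports session %d\n", Scenario(false));
    printf("pointer cleared:  packet reports session %d\n", Scenario(true));
    return 0;
}
```

In real code the reused memory would not be a neatly tagged pool slot but whatever the allocator handed out next, which is why the symptom in the post is a crash deep inside the tree insert rather than a wrong answer; the fix is the same in both cases, clear the reference at the point where the object is destroyed, and have consumers treat a NULL reference as "no session" rather than assuming one exists.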