[Snort-devel] Snort Reassembly Plugin Bug?

Marc Christian Necker marc at ...427...
Mon Jun 11 11:20:57 EDT 2001

Hello all,

Looking at spp_tcp_stream3.c, I wonder if the following code is correct:

In procedure TcpStream3StoreData, lines 942 - 979:
performing insertion sort for server-packet

In line 946 (before the while-loop), it is checked if pdata->seq is less than
cur->seq. In line 962 (in the while-loop) it is checked if pdata->seq is
greater or equal than cur-seq. When entering the while-loop of line 960 the
"greater equal"-check is performed on the same pointer "cur" as the
"less"-check before the while-loop. Thus, one of the two checks is true, and
it seems to me as if the whole while-loop is pointless (either program flow
does not enter while-loop, or it is done within one loop).

I don't have snort running on any machine, so I can't verify this. Maybe
someone can have a look into it. Also, I had trouble checking out the latest
cvs today, so maybe my line-numbers vary.

I'm going through the code because I am currently interested in how snort
handles received overlapping data. I'd appreciate if someone could tell me
how it is supposed to do that (i.e. if later arriving data overwrites
already buffered data or vice versa).

Cheers - Marc
EMail: marc at ...427...

More information about the Snort-devel mailing list