[Snort-devel] Crash in spo_xml

william.c.gercken at ...350... william.c.gercken at ...350...
Mon Jun 18 13:32:40 EDT 2001


Testing the new XML changes in 1.8-beta6 build 26, snort crashes in snml().

My output processor config:

output xml: alert, file=alert_xml detail=full

The segV:

Program received signal SIGSEGV, Segmentation fault.
0x8063366 in snml (d=0x80c18d0, p=0xbffff670,
    msg=0xbffff4a0 "spp_unidecode: Invalid Unicode String detected",
    event=0xbffff480) at spo_xml.c:1545
1545           ds_ptr = (ReferenceData *)otn_tmp->ds_list[PLUGIN_REFERENCE_NUMBER];


The back trace:

#0  0x8063366 in snml (d=0x80c18d0, p=0xbffff670,
    msg=0xbffff4a0 "spp_unidecode: Invalid Unicode String detected",
    event=0xbffff480) at spo_xml.c:1545
#1  0x8061a78 in LogXml (p=0xbffff670,
    msg=0xbffff4a0 "spp_unidecode: Invalid Unicode String detected",
    arg=0x80c18d0, event=0xbffff480) at spo_xml.c:511
#2  0x80558a0 in CallAlertPlugins (p=0xbffff670,
    message=0xbffff4a0 "spp_unidecode: Invalid Unicode String detected",
    args=0x0, event=0xbffff480) at rules.c:3511
#3  0x806fc9d in LogInvalid (p=0xbffff670) at spp_unidecode.c:560
#4  0x806f957 in GetNextChar (
    Buff=0x80ae936 "%EB%25%06%2B%E4ijl%E7%9C%E6%F6%E8g%03%22%5B
[-]UR2%5FUSER%5FI
D=Monroej26[-]UR2%5FLOGGED%5FIN=LEVEL2
[-]UR2%5FEXPIRETIME=Mon%2C+18%2DJun%2D2001
+20%3A17%3A33+GMT\r\n\r\n\r\n<tr><td><img alt=\"\" name=\"arrow2\" src"...,
    NextChar=0xbffff5fb "%pöÿ¿pöÿ¿/\001", p=0xbffff670) at spp_unidecode.c:351
#5  0x806f899 in TranslateUnicode (
    InBuff=0x80ae8de "2ADS[-]UR2_USER_ID=Monroej26[-]UR2_LOGGED_IN=LEVEL2;
NS_RE
G2_LOGIN2=SHA1=A%BC\021A1=A%BC%11%EB%25%06%2B%E4ijl%E7%9C%E6%F6%E8g%03%22%5B

-]U
R2%5FUSER%5FID=Monroej26[-]UR2%5FLOGGED%5FIN=LEVEL2[-]UR2%5FEXPIR"...,
    InLength=249,
    OutBuff=0x80ae8de "2ADS[-]UR2_USER_ID=Monroej26[-]UR2_LOGGED_IN=LEVEL2;
NS_R
EG2_LOGIN2=SHA1=A%BC\021A1=A%BC%11%EB%25%06%2B%E4ijl%E7%9C%E6%F6%E8g%03%22%5B

-]
UR2%5FUSER%5FID=Monroej26[-]UR2%5FLOGGED%5FIN=LEVEL2[-]UR2%5FEXPIR"...,
    OutLength=249, p=0xbffff670) at spp_unidecode.c:304
#6  0x806f761 in UPreprocUrlDecode (p=0xbffff670) at spp_unidecode.c:227
#7  0x8055722 in Preprocess (p=0xbffff670) at rules.c:3422
#8  0x804b223 in ProcessPacket (user=0x0, pkthdr=0xbffffb10,
    pkt=0x80ae8a8 "\b") at snort.c:509
#9  0x807202c in pcap_read_packet ()
#10 0x8072db7 in pcap_loop ()
#11 0x804c4e7 in InterfaceThread (arg=0x0) at snort.c:1385
#12 0x804b0ef in main (argc=7, argv=0xbffffcc4) at snort.c:442
#13 0x40154b65 in __libc_start_main (main=0x804aaac <main>, argc=7,
    ubp_av=0xbffffcc4, init=0x8049f9c <_init>, fini=0x807b05c <_fini>,
    rtld_fini=0x4000df24 <_dl_fini>, stack_end=0xbffffcbc)
    at ../sysdeps/generic/libc-start.c:111

Misc:

(gdb) print *ds_ptr
$1 = {system = 0x0, id = 0x2 <Address 0x2 out of bounds>,
  url = 0x849c8e8 "signature", next = 0x849c890}
(gdb) print *event
$2 = {sig_generator = 110, sig_id = 4, sig_rev = 1, classification = 0,
  priority = 0, event_reference = 1}

(gdb) print (ReferenceData*)otn_tmp->ds_list[20]
Cannot access memory at address 0x54
(gdb) print *otn_tmp
Cannot access memory at address 0x0
(gdb) print otn_tmp
$3 = (OptTreeNode *) 0x0

Anyone have time to look at this?

Thanks.
-bill
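
Added example, not part of the original post and not the Snort project's fix: a reduced C model of the dereference at spo_xml.c:1545 with a NULL check on otn_tmp, which the gdb session shows is 0x0 when the alert comes from spp_unidecode. The struct layouts are simplified assumptions (only the ReferenceData field names come from the gdb output), and DS_LIST_SIZE, current_references() and count_references() are hypothetical names.

```c
#include <stddef.h>

#define PLUGIN_REFERENCE_NUMBER 20  /* index used in the gdb session above */
#define DS_LIST_SIZE 32             /* assumed size, for this model only */

/* Field names as printed by "print *ds_ptr"; the types are assumed. */
typedef struct ReferenceData {
    char *system;
    char *id;
    char *url;
    struct ReferenceData *next;
} ReferenceData;

/* Reduced stand-in for OptTreeNode: only the member the crash touches. */
typedef struct OptTreeNode {
    void *ds_list[DS_LIST_SIZE];
} OptTreeNode;

/* Global current-rule pointer. It is NULL in the reported crash, where the
 * alert is raised by a preprocessor instead of a matched rule. */
OptTreeNode *otn_tmp = NULL;

/* Hypothetical helper: head of the current rule's reference list, or NULL
 * when there is no rule node to read from. */
ReferenceData *current_references(void)
{
    if (otn_tmp == NULL)
        return NULL;  /* the unguarded read here is the reported SIGSEGV */
    return (ReferenceData *)otn_tmp->ds_list[PLUGIN_REFERENCE_NUMBER];
}

/* Hypothetical helper: number of reference entries the output plugin would
 * emit for the current alert; 0 for alerts that carry no rule. */
int count_references(void)
{
    ReferenceData *r;
    int n = 0;

    for (r = current_references(); r != NULL; r = r->next)
        n++;
    return n;
}
```

With the guard in place, an alert that has no rule node produces an empty reference list instead of reading from address 0x54.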
