[Snort-devel] now a crash in spp_tcp_stream3

Steve Halligan agent33 at ...269...
Mon May 14 12:59:08 EDT 2001


The saga continues, I still have it sitting in gdb if anyone needs more
data.
CVS from 30 min ago:
Program received signal SIGSEGV, Segmentation fault.
TcpStream3FillBuffer (sptr=0x5a5800, buf=0x5b103c "", psize=20000, server=1)
at spp_tcp_stream3.c:1391
1391        first_seq = pdata->seq;

(gdb) bt
#0  TcpStream3FillBuffer (sptr=0x5a5800, buf=0x5b103c "", psize=20000,
server=1) at spp_tcp_stream3.c:1391
#1  0x39ea3 in TcpStream3PruneSession (key=-1161607600, sptr=0x5a5800) at
spp_tcp_stream3.c:1240
#2  0x39d1c in TcpStream3PruneTree (nodeptr=0x596ae0, p=0xdfbfd5d8) at
spp_tcp_stream3.c:1178
#3  0x38ea0 in TcpStream3Packet (p=0xdfbfd5d8) at spp_tcp_stream3.c:432
#4  0x10bff in Preprocess (p=0xdfbfd5d8) at rules.c:3358
#5  0x21cd in ProcessPacket (user=0x0, pkthdr=0x73244, pkt=0x73256 "") at
snort.c:509
#6  0x40071151 in pcap_read ()
#7  0x400825a7 in pcap_loop ()
#8  0x496e in InterfaceThread (arg=0x0) at snort.c:1385
#9  0x20b8 in main (argc=5, argv=0xdfbfdb64) at snort.c

> -----Original Message-----
> From: Martin Roesch [mailto:roesch at ...402...]
> Sent: Saturday, May 12, 2001 5:01 PM
> To: Todd Lewis
> Cc: snort-devel at lists.sourceforge.net
> Subject: Re: [Snort-devel] now a crash in spp_tcp_stream3
> 
> 
> I've been playing with it.  AVL nodes are being allocated and 
> popped off
> the tree properly, nothing's hanging around.  I've been 
> seeing "snort in
> free(): warning: chunk is already free." warning messages in
> TcpStream3PruneSession() where it frees the sptr near the 
> bottom of the
> function.  I think memory is getting stomped someplace and I can't
> figure out where.  I've been seeing occaisional crashes in
> TcpStream3FillBuffer() where the sptr is completely hosed (sp 
> and cp set
> to 0 or something improbable, c_stream_size at 0 but c_count 
> at 17000+,
> etc).  
> 
> Here's my latest run:
> Starting dump at: Sat May 12 17:11:36 2001
> 
> ==========================================
> Session 0, Sat May 12 17:11:24 2001
> 
> [s_count: 7  s_size: 79]
> [c_count: 5  c_size: 9]
> ==========================================
> 
> Starting dump at: Sat May 12 17:11:52 2001
> 
> ==========================================
> Session 0, Sat May 12 17:11:24 2001
> 
> [s_count: 7  s_size: 79]
> [c_count: 25  c_size: 40]
> ==========================================
> 
> Starting dump at: Sat May 12 17:13:55 2001
> 
> ==========================================
> ==========================================
> 
> Starting dump at: Sat May 12 17:15:26 2001
> 
> ==========================================
> Session 4, Sat May 12 17:15:25 2001
> 
> [s_count: 0  s_size: 0]
> [c_count: 1  c_size: 494]
> Session 2, Sat May 12 17:15:25 2001
> 
> [s_count: 2  s_size: 0]
> [c_count: 0  c_size: 0]
> Session 6, Sat May 12 17:15:25 2001
> 
> [s_count: 1  s_size: 0]
> [c_count: 0  c_size: 0]
> ==========================================
> 
> Starting dump at: Sat May 12 17:17:52 2001
> 
> ==========================================
> Session 4, Sat May 12 17:15:25 2001
> 
> [s_count: 0  s_size: 0]
> [c_count: 0  c_size: 0]
> Session 2, Sat May 12 17:15:25 2001
> 
> [s_count: 2  s_size: 0]
> [c_count: 0  c_size: 0]
> Session 6, Sat May 12 17:15:25 2001
> 
> [s_count: 1  s_size: 0]
> [c_count: 0  c_size: 0]
> ==========================================
> 
> 
> 
> Todd Lewis wrote:
> > 
> > BTW, if anyone else is not having the problem I reported, then could
> > you please apply the patch, run some traffic through snort, send it
> > SIGUSR2 every minute or so until the memory leak is good 
> and visible,
> > and send me back the resulting file stream3_leak_finder.log?
> > 
> > --
> > Todd Lewis
> > tlewis at ...255...
> > 
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > http://lists.sourceforge.net/lists/listinfo/snort-devel
> 
> --
> Martin Roesch
> roesch at ...402...
> http://www.sourcefire.com - http://www.snort.org
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel
> 




More information about the Snort-devel mailing list