[Snort-devel] COREdump of snort on a Dual i586 233MMX
roman at ...49...
Wed Oct 3 06:57:02 EDT 2001
Try this patch to spo_database.c.
Looks like p->iph was not checked for NULL before trying to
verify what layer-4 protocol was being used. In this case, no layer-4
decode was done. Curious as to why this has not come up before.
On Wed, 3 Oct 2001, Dennis Fleurbaaij wrote:
> I'm running snort on my home-firewall but it tends to coredump all over
> the place on my i386. The version in this trace here is 1.8.1-RELEASE
> but the CVS version dumps even worse so I assume that the problem is not
> yet fixed.
> I run snort with a postgresql database.
> (NOTE: the logging to the db doesn't work unless I compile snort 1.8.1
> without the -O2 option, any ideas on this one please mail me,
> the CVS version works okay though when logging though)
> So I won't keep you in suspense much longer, here it is:
> [root at ...857... test]# gdb -c core /software/snort-1.8.1-RELEASE/snort
> GNU gdb 5.0rh-5 Red Hat Linux 7.1
> Copyright 2001 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-redhat-linux"...
> Core was generated by `snort -p -c /etc/snort/snort.conf -D'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /lib/libm.so.6...done.
> Loaded symbols for /lib/libm.so.6
> Reading symbols from /lib/libnsl.so.1...done.
> Loaded symbols for /lib/libnsl.so.1
> Reading symbols from /usr/lib/libpq.so.2...done.
> Loaded symbols for /usr/lib/libpq.so.2
> Reading symbols from /usr/lib/libssl.so.1...done.
> Loaded symbols for /usr/lib/libssl.so.1
> Reading symbols from /usr/lib/libcrypto.so.1...done.
> Loaded symbols for /usr/lib/libcrypto.so.1
> Reading symbols from /lib/libc.so.6...done.
> Loaded symbols for /lib/libc.so.6
> Reading symbols from /lib/libcrypt.so.1...done.
> Loaded symbols for /lib/libcrypt.so.1
> Reading symbols from /lib/libresolv.so.2...done.
> Loaded symbols for /lib/libresolv.so.2
> Reading symbols from /lib/libdl.so.2...done.
> Loaded symbols for /lib/libdl.so.2
> Reading symbols from /lib/ld-linux.so.2...done.
> Loaded symbols for /lib/ld-linux.so.2
> Reading symbols from /lib/libnss_files.so.2...done.
> Loaded symbols for /lib/libnss_files.so.2
> Reading symbols from /lib/libnss_nisplus.so.2...done.
> Loaded symbols for /lib/libnss_nisplus.so.2
> Reading symbols from /lib/libnss_dns.so.2...done.
> Loaded symbols for /lib/libnss_dns.so.2
> #0 0x08065725 in Database (p=0xbffff360,
> msg=0x80a7900 "Ethernet destination/ARP target address mismatch",
> arg=0x810cd18, event=0xbffff300)
> at spo_database.c:823
> 823 if(p->iph->ip_proto == IPPROTO_ICMP && p->icmph)
> We can see that it has something to do with the database driver (
> spo_database.c ). The comment above that line is:
> /* query = NewQueryNode(query, 0); */
> Which kind of leads me to believe that I'm writing to NULL (or even
> worse a stray pointer) here. In any case if someone who wants
> to help and _CAN_ help is interested, a shell to the machine is
> available... Or if you're lazy just give me a clue to why this happens
> and I'll code it myself.
> Greets and tnx for the (usually) kewl software,
> - Dennis Fleurbaaij
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
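
The failure mode discussed in this thread, as an added example that is not part of the original messages or the scrubbed patch: an alert raised on a frame with no IP header reaches the output code with p->iph == NULL, so the protocol test at spo_database.c:823 dereferences NULL. The structures below are simplified stand-ins that model only the fields visible in the backtrace line; classify_l4, L4Kind and the PROTO_* names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins (assumption): only iph, ip_proto and icmph,
 * the fields named on line 823 of the backtrace, are modelled. */
typedef struct { uint8_t ip_proto; } IPHdr;
typedef struct { uint8_t type; uint8_t code; } ICMPHdr;

typedef struct {
    const IPHdr   *iph;    /* NULL when no IP header was decoded (e.g. ARP) */
    const ICMPHdr *icmph;  /* NULL unless an ICMP header was decoded */
} Packet;

enum { PROTO_ICMP = 1 };   /* IANA protocol number for ICMP */

typedef enum { L4_NONE, L4_ICMP, L4_OTHER } L4Kind;

/* Hypothetical helper: decide which layer-4 record an output plugin
 * may write. The unguarded form from the backtrace was
 *     if(p->iph->ip_proto == IPPROTO_ICMP && p->icmph)
 * which faults when p->iph is NULL. Here every pointer is tested
 * before it is dereferenced. */
L4Kind classify_l4(const Packet *p)
{
    if (p == NULL || p->iph == NULL)
        return L4_NONE;    /* no IP decode: log the alert without L3/L4 data */
    if (p->iph->ip_proto == PROTO_ICMP && p->icmph != NULL)
        return L4_ICMP;
    return L4_OTHER;       /* IP present; other protocol branches not modelled */
}

int main(void)
{
    /* Constructed sample packets, not captured traffic. */
    Packet arp_alert = { NULL, NULL };   /* alert on an ARP frame */
    IPHdr   ih = { PROTO_ICMP };
    ICMPHdr ic = { 8, 0 };               /* echo request */
    Packet ping = { &ih, &ic };

    printf("arp alert -> %d\n", classify_l4(&arp_alert));
    printf("icmp echo -> %d\n", classify_l4(&ping));
    return 0;
}
```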