[Snort-devel] COREdump of snort on a Dual i586 233MMX

roman at ...49... roman at ...49...
Wed Oct 3 06:57:02 EDT 2001


Try this patch to spo_database.c.
 
Looks like p->iph was not checked for NULL before trying to
verify what layer-4 protocol was being used.  In this case, no layer-4
decode was done.  Curious as to why this has not come up before.

Roman

On Wed, 3 Oct 2001, Dennis Fleurbaaij wrote:

> Hi,
> 
> I'm running snort on my home-firewall but it tends to coredump all over 
> the place on my i386. The version in this trace here is 1.8.1-RELEASE
> but the CVS version dumps even worse so I assume that the problem is not 
> yet fixed.
> 
> I run snort with a postgresql database.
> 
> (NOTE: the logging to the db doesn't work unless I compile snort 1.8.1 
> without the -O2 option, any ideas on this one please mail me,
> the CVS version works okay when logging though)
> 
> So I won't keep you in suspense much longer, here it is:
> 
> [root at ...857... test]# gdb -c core /software/snort-1.8.1-RELEASE/snort   
> GNU gdb 5.0rh-5 Red Hat Linux 7.1
> Copyright 2001 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain 
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386-redhat-linux"...
> Core was generated by `snort -p -c /etc/snort/snort.conf -D'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /lib/libm.so.6...done.
> Loaded symbols for /lib/libm.so.6
> Reading symbols from /lib/libnsl.so.1...done.
> Loaded symbols for /lib/libnsl.so.1
> Reading symbols from /usr/lib/libpq.so.2...done.
> Loaded symbols for /usr/lib/libpq.so.2
> Reading symbols from /usr/lib/libssl.so.1...done.
> Loaded symbols for /usr/lib/libssl.so.1
> Reading symbols from /usr/lib/libcrypto.so.1...done.
> Loaded symbols for /usr/lib/libcrypto.so.1
> Reading symbols from /lib/libc.so.6...done.
> Loaded symbols for /lib/libc.so.6
> Reading symbols from /lib/libcrypt.so.1...done.
> Loaded symbols for /lib/libcrypt.so.1
> Reading symbols from /lib/libresolv.so.2...done.
> Loaded symbols for /lib/libresolv.so.2
> Reading symbols from /lib/libdl.so.2...done.
> Loaded symbols for /lib/libdl.so.2
> Reading symbols from /lib/ld-linux.so.2...done.
> Loaded symbols for /lib/ld-linux.so.2
> Reading symbols from /lib/libnss_files.so.2...done.
> Loaded symbols for /lib/libnss_files.so.2
> Reading symbols from /lib/libnss_nisplus.so.2...done.
> Loaded symbols for /lib/libnss_nisplus.so.2
> Reading symbols from /lib/libnss_dns.so.2...done.
> Loaded symbols for /lib/libnss_dns.so.2
> #0  0x08065725 in Database (p=0xbffff360,
>     msg=0x80a7900 "Ethernet destination/ARP target address mismatch", 
> arg=0x810cd18, event=0xbffff300)
>     at spo_database.c:823
> 823                if(p->iph->ip_proto == IPPROTO_ICMP && p->icmph)
> (gdb)
> 
> 
> We can see that it has something to do with the database driver ( 
> spo_database.c ). The comment above that line is:
> 
> /* query = NewQueryNode(query, 0); */
> 
> Which kind of leads me to believe that I'm writing to NULL (or even 
> worse a stray pointer) here. In any case if someone who wants
> to help and _CAN_ help is interested, a shell to the machine is 
> available... Or if you're lazy just give me a clue to why this happens
> and I'll code it myself.
> 
> Greets and tnx for the (usually) kewl software,
>   - Dennis Fleurbaaij



-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: db.patch
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20011003/ced9e9e7/attachment.ksh>
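
The missing check described in the reply above, as an added example (not part of the original message and not the contents of db.patch): the unguarded test from line 823 of the backtrace next to a guarded layer-4 lookup. The structs, the L4Kind enum and l4_kind() are simplified, hypothetical stand-ins, not Snort's real definitions.

```c
#include <stddef.h>
#include <stdio.h>
#include <netinet/in.h>   /* IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP */

/* Simplified stand-ins (assumption, not Snort's real definitions). A header
 * pointer stays NULL when the decoder never reached that layer. */
typedef struct { unsigned char ip_proto; } IPHdr;
typedef struct { IPHdr *iph; void *icmph; void *tcph; void *udph; } Packet;

typedef enum { L4_NONE, L4_ICMP, L4_TCP, L4_UDP } L4Kind;

/* Pattern at the crash site: p->iph is followed without a check, so an
 * alert raised on a non-IP frame faults here. For comparison; never called. */
int is_icmp_unchecked(const Packet *p)
{
    return p->iph->ip_proto == IPPROTO_ICMP && p->icmph != NULL;
}

/* Guarded form: decide which layer-4 record to log, testing every pointer
 * before following it. L4_NONE means "log the event without layer-4 data". */
L4Kind l4_kind(const Packet *p)
{
    if (p == NULL || p->iph == NULL)
        return L4_NONE;                       /* ARP, or IP decode failed */
    switch (p->iph->ip_proto) {
    case IPPROTO_ICMP: return p->icmph ? L4_ICMP : L4_NONE;
    case IPPROTO_TCP:  return p->tcph  ? L4_TCP  : L4_NONE;
    case IPPROTO_UDP:  return p->udph  ? L4_UDP  : L4_NONE;
    default:           return L4_NONE;
    }
}

int main(void)
{
    /* Constructed inputs. */
    Packet arp = { NULL, NULL, NULL, NULL };  /* no IP header decoded */
    IPHdr ip = { IPPROTO_ICMP };
    int payload = 0;                          /* placeholder ICMP header */
    Packet ping = { &ip, &payload, NULL, NULL };
    Packet cut = { &ip, NULL, NULL, NULL };   /* IP says ICMP, header missing */

    printf("arp=%d ping=%d cut=%d\n", l4_kind(&arp), l4_kind(&ping), l4_kind(&cut));
    return 0;
}
```
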

