[Snort-devel] SpoAlertUnixSock

Dirk Geschke Dirk_Geschke at ...802...
Wed Sep 5 03:58:06 EDT 2001


I looked at the source code to anlalyze a segmentation fault with
alerts via unix sockets. There seems to be a problem in the subroutine

First it is checked if p is a valid packet (no NULL pointer).

If not, there is an assignment

Up to here it is not really a problem, but then

    /* some data which will help monitoring utility to dissect packet */
    if(!(alertpkt.val & NOPACKET_STRUCT) || !p->iph) 

If p is a NULL pointer, the fist statement will return a false and the
second is checked. But dereferencing a NULL pointer with p->iph will
result in a segmentation fault.

I think a better way would be to change the 'if' statement to

  if (p && p->iph) { ...

BTW: I think an extension of the struct Alerpkt by the Event structure
would be a nice idea. This way the event could be part of the alerpkt
and be written to the socket too. This gives the ability to check things
like the priority within the socket server.


Dirk Geschke
| Dr. Dirk Geschke            | E-mail: geschke at ...802...     |
| Gesellschaft fuer Netzwerk  | Tel.  : +49-(0)-89-991950-31 |
| und Unix Administration mbH | Fax   : +49-(0)-89-991950-99 |
| 85551 Kirchheim / Germany   | Raeter Stra/3e 26            |

More information about the Snort-devel mailing list