[Snort-devel] SpoAlertUnixSock

Fyodor fygrave at ...1...
Wed Sep 5 12:12:09 EDT 2001


On Wed, Sep 05, 2001 at 12:57:20PM +0200, Dirk Geschke wrote:
> Hi,
> 
> I looked at the source code to analyze a segmentation fault with
> alerts via unix sockets. There seems to be a problem in the subroutine
> SpoAlertUnixSock.
> 
> First it is checked if p is a valid packet (no NULL pointer).
> 
> If not, there is an assignment
>    
>       alertpkt.val|=NOPACKET_STRUCT
> 
> Up to here it is not really a problem, but then
> 
>     /* some data which will help monitoring utility to dissect packet */
>     if(!(alertpkt.val & NOPACKET_STRUCT) || !p->iph) 
> 
> If p is a NULL pointer, the first statement will return a false and the
> second is checked. But dereferencing a NULL pointer with p->iph will
> result in a segmentation fault.
> 
> I think a better way would be to change the 'if' statement to
> 
>   if (p && p->iph) { ...
> 

yup.. a bit brain-damaged code indeed. :) Fixed. :-p

> BTW: I think an extension of the struct Alertpkt by the Event structure
> would be a nice idea. This way the event could be part of the alertpkt
> and be written to the socket too. This gives the ability to check things
> like the priority within the socket server.
> 

Yup. Committed. :) Just haven't seen many people using unix socket
feature until recent times, so the code hasn't been maintained much :)
-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
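
Added example (not part of the original thread and not Snort's own code): the guard suggested in the post, in a self-contained C sketch that handles a NULL packet, a non-IP packet and an IP packet. The Packet, IPHdr and Alertpkt structs are simplified stand-ins; the nethdr field, the fill_alertpkt function and the value of NOPACKET_STRUCT are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define NOPACKET_STRUCT 0x1u  /* flag name from the post; value constructed here */

/* Simplified stand-ins for illustration, not Snort's real definitions. */
typedef struct { unsigned char ver_ihl; } IPHdr;
typedef struct {
    const unsigned char *pkt;  /* start of the captured frame */
    const IPHdr *iph;          /* NULL when the frame is not IP */
} Packet;
typedef struct {
    unsigned int val;          /* status flags */
    unsigned int nethdr;       /* hypothetical: offset of the IP header */
} Alertpkt;

/* Returns 1 if dissection hints were written, 0 if they were skipped. */
int fill_alertpkt(Alertpkt *alertpkt, const Packet *p)
{
    memset(alertpkt, 0, sizeof(*alertpkt));
    if (p == NULL)
        alertpkt->val |= NOPACKET_STRUCT;

    /* Original: if(!(alertpkt.val & NOPACKET_STRUCT) || !p->iph)
     * With p == NULL the left operand is false, so || evaluates p->iph.
     * Testing the pointer first lets && stop before the dereference. */
    if (p && p->iph) {
        alertpkt->nethdr = (unsigned int)((const unsigned char *)p->iph - p->pkt);
        return 1;
    }
    return 0;
}

int main(void)
{
    unsigned char frame[64] = {0};  /* constructed sample frame */
    Packet ip = { frame, (const IPHdr *)(frame + 14) };
    Packet non_ip = { frame, NULL };
    Alertpkt a;
    int wrote;

    wrote = fill_alertpkt(&a, NULL);
    printf("NULL packet: wrote=%d val=%#x\n", wrote, a.val);
    wrote = fill_alertpkt(&a, &non_ip);
    printf("non-IP:      wrote=%d val=%#x\n", wrote, a.val);
    wrote = fill_alertpkt(&a, &ip);
    printf("IP packet:   wrote=%d nethdr=%u\n", wrote, a.nethdr);
    return 0;
}
```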



