[Snort-devel] Snort snort-1.8p1 segfaults on SubSlide in ubi_BinTree.c:389

Samartha snort-inbox at ...832...
Sat Sep 22 08:18:02 EDT 2001


It looks like the btree list pointers are out of whack: the
RootPtr and access ptr P are more than 1.2 G (1 G = 10**9) apart.

Pointer P always points to the same address at crash:

gdb snort core.0920
#0  0x80760f0 in SubSlide (P=0x518b085d, whichway=0) at ubi_BinTree.c:389
gdb snort core.0921
#0  0x80760f0 in SubSlide (P=0x518b085d, whichway=0) at ubi_BinTree.c:389
gdb snort core.0921a
#0  0x80760f0 in SubSlide (P=0x518b085d, whichway=0) at ubi_BinTree.c:389


I found it impossible to run in debug mode since a huge output
was created and the program can run 6 - 12 hours until it crashes.

Please advise.

Samartha

Snort segfaults on SubSlide in ubi_BinTree.c:389
Architecture: i386
OS: SuSE Linux 2.2.16
Rules used: what came with snort-1.8p1
plus added root.exe and a couple of resp: rst_all,icmp_all;
to rules in web-iis.rules
configured with --enable-flexresp
essential changes to snort.conf are:
var HTTP_SERVERS - set to [5 IPs]

preprocessor stream4: noalerts

It segfaults in a regular fashion:

-rw-------   1 root     root      6365184 Sep 20 23:47 core.0920
-rw-------   1 root     root      5365760 Sep 21 00:45 core.0921
-rw-------   1 root     root      5292032 Sep 21 02:00 core.0921a
-rw-------   1 root     root      6459392 Sep 21 15:41 core.0921b
-rw-------   1 root     root      5881856 Sep 21 21:44 core.0921c
-rw-------   1 root     root      5701632 Sep 22 00:10 core.0922
-rw-------   1 root     root      5767168 Sep 22 02:34 core.0922a
-rw-------   1 root     root      5210112 Sep 22 07:15 core.0922b



GDB output:

  > gdb snort core.0922
GNU gdb 4.18
...
This GDB was configured as "i386-suse-linux"...
Core was generated by `./snort -c snort.conf -p -i eth2 -d'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libz.so.1...done.
Reading symbols from /lib/libm.so.6...done.
Reading symbols from /lib/libnsl.so.1...done.
Reading symbols from /usr/lib/libmysqlclient.so.6...done.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/libcrypt.so.1...done.
Reading symbols from /lib/ld-linux.so.2...done.
Reading symbols from /lib/libnss_files.so.2...done.
#0  0x80760f0 in SubSlide (P=0x518b085d, whichway=0) at ubi_BinTree.c:389
389         while( NULL != P->Link[ whichway ] )
(gdb) bt
#0  0x80760f0 in SubSlide (P=0x518b085d, whichway=0) at ubi_BinTree.c:389
#1  0x8076142 in Neighbor (P=0x8077350, whichway=2) at ubi_BinTree.c:414
#2  0x8076554 in ubi_btNext (P=0x8077350) at ubi_BinTree.c:874
#3  0x8079d7b in PruneSessionCache (thetime=1001139033, mustdie=0) at spp_stream4.c:2288
#4  0x8078590 in ReassembleStream4 (p=0xbffff2a8) at spp_stream4.c:1152
#5  0x80563d7 in Preprocess (p=0xbffff2a8) at rules.c:3427
#6  0x804aa10 in ProcessPacket (user=0x0, pkthdr=0xbffff75c, pkt=0x80d4552 "") at snort.c:512
#7  0x807bcbf in pcap_read ()
#8  0x807c2fc in pcap_loop ()
#9  0x804c09b in InterfaceThread (arg=0x0) at snort.c:1441
#10 0x804a8e4 in main (argc=7, argv=0xbffff904) at snort.c:445
(gdb) p P
$1 = 0x518b085d
(gdb) p RootPtr
$2 = 0x809f044

That offset is 0x49811819, that is, 1,233,197,081.
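
Where a full debug build is impractical, a cheap link-sanity walk run before each traversal can report the node holding a bad link instead of crashing on it. This is an added example, not part of the original post and not Snort's code: the `node` type, the fixed node pool and the LEFT/PARENT/RIGHT numbering are assumptions, and the planted value is the `P` from the trace above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { LEFT = 0, PARENT = 1, RIGHT = 2 };  /* assumed; fits whichway=0 and 2 in the trace */

typedef struct node {              /* simplified stand-in, not Snort's node type */
    struct node *Link[3];
} node;

/* Judge a link without dereferencing it: it must hit a slot of the node pool exactly. */
static int plausible(const node *p, const node *pool, size_t n)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)pool, hi = (uintptr_t)(pool + n);
    return a >= lo && a < hi && (a - lo) % sizeof(node) == 0;
}

/* Return the node that holds the first bad child link, or NULL if the tree is sound. */
static const node *first_bad(const node *p, const node *pool, size_t n, size_t depth)
{
    if (p == NULL) return NULL;
    if (depth > n) return p;                       /* deeper than the pool: a cycle */
    for (int w = LEFT; w <= RIGHT; w += 2) {       /* LEFT, then RIGHT */
        const node *c = p->Link[w];
        if (c == NULL) continue;
        if (!plausible(c, pool, n) || c->Link[PARENT] != p) return p;
        const node *bad = first_bad(c, pool, n, depth + 1);
        if (bad != NULL) return bad;
    }
    return NULL;
}

/* Constructed sample: 4-node tree; optionally plant the P value from the trace. */
static int demo(int corrupt)
{
    node pool[4] = {{{NULL, NULL, NULL}}};
    pool[0].Link[LEFT] = &pool[1];  pool[1].Link[PARENT] = &pool[0];
    pool[0].Link[RIGHT] = &pool[2]; pool[2].Link[PARENT] = &pool[0];
    pool[2].Link[LEFT] = &pool[3];  pool[3].Link[PARENT] = &pool[2];
    if (corrupt) pool[2].Link[RIGHT] = (node *)(uintptr_t)0x518b085d;
    const node *bad = first_bad(&pool[0], pool, 4, 0);
    return bad ? (int)(bad - pool) : -1;           /* pool index of the offender, or -1 */
}

int main(void)
{
    printf("clean: %d, corrupted: %d\n", demo(0), demo(1));
    return 0;
}
```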
