[Snort-devel] bug

Roman Danyliw roman at ...49...
Mon Aug 12 11:14:05 EDT 2002


Jonathan,

If you still have that core file lying around, please:

(gdb) up
(gdb) print p->dsize

I agree with your observation that it must be an unchecked buffer, probably in
fasthex(), but I was unable to locate it.  I know this problem is intermittent,
but capturing a sample packet would be really helpful.  I don't know if this
machine is in production, so let's not fool with it.  However, could you
configure another instance of snort to monitor the same interface, with an
identical pre-processor configuration, but take out all the rules other than
"MISC Large UDP packet"?  Likewise, make this test instance of Snort log to
tcpdump.  When you have something, please send it to me.

I missed it: what version of snort are you using?

Roman

On Thu, 25 Jul 2002 18:06:30 -0500 (CDT), Jonathan <rakocy at ...1503...> wrote :

> There seems to be an unchecked buffer in spo_database.c or plugbase.c.  I
> can not reproduce the error but it has been happening frequently.  I do
> have a core file available.  Gdb says there is a seg fault.  Currently we
> are going to give a shot at checking the calloc call and not inserting the
> payload into the db if it's too big. Hopefully this will help. 
>   
> Thanks,
> 
> ~Jonathan Rakocy
> Computer Systems Lab
> UW Madison C.S.
> 
> There is absolutely no warranty for GDB.  Type "show warranty" for
> details.
> This GDB was configured as "i386-unknown-openbsd3.1"...
> Core was generated by `snort'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /usr/libexec/ld.so...done.
> Reading symbols from /usr/lib/libpcap.so.1.2...done.
> Reading symbols from /usr/lib/libm.so.0.1...done.
> Reading symbols from /usr/local/lib/libpq.so.2.1...done.
> Reading symbols from /usr/lib/libc.so.28.3...done.
> Reading symbols from /usr/lib/libssl.so.5.1...done.
> Reading symbols from /usr/lib/libcrypto.so.5.1...done.
> #0  0x168ad in fasthex (
>     xdata=0x9302a "\021233.2.171.1:56464\025lab at ...1504...\016128.105.162.21\005Linux\0162.4.18-csl2smp\004i386\0051.4.0\034beacon at ...1505...\r1027634188446\005128.0\0032.2\0040.02\0030.0\0030.0\035beacon at ...1506...\r1027634188519\00461"...,
>     length=6871) at plugbase.c:1237
> 1237            *ridx++ = conv[((*index & 0xFF)>>4)];
> 
> What we were able to find is that a very large UDP packet
> (multicasting) got shredded in an attempt to put it in the database. 
> 
> here is the backtrace:
> (gdb) bt
> #0  0x168ad in fasthex (
>     xdata=0x9302a "\021233.2.171.1:56464\025lab at ...1504...\016128.105.162.21\005Linux\0162.4.18-csl2smp\004i386\0051.4.0\034beacon at ...1505...\r1027634188446\005128.0\0032.2\0040.02\0030.0\0030.0\035beacon at ...1506...\r1027634188519\00461"...,
>     length=6871) at plugbase.c:1237
> #1  0x20b53 in Database (p=0xdfbfcc58, msg=0x62c4a0 "MISC Large UDP Packet", 
>     arg=0x83500, event=0x635824) at spo_database.c:1090
> #2  0x13a89 in CallLogFuncs (p=0xdfbfcc58, 
>     message=0x62c4a0 "MISC Large UDP Packet", head=0x62f98, event=0x635824)
>     at rules.c:3596
> #3  0x14e4e in AlertAction (p=0xdfbfcc58, otn=0x635000, event=0x635824)
>     at rules.c:5083
> #4  0x13f4b in EvalHeader (rtn_idx=0xb6e00, p=0xdfbfcc58) at rules.c:3917
> #5  0x13e0c in EvalPacket (List=0x62f98, mode=2, p=0xdfbfcc58) at rules.c:3815
> #6  0x13c5e in Detect (p=0xdfbfcc58) at rules.c:3708
> #7  0x139ff in Preprocess (p=0xdfbfcc58) at rules.c:3551
> #8  0x2209 in ProcessPacket (user=0x0, pkthdr=0x78b30, pkt=0x93000 "")
>     at snort.c:548
> #9  0x4220f in RebuildFrag (ft=0x3fec4900, p=0xdfbfd1b8) at spp_frag2.c:770
> #10 0x41b18 in Frag2Defrag (p=0xdfbfd1b8) at spp_frag2.c:494
> #11 0x139e3 in Preprocess (p=0xdfbfd1b8) at rules.c:3545
> #12 0x2209 in ProcessPacket (user=0x0, pkthdr=0x89cdc, pkt=0x89cee "")
>     at snort.c:548
> #13 0x40067155 in pcap_read ()
> #14 0x40067767 in pcap_loop ()
> #15 0x50ce in InterfaceThread (arg=0x0) at snort.c:1681
> #16 0x20f1 in main (argc=9, argv=0xdfbfd750) at snort.c:478
> (gdb) 
> 
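
Added example, not Snort's code and not from either poster: a hex encoder with the same two-nibble conversion seen at plugbase.c:1237 in the backtrace, plus the checks discussed in the thread (compare the requested length with the bytes actually captured, skip oversized payloads, check the calloc result). The names checked_hex and MAX_HEX_PAYLOAD, the captured parameter and the cap value are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on payload bytes accepted for hex-encoding into the DB. */
#define MAX_HEX_PAYLOAD 65535u

/*
 * Hex-encode `claimed` bytes of `data`; `captured` is the number of bytes
 * really present in the buffer. Returns a NUL-terminated heap string, or
 * NULL when the request is inconsistent, over the cap, or allocation fails.
 */
char *checked_hex(const unsigned char *data, size_t claimed, size_t captured)
{
    static const char conv[] = "0123456789ABCDEF";
    char *out, *ridx;
    size_t i;

    if (data == NULL || claimed == 0)
        return NULL;
    if (claimed > captured)         /* length field exceeds the buffer */
        return NULL;
    if (claimed > MAX_HEX_PAYLOAD)  /* too big: skip instead of storing */
        return NULL;

    out = calloc(claimed * 2 + 1, 1);  /* cannot wrap: claimed <= cap */
    if (out == NULL)
        return NULL;

    ridx = out;
    for (i = 0; i < claimed; i++) {
        *ridx++ = conv[(data[i] & 0xFF) >> 4];
        *ridx++ = conv[data[i] & 0x0F];
    }
    return out;  /* caller frees */
}

int main(void)
{
    const unsigned char pkt[] = { 0x11, 0x32, 0x33, 0xFF }; /* constructed sample */
    char *hex = checked_hex(pkt, sizeof pkt, sizeof pkt);

    if (hex != NULL) {
        puts(hex);
        free(hex);
    }
    /* A claimed length of 6871 against 4 captured bytes is refused. */
    puts(checked_hex(pkt, 6871, sizeof pkt) ? "encoded" : "refused");
    return 0;
}
```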



