[Snort-devel] Snort 1.8.3 SIGSEGV in spo_database.c

Fyodor fygrave at ...1...
Sat Jan 12 03:36:04 EST 2002


That is the same bug as I was discussing on snort-admin(?) before. Jed
was going to come up with patches to commit, but I don't remember if he
sent them over. Basically the problem is with referencing p, p->ip,
p->tcp, etc. structures without validating them a priori. The ARP detection
module will set p->ip and the rest to NULL (due to our convention),
which breaks database plugins here. I could commit a trivial fix here
though, if Jed and guys are all right that I touch the code which they
maintain :-)

On Sat, Jan 12, 2002 at 12:22:03AM -0500, Martin Roesch wrote:
> Hi Chris,
>      Thanks for the detailed bug report.  Crashes in the DB code usually
> go to the DB guys, Jed Pickel and Roman Danyliw.  They hang on this
> list, so they should see this message.  Jed?  Roman?
> 
>      -Marty
> 
> Chris Keladis wrote:
> > 
> > Hi Marty,
> > 
> > Firstly, the system details:
> > 
> > CPU: Intel Pentium III (Coppermine)
> > Red Hat Linux release 6.1 (Cartman)
> > Linux ids2 2.2.12-20 #1 Mon Sep 27 10:40:35 EDT 1999 i686 unknown
> > snort-1.8.3-5snort (RPM rebuilt from the Snort SRPM on the same machine)
> > (Snort+MySQL)
> > libpcap-0.6.2-9 (RPM rebuilt from libpcap SRPM on the same machine)
> > 
> > 'snort -V':
> > 
> > -*> Snort! <*-
> > Version 1.8.3 (Build 88)
> > By Martin Roesch (roesch at ...402..., www.snort.org)
> > 
> > Problem Description:
> > 
> > After running for a few minutes Snort dies with a SIGSEGV.
> > 
> > Running Snort from within GDB outputs:
> > 
> > Program received signal SIGSEGV, Segmentation fault.
> > 0x805d76b in Database (p=0xbffff6c0,
> >     msg=0x8088a00 "Ethernet source/ARP sender address mismatch",
> >     arg=0x80d85b0, event=0xbffff674) at ../../spo_database.c:992
> > 992                          p->iph->ip_proto, ntohs(p->iph->ip_csum));
> > (gdb) where
> > #0  0x805d76b in Database (p=0xbffff6c0,
> >     msg=0x8088a00 "Ethernet source/ARP sender address mismatch",
> >     arg=0x80d85b0, event=0xbffff674) at ../../spo_database.c:992
> > #1  0x8055791 in CallAlertPlugins (p=0xbffff6c0,
> >     message=0x8088a00 "Ethernet source/ARP sender address mismatch",
> > args=0x0,
> >     event=0xbffff674) at ../../rules.c:3632
> > #2  0x8055727 in CallAlertFuncs (p=0xbffff6c0,
> >     message=0x8088a00 "Ethernet source/ARP sender address mismatch",
> > head=0x0,
> >     event=0xbffff674) at ../../rules.c:3604
> > #3  0x807680e in ARPspoofPreprocFunction (p=0xbffff6c0)
> >     at ../../spp_arpspoof.c:262
> > #4  0x80555f3 in Preprocess (p=0xbffff6c0) at ../../rules.c:3508
> > #5  0x804ab1a in ProcessPacket (user=0x0, pkthdr=0xbffffb6c,
> > pkt=0x80b4360 "")
> >     at ../../snort.c:536
> > #6  0x4002a9f6 in pcap_read_packet (handle=0x80b3ae0,
> >     callback=0x804aa20 <ProcessPacket>, userdata=0x0) at
> > ./pcap-linux.c:587
> > #7  0x4002a7f0 in pcap_read (handle=0x80b3ae0, max_packets=-1,
> >     callback=0x804aa20 <ProcessPacket>, user=0x0) at ./pcap-linux.c:358
> > #8  0x4002ba0f in pcap_loop (p=0x80b3ae0, cnt=-1,
> >     callback=0x804aa20 <ProcessPacket>, user=0x0) at ./pcap.c:79
> > #9  0x804c083 in InterfaceThread (arg=0x0) at ../../snort.c:1663
> > #10 0x804aa11 in main (argc=15, argv=0xbffffcd4) at ../../snort.c:469
> > 
> > Background:
> > 
> > A colleague is playing with Windows network load-balancing features on
> > the network segment of the Snort sensor, and I notice it causes Snort to
> > SIGSEGV every time an ARP is generated that has to do with their LB.
> > 
> > FYI - The traffic is mirrored to the Snort sensor from 2 x Cisco
> > switches.
> > 
> > Arpwatch is also running on the IDS box and says in /var/log/messages
> > (they coincide with Snort dying):
> > 
> > Jan 12 14:17:00 localhost arpwatch: ethernet mismatch xx.xx.xx.50
> > 2:3:ac:10:63:32 (2:bf:ac:10:63:32)
> > Jan 12 14:19:09 localhost arpwatch: ethernet mismatch xx.xx.xx.55
> > 2:1:ac:10:63:32 (2:bf:ac:10:63:32)
> > Jan 12 14:19:09 localhost arpwatch: ethernet mismatch xx.xx.xx.55
> > 2:1:ac:10:63:32 (2:bf:ac:10:63:32)
> > Jan 12 14:20:20 localhost arpwatch: ethernet mismatch xx.xx.xx.53
> > 2:3:ac:10:63:32 (2:bf:ac:10:63:32)
> > 
> > And apparently this is what an "ethernet mismatch" is:
> > 
> > ethernet mismatch
> >        The  source  mac  ethernet  address  didn't  match  the
> >        address inside the arp packet.
> > 
> > Here's a tcpdump of a suspect ARP packet:
> > 
> > 14:24:35.169358 B arp who-has xx.xx.xx.55 tell xx.xx.xx.251
> > 14:24:35.169483 P arp reply xx.xx.xx.55 (2:bf:ac:10:63:32) is-at
> > 2:bf:ac:10:63:32 (0:d0:b7:a7:d4:da)
> > 
> > I don't know enough about Windows LB to comment on if what it's doing is
> > a violation of protocol, or if my colleague misconfigured it, however
> > it did crash Snort.
> > 
> > It seems Snort (spp_arpspoof) picked up the mismatch but something
> > caused it to SIGSEGV within spo_database (Database() - line 992).
> > 
> > I've been doing some poking about the packet structures and have my own
> > thoughts on what the problem is, but I won't obscure this problem report
> > with my guesses :)
> > 
> > If you need me to print out the values of the packet struct I can do it.
> > The problem is easily reproducible.
> > 
> > Also - I connected to the anonymous CVS and co'ed the snort tree, but
> > noticed I got build 88, as was in snort-daily.tar.gz .. I thought the
> > latest was build 90 where you fixed the "Sinbad crash"? Should I be
> > connecting to another (anonymous) repository to get development builds?
> > 
> > I'd appreciate your thoughts & advice.
> > 
> > Regards,
> > 
> > Chris.
> > 
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> 
> --
> Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
> Sourcefire: Professional Snort Sensor and Management Console appliances
> roesch at ...402... - http://www.sourcefire.com  
> Snort: Open Source Network IDS - http://www.snort.org
> 

-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
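
The failure mode described above (the decoder leaving p->iph NULL for an ARP packet, and the database output plugin then dereferencing it while formatting an INSERT) is illustrated below as an added C example. This is not Snort's code and not a patch from anyone on this thread: the Packet and IPHdr structures, the field set and the function names are simplified stand-ins constructed for this illustration, and the "NULL, NULL" placeholder is one possible choice for representing a missing IP header in the output row.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Constructed, minimal stand-ins for a decoded-packet structure.
 * Hypothetical: not Snort's real Packet / IPHdr definitions. */
typedef struct {
    uint8_t  ip_proto;
    uint16_t ip_csum;   /* kept in network byte order, as read off the wire */
} IPHdr;

typedef struct {
    IPHdr *iph;         /* NULL when the decoder found no IP header (e.g. ARP) */
} Packet;

/* Unsafe pattern: the IP header pointer is dereferenced unconditionally.
 * On an ARP packet, where iph is NULL, this is a NULL-pointer read and a
 * crash of the whole sensor process. Only ever call it with a non-NULL iph. */
static int format_ip_unsafe(const Packet *p, char *buf, size_t len)
{
    return snprintf(buf, len, "%u, %u",
                    p->iph->ip_proto, ntohs(p->iph->ip_csum));
}

/* Hardened form: validate every pointer before use. A packet with no IP
 * header still yields a well-formed fragment for the output row, so the
 * alert is logged instead of taking the sensor down. Returns the number of
 * characters written, or -1 on invalid arguments. */
static int format_ip_safe(const Packet *p, char *buf, size_t len)
{
    if (p == NULL || buf == NULL || len == 0)
        return -1;
    if (p->iph == NULL)
        return snprintf(buf, len, "NULL, NULL");
    return snprintf(buf, len, "%u, %u",
                    p->iph->ip_proto, ntohs(p->iph->ip_csum));
}

/* Exercises both paths on constructed packets: one carrying an IP header,
 * one (ARP-like) without. Returns 1 when the hardened formatter behaves
 * as expected on all inputs, 0 otherwise. */
static int example_runs_ok(void)
{
    IPHdr  hdr = { .ip_proto = 6, .ip_csum = htons(0x1234) }; /* constructed */
    Packet ip_pkt  = { .iph = &hdr };
    Packet arp_pkt = { .iph = NULL };
    char   buf[64];

    /* ARP-like packet: must not crash, must produce the placeholder. */
    if (format_ip_safe(&arp_pkt, buf, sizeof buf) <= 0) return 0;
    if (strcmp(buf, "NULL, NULL") != 0)                 return 0;

    /* IP packet: hardened and unsafe formatters agree when iph is valid. */
    if (format_ip_safe(&ip_pkt, buf, sizeof buf) <= 0)  return 0;
    if (strcmp(buf, "6, 4660") != 0)                    return 0;
    char buf2[64];
    if (format_ip_unsafe(&ip_pkt, buf2, sizeof buf2) <= 0) return 0;
    if (strcmp(buf, buf2) != 0)                            return 0;

    /* Argument validation. */
    if (format_ip_safe(NULL, buf, sizeof buf) != -1)    return 0;
    return 1;
}

int main(void)
{
    char buf[64];
    Packet arp_pkt = { .iph = NULL };
    format_ip_safe(&arp_pkt, buf, sizeof buf);
    printf("ARP packet, hardened formatter: %s\n", buf);
    printf("self-check: %s\n", example_runs_ok() ? "ok" : "FAILED");
    return example_runs_ok() ? 0 : 1;
}
```

The point of the hardened version is that an output plugin cannot assume the decoder filled in every layer: a packet that triggered an alert from an ARP preprocessor has no IP or transport header, so each pointer must be checked at the point of use, and the plugin needs a deliberate representation for the absent fields rather than a dereference.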