[Snort-devel] Snort 1.8.3 SIGSEGV in spo_database.c

roman at ...49...
Sat Jan 12 08:30:05 EST 2002


Try this patch.

Roman

> 
> That is the same bug as I was discussing on snort-admin(?) before. Jed
> was going to come up with patches to commit, but I don't remember if he
> sent them over. Basically the problem is with referencing p, p->ip,
> p->tcp, etc. structures without validating them a priori. The ARP detection
> module will set p->ip and the rest to NULL (due to our convention),
> which breaks database plugins here. I could commit a trivial fix here
> though, if Jed and guys are all right that I touch the code which they
> maintain :-)
> 
> On Sat, Jan 12, 2002 at 12:22:03AM -0500, Martin Roesch wrote:
> > Hi Chris,
> >      Thanks for the detailed bug report.  Crashes in the DB code usually
> > go to the DB guys, Jed Pickel and Roman Danyliw.  They hang on this
> > list, so they should see this message.  Jed?  Roman?
> > 
> >      -Marty
> > 
> > Chris Keladis wrote:
> > > 
> > > Hi Marty,
> > > 
> > > Firstly, the system details:
> > > 
> > > CPU: Intel Pentium III (Coppermine)
> > > Red Hat Linux release 6.1 (Cartman)
> > > Linux ids2 2.2.12-20 #1 Mon Sep 27 10:40:35 EDT 1999 i686 unknown
> > > snort-1.8.3-5snort (RPM rebuilt from the Snort SRPM on the same machine)
> > > (Snort+MySQL)
> > > libpcap-0.6.2-9 (RPM rebuilt from libpcap SRPM on the same machine)
> > > 
> > > 'snort -V':
> > > 
> > > -*> Snort! <*-
> > > Version 1.8.3 (Build 88)
> > > By Martin Roesch (roesch at ...402..., www.snort.org)
> > > 
> > > Problem Description:
> > > 
> > > After running for a few minutes Snort dies with a SIGSEGV.
> > > 
> > > Running Snort from within GDB outputs:
> > > 
> > > Program received signal SIGSEGV, Segmentation fault.
> > > 0x805d76b in Database (p=0xbffff6c0,
> > >     msg=0x8088a00 "Ethernet source/ARP sender address mismatch",
> > >     arg=0x80d85b0, event=0xbffff674) at ../../spo_database.c:992
> > > 992                          p->iph->ip_proto, ntohs(p->iph->ip_csum));
> > > (gdb) where
> > > #0  0x805d76b in Database (p=0xbffff6c0,
> > >     msg=0x8088a00 "Ethernet source/ARP sender address mismatch",
> > >     arg=0x80d85b0, event=0xbffff674) at ../../spo_database.c:992
> > > #1  0x8055791 in CallAlertPlugins (p=0xbffff6c0,
> > >     message=0x8088a00 "Ethernet source/ARP sender address mismatch",
> > > args=0x0,
> > >     event=0xbffff674) at ../../rules.c:3632
> > > #2  0x8055727 in CallAlertFuncs (p=0xbffff6c0,
> > >     message=0x8088a00 "Ethernet source/ARP sender address mismatch",
> > > head=0x0,
> > >     event=0xbffff674) at ../../rules.c:3604
> > > #3  0x807680e in ARPspoofPreprocFunction (p=0xbffff6c0)
> > >     at ../../spp_arpspoof.c:262
> > > #4  0x80555f3 in Preprocess (p=0xbffff6c0) at ../../rules.c:3508
> > > #5  0x804ab1a in ProcessPacket (user=0x0, pkthdr=0xbffffb6c,
> > > pkt=0x80b4360 "")
> > >     at ../../snort.c:536
> > > #6  0x4002a9f6 in pcap_read_packet (handle=0x80b3ae0,
> > >     callback=0x804aa20 <ProcessPacket>, userdata=0x0) at
> > > ./pcap-linux.c:587
> > > #7  0x4002a7f0 in pcap_read (handle=0x80b3ae0, max_packets=-1,
> > >     callback=0x804aa20 <ProcessPacket>, user=0x0) at ./pcap-linux.c:358
> > > #8  0x4002ba0f in pcap_loop (p=0x80b3ae0, cnt=-1,
> > >     callback=0x804aa20 <ProcessPacket>, user=0x0) at ./pcap.c:79
> > > #9  0x804c083 in InterfaceThread (arg=0x0) at ../../snort.c:1663
> > > #10 0x804aa11 in main (argc=15, argv=0xbffffcd4) at ../../snort.c:469
> > > 
> > > Background:
> > > 
> > > A colleague is playing with Windows network load-balancing features on
> > > the network segment of the Snort sensor, and I notice it causes Snort to
> > > SIGSEGV every time an ARP is generated that has to do with their LB.
> > > 
> > > FYI - The traffic is mirrored to the Snort sensor from 2 x Cisco
> > > switches.
> > > 
> > > Arpwatch is also running on the IDS box and says in /var/log/messages
> > > (they coincide with Snort dying):
> > > 
> > > Jan 12 14:17:00 localhost arpwatch: ethernet mismatch xx.xx.xx.50
> > > 2:3:ac:10:63:32 (2:bf:ac:10:63:32)
> > > Jan 12 14:19:09 localhost arpwatch: ethernet mismatch xx.xx.xx.55
> > > 2:1:ac:10:63:32 (2:bf:ac:10:63:32)
> > > Jan 12 14:19:09 localhost arpwatch: ethernet mismatch xx.xx.xx.55
> > > 2:1:ac:10:63:32 (2:bf:ac:10:63:32)
> > > Jan 12 14:20:20 localhost arpwatch: ethernet mismatch xx.xx.xx.53
> > > 2:3:ac:10:63:32 (2:bf:ac:10:63:32)
> > > 
> > > And apparently this is what an "ethernet mismatch" is:
> > > 
> > > ethernet mismatch
> > >        The  source  mac  ethernet  address  didn't  match  the
> > >        address inside the arp packet.
> > > 
> > > Here's a tcpdump of a suspect ARP packet:
> > > 
> > > 14:24:35.169358 B arp who-has xx.xx.xx.55 tell xx.xx.xx.251
> > > 14:24:35.169483 P arp reply xx.xx.xx.55 (2:bf:ac:10:63:32) is-at
> > > 2:bf:ac:10:63:32 (0:d0:b7:a7:d4:da)
> > > 
> > > I don't know enough about Windows LB to comment on if what it's doing is
> > > a violation of protocol, or if my colleague misconfigured it; however,
> > > it did crash Snort.
> > > 
> > > It seems Snort (spp_arpspoof) picked up the mismatch but something
> > > caused it to SIGSEGV within spo_database (Database() - line 992).
> > > 
> > > I've been doing some poking about the packet structures and have my own
> > > thoughts on what the problem is, but I won't obscure this problem report
> > > with my guesses :)
> > > 
> > > If you need me to print out the values of the packet struct I can do it.
> > > The problem is easily reproducible.
> > > 
> > > Also - I connected to the anonymous CVS and co'ed the snort tree, but
> > > noticed I got build 88, as was in snort-daily.tar.gz. I thought the
> > > latest was build 90, where you fixed the "Sinbad crash"? Should I be
> > > connecting to another (anonymous) repository to get development builds?
> > > 
> > > I'd appreciate your thoughts & advice.
> > > 
> > > Regards,
> > > 
> > > Chris.
> > > 
> > > _______________________________________________
> > > Snort-devel mailing list
> > > Snort-devel at lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/snort-devel
> > 
> > --
> > Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
> > Sourcefire: Professional Snort Sensor and Management Console appliances
> > roesch at ...402... - http://www.sourcefire.com  
> > Snort: Open Source Network IDS - http://www.snort.org
> > 
> 
> -- 
> http://www.notlsd.net
> PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
> 
> 
> 



-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: spo_database.c.no_ip.patch
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20020112/e4b10981/attachment.ksh>
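Roman's actual fix is in the attached patch; what follows is an added illustration of the defect he describes, not the patch and not Snort's own code, with simplified Packet/IPHdr shapes assumed: the unconditional p->iph dereference from the backtrace beside a validated version that reports "no IP header" so an output plugin can store NULL for ARP alerts instead of reading through a NULL pointer.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins for Snort's Packet and IPHdr (assumed shapes, not the
 * real definitions). The decoder leaves iph NULL for non-IP frames such as ARP. */
typedef struct {
    uint8_t ip_proto;
    uint8_t ip_csum[2];          /* big-endian, as on the wire */
} IPHdr;
typedef struct {
    const IPHdr *iph;            /* NULL for ARP and other non-IP packets */
} Packet;

/* Constructed samples: one TCP/IP packet and one ARP packet with no IP header. */
static const IPHdr sample_ip_hdr = { 6, { 0x12, 0x34 } };
const Packet sample_ip_packet  = { &sample_ip_hdr };
const Packet sample_arp_packet = { NULL };

/* Vulnerable pattern from the backtrace: an unconditional p->iph dereference.
 * Handed the ARP packet this reads through a NULL pointer, i.e. the SIGSEGV. */
unsigned ip_proto_unchecked(const Packet *p) { return p->iph->ip_proto; }

/* Hardened accessors: validate the header pointer first and return -1 for
 * "no IP header" so the output plugin can store NULL instead of garbage. */
int ip_proto_checked(const Packet *p)
{
    return (p == NULL || p->iph == NULL) ? -1 : p->iph->ip_proto;
}
int ip_csum_checked(const Packet *p)
{
    if (p == NULL || p->iph == NULL)
        return -1;
    return (p->iph->ip_csum[0] << 8) | p->iph->ip_csum[1];   /* ntohs by hand */
}

/* Column fragment a DB output plugin would emit; NULLs when the header is absent. */
const char *ip_columns(const Packet *p)
{
    static char buf[32];
    if (ip_proto_checked(p) < 0)
        snprintf(buf, sizeof buf, "NULL, NULL");
    else
        snprintf(buf, sizeof buf, "%d, %d", ip_proto_checked(p), ip_csum_checked(p));
    return buf;
}
```

The same validation has to precede every p->tcph / p->udph / p->icmph use in the plugin as well, since those are NULL for ARP for the same reason.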