[Snort-devel] linux/sparc BUS ERROR [more info] - OK. on RH6.2

Martin Roesch roesch at ...402...
Tue Jan 22 14:02:07 EST 2002


That's the pointer alignment problem we've been seeing with Snort on
RedHat/Sparc for a while.  Recommendations:

1) use a different OS

2) use different hardware

3) send me a sparc with redhat on it so I can debug the problem


I'm going to see if I can recreate the problem on Solaris/Sparc, but if
I can't then there's not a whole lot I can do.

     -Marty


"Ricardo A. Gorosito" wrote:
> 
> BAD NEWS: new BUS ERROR with ICMPs >1473 bytes long (ping -s 1473
> host_ip)
> snort -v works fine,
> now, the flags with problems are:
> -u snort -g snort -d -b -i eth0 -l /var/log/snort -c
> /etc/snort/snort.conf -L snort-1.log
> /etc/snort/snort.conf is the default (with default rules)
> /var/log/snort is a directory owned by user snort group snort
> 
> Program received signal SIGBUS, Bus error.
> DecodeIP (pkt=0x109586 "E", len=1501, p=0xefffec68) at decode.c:1194
> 1194        if(p->iph->ip_ver != 4)
> (gdb) bt
> #0  DecodeIP (pkt=0x109586 "E", len=1501, p=0xefffec68) at
> decode.c:1194
> #1  0x1873c in DecodeEthPkt (p=0xefffec68, pkthdr=0x109560,
> pkt=0x109578 "")
>     at decode.c:85
> #2  0x10a88 in ProcessPacket (user=0x0, pkthdr=0xda800, pkt=0x109578
> "")
>     at snort.c:486
> #3  0x48348 in RebuildFrag (ft=0x4e8e08, p=0xe) at spp_frag2.c:751
> #4  0x47c74 in Frag2Defrag (p=0xeffff278) at spp_frag2.c:473
> #5  0x1e2b8 in Preprocess (p=0xeffff278) at rules.c:3508
> #6  0x10bac in ProcessPacket (user=0x0, pkthdr=0xda800, pkt=0x102b9a
> "")
>     at snort.c:536
> #7  0x492fc in pcap_read ()
> #8  0x49c5c in pcap_loop ()
> #9  0x12518 in InterfaceThread (arg=0xdab9c) at snort.c:1663
> #10 0x10a4c in main (argc=0, argv=0xeffffa84) at snort.c:469
> (gdb) info registers
> g0             0x0      0
> g1             0xefffec68       -268440472
> g2             0x0      0
> g3             0x0      0
> g4             0x18608  99848
> g5             0xbabbbcbd       -1162101571
> g6             0x0      0
> g7             0xbabb0000       -1162149888
> o0             0x0      0
> o1             0x4e8e80 5148288
> o2             0xb98    2968
> o3             0x100000 1048576
> o4             0x4e8e98 5148312
> o5             0xd57d8  874456
> sp             0xefffeb38       -268440776
> o7             0x41e2c  269868
> l0             0x4e8e50 5148240
> l1             0x0      0
> l2             0x14bf0000       348061696
> l3             0xeffff8b9       -268437319
> l4             0x2      2
> l5             0xd57b0  874416
> l6             0x0      0
> l7             0xd6494  877716
> i0             0x109586 1086854
> i1             0x5dd    1501
> i2             0xefffec68       -268440472
> i3             0xda800  894976
> i4             0x5eb    1515
> i5             0x72ebc  470716
> fp             0xefffeba0       -268440672
> i7             0x18734  100148
> y              0x5c800000       1551892480
> psr            0xff000085       -16777083       icc:----, pil:0, s:1,
> ps:0, et:0, cwp:5
> wim            0x0      0
> tbr            0x0      0
> pc             0x18fb8  102328
> npc            0x18fbc  102332
> fpsr           0x0      0       rd:N, tem:0, ns:0, ver:0, ftt:0,
> qne:0, fcc:=, aexc:0, cexc:0
> cpsr           0x0      0
> (gdb) print &p->iph->ip_src
> $1 = (struct in_addr *) 0x109592
> (gdb)
> 
> "Ricardo A. Gorosito" wrote:
> 
> > On RedHat 6.2 with ALL updates, snort -v runs OK!!!
> > RH6.2 uses egcs-1.1.2 (same cc Aurora uses for kernel).
> > In Slackware, with egcs 1.1.2, snort -v dies with BUS ERROR.
> > Now: How can I test if it's a cc, glibc, or snort problem?
> >
> > RH6.2 (glibc-2.1.3, kernel-2.2.19) cc: egcs-1.1.2
> > Aurora (glibc-2.2.4, kernel-2.4.17) cc: gcc-2.96-RH-102,
> > gcc-3.0.[1/2/3], gcc-3.1(snapshot)
> > Slackware (glibc-2.2.3, kernel-2.2.20pre2) cc: egcs-1.1.2,
> > gcc-2.95.3
> >
> > Thanks, Ricardo.
> >
> > --
> > Ricardo Ariel Gorosito - rgorosito at ...1077...
> >  Administración Federal de Ingresos Públicos
> >       Departamento Seguridad Informática
> >
> >
> 
> --
> Ricardo Ariel Gorosito - rgorosito at ...1077...
>  Administración Federal de Ingresos Públicos
>       Departamento Seguridad Informática
> 
> 

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...402... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
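
In the backtrace above, frame #1 receives pkt=0x109578 (4-byte aligned) and DecodeIP receives pkt=0x109586, which is 14 bytes of Ethernet header further on and therefore 2 bytes off a 4-byte boundary. The following is an added example, not Snort code and not from this thread, of a decoder that reads the IPv4 fields with byte loads only; `ip_misalignment`, `decode_ip_safe`, `struct ip_fields` and `sample_frame` are hypothetical names and the frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN 14u                 /* Ethernet II: 6 + 6 + 2 bytes */

/* Hypothetical holder for decoded IPv4 fields (host byte order). */
struct ip_fields { uint8_t ver, hlen; uint16_t total_len; uint32_t src, dst; };

/* Constructed sample: zeroed MACs, EtherType 0x0800, IPv4/ICMP header with
 * total length 1501 (as in the report), 192.0.2.1 -> 192.0.2.2, checksum unset. */
const uint8_t sample_frame[34] = {
    0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00,
    0x45,0x00,0x05,0xdd, 0x00,0x00,0x00,0x00, 0x40,0x01,0x00,0x00,
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02 };

/* How far the IP header of a frame stored at frame_addr is from a 4-byte boundary. */
unsigned ip_misalignment(uintptr_t frame_addr)
{
    return (unsigned)((frame_addr + ETH_HDR_LEN) & 3u);
}

/* Big-endian loads assembled from single bytes: valid at any address. */
static uint16_t load_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode the IPv4 header behind the Ethernet header without casting the packet
 * pointer to a struct. Returns 0 on success, -1 if too short or not IPv4. */
int decode_ip_safe(const uint8_t *frame, size_t len, struct ip_fields *out)
{
    if (len < ETH_HDR_LEN + 20u) return -1;
    const uint8_t *ip = frame + ETH_HDR_LEN;
    out->ver  = ip[0] >> 4;
    out->hlen = ip[0] & 0x0f;
    if (out->ver != 4 || out->hlen < 5) return -1;
    out->total_len = load_be16(ip + 2);
    out->src = load_be32(ip + 12);
    out->dst = load_be32(ip + 16);
    return 0;
}

int main(void)
{
    struct ip_fields f;
    printf("misaligned by %u\n", ip_misalignment(0x109578)); /* frame #1 pkt */
    return decode_ip_safe(sample_frame, sizeof sample_frame, &f);
}
```

Storing the frame 2 bytes into a word-aligned buffer is the other common approach: `ip_misalignment(0x109578 + 2)` is 0, so the IP header then starts on a 4-byte boundary.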



