[Snort-devel] (no subject)

Bit Stream bitstream01 at ...445...
Tue Mar 26 08:31:02 EST 2002


I apologize if this is known.  I've looked at the mailing list, forums, bug 
database, and CVS tree, and I don't see a fix anywhere.  That seemed pretty 
thorough, so I'm guessing this is new.

I had a series of crashes last night in ConvertRPC that seem related to some 
bad assumptions about RPC packet length.

This is snort 1.8.4 build 99 on Solaris 2.8.  Here's the stack trace:

Current function is ConvertRPC
  277       }
(dbx) where
=>[1] ConvertRPC(data = 0xc37b4 "", size = 20U), line 277 in "spp_rpc_decode.c"
  [2] PreprocRpcDecode(p = 0xffbef760), line 199 in "spp_rpc_decode.c"
  [3] Preprocess(p = 0xffbef760), line 3539 in "rules.c"
  [4] ProcessPacket(user = (nil), pkthdr = 0xb4400, pkt = 0xc3772 ""), line 548 in "snort.c"
  [5] pcap_read(0xc24c0, 0xffffffff, 0x1c16c, 0x0, 0xffbefd48, 0x7b985d), at 0x51f80
  [6] pcap_loop(0xc24c0, 0xffffffff, 0x1c16c, 0x0, 0xb5290, 0xffbefd48), at 0x52bb4
  [7] InterfaceThread(arg = 0xb45ec), line 1681 in "snort.c"
  [8] main(argc = 738796, argv = 0xffbefe5c), line 478 in "snort.c"

and a variable dump:

index = 0xc37c7 "\x"
end = 0xc37c8 "\x"
total_len = 15
data = 0xc37b4 ""
length = 0
rpc = 0xc37c7 "\x"
size = 20U

and finally the relevant chunk of memory:

0x000c37b4:      0x0000000f 0x7dbffd9d 0xa6a94099 0x923307fc
0x000c37c4:      0x020a3098

The bug manifests itself as:

program terminated by signal BUS (invalid address alignment)
Current function is ConvertRPC
  277       }

My analysis of this bug is that ConvertRPC expects that length will be a 
multiple of 4 bytes, and gets into trouble when the } on 277 returns it to 
the cast on line 257:

        hdrptr = (int *) index;

At this point in the code for the packet data shown above, the index pointer 
is at 0xc37c7 and is not aligned when cast to a 32bit integer.  By the way, 
I noted a few locations in this function where uint_32t is used synonymously 
with int (such as this line), which you might also want to patch.

I am not sure I fully understand the point of this function, as it also 
seems to me that the assignment operation on line 276 is meaningless:

                *rpc = *index;

since rpc and index point to the same thing.

Anyway, I hit this in the wild a few times yesterday and it seems that 
anyone with the ability to generate arbitrary RPC packets can crash snort, 
so you might want to fix this.  I would propose my own fix, but I don't know 
RPC or snort well enough to know what the right thing to do is.

Eric
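The alignment and length problem described in the report, as an added example that is not part of the original post or of Snort's spp_rpc_decode.c: the header word is assembled byte by byte instead of being read through an `(int *)` cast at whatever offset the walker has reached, and every fragment header is preceded by a "4 bytes remain" check and followed by a "claimed payload fits" check. The fragment format (bit 31 = last fragment, low 31 bits = length) is RPC record marking as in RFC 1831; the `crash_packet` bytes are the 20 bytes from the memory dump above, written out in the big-endian order dbx showed them, and the other two packets are constructed for the example. Function and constant names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes for the fragment walker. */
enum rpc_walk_result {
    RPC_OK = 0,           /* every fragment header and payload fits in the buffer */
    RPC_SHORT_HEADER = 1, /* fewer than 4 bytes left where a header should start */
    RPC_BAD_LENGTH = 2    /* a header claims more payload than the buffer holds */
};

/* Alignment-safe big-endian 32-bit read.  The value is assembled from the
 * individual bytes instead of doing "*(int *)p", so it is valid at any
 * offset and cannot raise SIGBUS on strict-alignment CPUs such as SPARC. */
uint32_t rpc_read_u32be(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk RPC record-marking fragments in data[0..size).  Each fragment starts
 * with a 4-byte header: bit 31 = last-fragment flag, bits 0..30 = payload
 * length (RFC 1831 record marking).  Before every header read the walker
 * checks that 4 bytes remain, and after it that the claimed payload fits, so
 * a packet whose length is not a multiple of 4 (or that lies about its
 * fragment length) is rejected instead of being dereferenced past the end.
 * If nfrags is non-NULL it receives the number of complete fragments seen. */
int rpc_walk_fragments(const unsigned char *data, size_t size, size_t *nfrags)
{
    size_t off = 0, count = 0;
    int rc = RPC_OK;

    while (off < size) {
        if (size - off < 4) { rc = RPC_SHORT_HEADER; break; }
        uint32_t hdr = rpc_read_u32be(data + off);
        uint32_t len = hdr & 0x7fffffffu;
        int last = (hdr & 0x80000000u) != 0;
        off += 4;
        if (len > size - off) { rc = RPC_BAD_LENGTH; break; }
        off += len;
        count++;
        if (last) break;
    }
    if (nfrags) *nfrags = count;
    return rc;
}

/* Sample taken from the memory dump in the post: 20 bytes in big-endian byte
 * order as dbx displayed them on SPARC.  The first word 0x0000000f is a
 * non-final fragment header claiming 15 payload bytes, which leaves exactly
 * one trailing byte at offset 19 (the unaligned address the cast hit). */
const unsigned char crash_packet[20] = {
    0x00, 0x00, 0x00, 0x0f, 0x7d, 0xbf, 0xfd, 0x9d,
    0xa6, 0xa9, 0x40, 0x99, 0x92, 0x33, 0x07, 0xfc,
    0x02, 0x0a, 0x30, 0x98
};

/* Constructed well-formed record: one last fragment with a 4-byte payload. */
const unsigned char good_packet[8] = {
    0x80, 0x00, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef
};

/* Constructed lying record: header claims 255 bytes, buffer holds none. */
const unsigned char lying_packet[4] = { 0x80, 0x00, 0x00, 0xff };

int main(void)
{
    size_t n;
    int rc = rpc_walk_fragments(crash_packet, sizeof crash_packet, &n);
    printf("crash_packet: rc=%d fragments=%zu\n", rc, n);
    rc = rpc_walk_fragments(good_packet, sizeof good_packet, &n);
    printf("good_packet:  rc=%d fragments=%zu\n", rc, n);
    rc = rpc_walk_fragments(lying_packet, sizeof lying_packet, &n);
    printf("lying_packet: rc=%d fragments=%zu\n", rc, n);
    return 0;
}
```

On the dump from the post the walker consumes the 15-byte fragment, finds one byte left over, and returns RPC_SHORT_HEADER rather than reading a header at offset 19. The byte-assembly read also removes the dependency on the host's alignment rules, so the same check behaves identically on x86 and SPARC.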
