[Snort-devel] [ snort-Bugs-535883 ] Snort crashes in ConvertRPC

noreply at ...12... noreply at ...12...
Wed Mar 27 21:33:05 EST 2002

Bugs item #535883, was opened at 2002-03-27 15:06
You can respond by visiting: 

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Eric Jacobsen (bitstream01)
Assigned to: Nobody/Anonymous (nobody)
Summary: Snort crashes in ConvertRPC

Initial Comment:

I accidentally sent this other day to the devel-
list without a subject.  This can be used to crash
an IDS, so the sooner we get a fix, the better.

I had a series of crashes last night in ConvertRPC 
that seem related to some bad assumptions about RPC 
packet length. 

This is snort 1.8.4 build 99 on Solaris 2.8.  Here's 
the stack trace: 

Current function is ConvertRPC 
277       } 
(dbx) where 
=>[1] ConvertRPC(data = 0xc37b4 "", size = 20U), line 
277 in 
[2] PreprocRpcDecode(p = 0xffbef760), line 199 
in "spp_rpc_decode.c" 
[3] Preprocess(p = 0xffbef760), line 3539 in "rules.c" 
[4] ProcessPacket(user = (nil), pkthdr = 0xb4400, pkt 
= 0xc3772 ""), line 
in "snort.c" 
[5] pcap_read(0xc24c0, 0xffffffff, 0x1c16c, 0x0, 
0xffbefd48, 0x7b985d), at 
[6] pcap_loop(0xc24c0, 0xffffffff, 0x1c16c, 0x0, 
0xb5290, 0xffbefd48), at 
[7] InterfaceThread(arg = 0xb45ec), line 1681 
in "snort.c" 
[8] main(argc = 738796, argv = 0xffbefe5c), line 478 
in "snort.c" 

and a variable dump: 

index = 0xc37c7 "\x" 
end = 0xc37c8 "\x" 
total_len = 15 
data = 0xc37b4 "" 
length = 0 
rpc = 0xc37c7 "\x" 
size = 20U 

and finally the relevant chunk of memory: 

0x000c37b4:      0x0000000f 0x7dbffd9d 0xa6a94099 
0x000c37c4:      0x020a3098 

The bug manifests itself as: 

program terminated by signal BUS (invalid address 
Current function is ConvertRPC 

277       } 

My analysis of this bug is that ConvertRPC expects 
that length will be a multiple of 4 bytes, and gets 
into trouble when the } on 277 return it to the cast 
on line 257: 

       hdrptr = (int *) index; 

At this point in the code for the packet data shown 
above, the index pointer is at 0xc37c7 and is not 
aligned when cast to a 32bit integer.  By the way, 
I noted a few locations in this function where 
uint_32t is used synonymously with int (such as this 
line), which you might also want to patch. 

I am not sure I fully understand the point of this 
function, as it also seems to me that the assignment 
operation on line 276 is meaningless: 

               *rpc = *index; 

since rpc and index point to the same thing. 

Anyway, I hit this in the wild a few times yesterday 
and it seems that anyone with the ability to generate 
arbitrary RPC packets can crash snort, so you might 
want to fix this.  I would propose my own fix, but I 
don't know RPC or snort well enough to know what the 
right thing to do is. 



You can respond by visiting: 

More information about the Snort-devel mailing list