[Snort-devel] RE: Snort 1.9.1 fix for stream4 reassembly integer overflow

Dirk Geschke Dirk_Geschke at ...802...
Wed Apr 16 03:28:07 EDT 2003

Hi Dave,

> Just noticed Matt Callaway had a simpler fix for the 1.9.1 code base...
> not sure which is preferable.

I think the backport from snort-2.0.0 is the better solution.

Matt Callaway's patch simply discards packets which would result
in an overrun of sequence numbers due to the size of the payload. 
But within a TCP session this should be allowed, there is no
restriction forbidding an overrun in sequence numbers.

Indeed the isBetween function takes an overrun implicitly
into account.

Best regards

Dirk Geschke

| Dr. Dirk Geschke            | E-mail: geschke at ...802...      |
| Gesellschaft fuer Netzwerk  | Tel.  : +49-(0)-89-991950-131 |
| und Unix Administration mbH | Fax   : +49-(0)-89-991950-999 |
| 85551 Kirchheim / Germany   | Domagkstrasse 7               |

More information about the Snort-devel mailing list