[Snort-devel] Snort 2.0.6 is available!

Daniel J. Roelker droelker at ...402...
Fri Dec 19 07:23:01 EST 2003

On Thu, 2003-12-18 at 15:12, Andrew Rucker Jones wrote:
> 	I'm interested in the diff between versions and of
> spp_stream4.c, beginning line 4003 in the old version. You say that line
> causes an off-by-one error. That's interesting, because when i was
> testing for my patch for 2.0.5, the debugging messages made it clear
> that not including that line was causing an off-by-one error in the
> other direction. Stream4 kept expecting one more byte at the end of a
> connection than it was getting, and it was because it counted the FIN as
> a data byte. (Admittedly, the error was harmless, but i thought the fix
> was, too.) Under what conditions does my change cause an off-by-one, and
> where is it compensated for?

The FIN "data" byte is compensated for in TcpAction.  Look at the
various ACTION_ACK_* routines.  The last_ack (when a FIN pkt is
received) gets set to the pkt_ack - 1.  The stream_size is last_ack -
base_seq and since last_ack is already decremented by 1, it's correct. 
That's the code part of it.

The practical side is that every reassembled stream was OBO (didn't
include the last byte) with the stream_size-- statement and when taken
out it worked correctly.  Jeremy discovered this through all the various
tests he runs on snort because some of the rules weren't firing because
that last byte wasn't present.

With that said, thanks again for your testing of stream4 and helping us
iron out some of the inconsistencies.  And I'll get your name right next
time.  :)

On a side note, the Snort Team is going to be looking at stream4 over
the next couple of months and anyone that would be interested in testing
out some experimental versions of it would be much appreciated.  If your
interested in helping stream4 out, let Jeremy Hewlett know.

Your already on the list Larry Reed.  :)


Daniel Roelker
Software Developer
Sourcefire, Inc.

More information about the Snort-devel mailing list