[Snort-devel] Bus error with Snort-2.0.6/spo_database.c on Sparc.

Paul van Empelen snort-devel at ...2297...
Sun Dec 28 06:28:01 EST 2003


Hi all,

I sent this mail a couple of days ago on the snort users-list, but it got lost
somewhere, waiting for moderator approval...

I am trying to run Snort (with the Spade preprocessor) on a Solaris machine.
However, it crashes with a bus error after some types of alarms.  The easiest
way to reproduce it is an nmap against the box, and the error shows up from the
Spade preprocessor.


The bus error is in this part of spo_database.c:

        snprintf(query->val, MAX_QUERY_LENGTH,
                "INSERT INTO "
                "tcphdr (sid, cid, tcp_sport, tcp_dport, "
                "        tcp_seq, tcp_ack, tcp_off, tcp_res, "
                "        tcp_flags, tcp_win, tcp_csum, tcp_urp) "
                "VALUES ('%u','%u','%u','%u','%lu','%lu','%u','%u','%u','%u','%u','%u')",
                data->shared->sid,
                data->shared->cid,
                ntohs(p->tcph->th_sport),
                ntohs(p->tcph->th_dport),
                (u_long)ntohl(p->tcph->th_seq),
                (u_long)ntohl(p->tcph->th_ack),
                TCP_OFFSET(p->tcph),
                TCP_X2(p->tcph),
                p->tcph->th_flags,
                ntohs(p->tcph->th_win),
                ntohs(p->tcph->th_sum),
                ntohs(p->tcph->th_urp));


To be more precise, it's the (u_long)ntohl(p->tcph->th_seq) and
(u_long)ntohl(p->tcph->th_ack) that cause the bus error.  If I hard code a '0'
in the program, the bus error is gone (although some weird database errors show up :-))

I am not a programmer, and right now I am pretty much stuck here.  Dunno how to fix
it.  It looks like some kind of alignment error on an unsigned long int.

This is the output plugin statement from my config:

output database: alert, mysql, user=******** password=******* dbname=snort host=localhost

> uname -a
SunOS trillian 5.9 Generic_112233-02 sun4u sparc SUNW,UltraSPARC-IIi-Engine

> ./snort -V

-*> Snort! <*-
Version 2.0.6 (Build 100)
By Martin Roesch (roesch at ...402..., www.snort.org)


1398                        snprintf(query->val, MAX_QUERY_LENGTH, 
(gdb) bt
#0  0x46d68 in Database (p=0x4d57b0, msg=0xffbff238 "Spade: Closed dest port used: local dest, syn: 1.0000", arg=0x26a2e0, event=0xffbff210) at spo_database.c:1398
#1  0x36bfc in SPAlloc (size=2530584, spmc=0xffbff238) at util.c:1248
#2  0x620f4 in event_recorder_recover (self=0xffbff238, ref=0xc7c00) at spp_spade.c:6881
#3  0x65188 in HttpDecodeInit (args=0x4d6118 "") at spp_http_decode.c:178
#4  0x665c4 in ExpireConnections (scanList=0x29e4e8, watchPeriod=Cannot access memory at address 0x4000) at spp_portscan.c:518
#5  0x64648 in Frag2Defrag (p=0x26ad88) at spp_frag2.c:812
#6  0x61edc in new_dll_double (val=0.77218389511151264) at spp_spade.c:6672
#7  0x3684c in CleanupProtoNames () at util.c:1057
#8  0x30c3c in SnortMain (argc=627712, argv=0xffbff650) at snort.c:265
#9  0x74ff8 in pcap_read_dlpi ()
#10 0x76374 in pcap_loop ()
#11 0x322e0 in ParseCmdLine (argc=1703936, argv=0x1b0000) at snort.c:1286
#12 0x30b30 in hex2s (val=5) at plugbase.c:1760
(gdb) p/x p->tcph->th_seq
$1 = 0x8d2bd557
(gdb) p/x p->tcph->th_ack
$2 = 0x8a15b285


1398                        snprintf(query->val, MAX_QUERY_LENGTH, 
(gdb) bt
#0  0x46d68 in Database (p=0x4d53e8, msg=0xffbff238 "Spade: Closed dest port used: local dest, syn: 0.8843", arg=0x26a2e0, event=0xffbff210) at spo_database.c:1398
#1  0x36bfc in SPAlloc (size=2530584, spmc=0xffbff238) at util.c:1248
#2  0x620f4 in event_recorder_recover (self=0xffbff238, ref=0xc7c00) at spp_spade.c:6881
#3  0x65188 in HttpDecodeInit (args=0x4d5d50 "") at spp_http_decode.c:178
#4  0x665c4 in ExpireConnections (scanList=0x29e4e8, watchPeriod=Cannot access memory at address 0x4000) at spp_portscan.c:518
#5  0x64648 in Frag2Defrag (p=0x26ad88) at spp_frag2.c:812
#6  0x61edc in new_dll_double (val=0.77464485168755515) at spp_spade.c:6672
#7  0x3684c in CleanupProtoNames () at util.c:1057
#8  0x30c3c in SnortMain (argc=627712, argv=0xffbff650) at snort.c:265
#9  0x74ff8 in pcap_read_dlpi ()
#10 0x76374 in pcap_loop ()
#11 0x322e0 in ParseCmdLine (argc=1703936, argv=0x1b0000) at snort.c:1286
#12 0x30b30 in hex2s (val=5) at plugbase.c:1760
(gdb)  p/x p->tcph->th_seq
$1 = 0xe2e96563
(gdb) p/x p->tcph->th_ack
$2 = 0x8565987d
(gdb) 


1398                        snprintf(query->val, MAX_QUERY_LENGTH, 
(gdb) bt
#0  0x46d68 in Database (p=0x4d5618, msg=0xffbff258 "Spade: Closed dest port used: local dest, syn: 1.0000", arg=0x26a2b0, event=0xffbff230) at spo_database.c:1398
#1  0x37308 in CallAlertPlugins (p=0x4d5618, message=0xffbff258 "Spade: Closed dest port used: local dest, syn: 1.0000", args=0x0, event=0xffbff230) at detect.c:276
#2  0x50cfc in SpadeReportAnom (context=0x0, rpt=0xc7c00) at spp_spade.c:634
#3  0x53d90 in canceller_status_report (context=0x26b7c8, rpt=0x4d5f80, status=PORT_LIKELYCLOSED) at spp_spade.c:1923
#4  0x551cc in packet_resp_canceller_new_time (self=0x2accc8, now=1072258950) at spp_spade.c:2421
#5  0x53250 in netspade_new_pkt (self=0x270248, pkt=0xffbff558) at spp_spade.c:1556
#6  0x50ae4 in PreprocSpade (p=0xffbff670) at spp_spade.c:571
#7  0x36f58 in Preprocess (p=0xffbff670) at detect.c:111
#8  0x31348 in ProcessPacket (user=0x0, pkthdr=0x0, pkt=0x1b0230 "") at snort.c:603
#9  0x74ff8 in pcap_read_dlpi ()
#10 0x76374 in pcap_loop ()
#11 0x329e8 in InterfaceThread (arg=0x1a0000) at snort.c:1533
#12 0x3123c in SnortMain (argc=1703936, argv=0xffbffc64) at snort.c:541
(gdb) p/x p->tcph->th_seq
$1 = 0x8439366a
(gdb) p/x p->tcph->th_ack
$2 = 0x9195a616
(gdb) 


Regards,

--Paul.
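Added example, not Snort's code: the gdb sessions above show th_seq and th_ack holding ordinary values, so it is the 32-bit load itself that faults, which on SPARC is the classic symptom of a uint32_t read from an address that is not a multiple of 4. The frame below is constructed on the assumption of a 14-byte Ethernet header followed by a 20-byte IPv4 header, which puts th_seq at offset 38 of the buffer (2 mod 4), and shows the portable fix pattern of assembling the field from bytes instead of dereferencing a misaligned pointer.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout (not taken from Snort): Ethernet(14) + IPv4(20) + TCP.
 * th_seq is 4 bytes into the TCP header, th_ack 8 bytes in, so they land
 * at frame offsets 38 and 42: neither is a multiple of 4.  A direct
 * *(uint32_t *) load from such an address is what raises SIGBUS on SPARC. */
#define ETH_LEN 14
#define IP_LEN  20
#define TCP_SEQ_OFF (ETH_LEN + IP_LEN + 4)
#define TCP_ACK_OFF (ETH_LEN + IP_LEN + 8)

/* Portable big-endian 32-bit read: touches the buffer one byte at a time,
 * so it never depends on the alignment of p (memcpy to a local works too). */
static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* 1 if addr may legally be used for a naturally aligned 4-byte load. */
static int aligned4(const void *addr)
{
    return ((uintptr_t)addr & 3u) == 0;
}

/* Constructed frame; the union forces the buffer start to 4-byte alignment
 * so the TCP fields end up misaligned exactly as in the real capture path.
 * Only th_seq/th_ack are filled in, using the values from the first gdb
 * session above (0x8d2bd557 / 0x8a15b285). */
static union { unsigned char b[ETH_LEN + IP_LEN + 20]; uint32_t align; } pkt;

static void build_frame(void)
{
    const unsigned char seq[4] = { 0x8d, 0x2b, 0xd5, 0x57 };
    const unsigned char ack[4] = { 0x8a, 0x15, 0xb2, 0x85 };
    memset(pkt.b, 0, sizeof pkt.b);
    memcpy(pkt.b + TCP_SEQ_OFF, seq, 4);
    memcpy(pkt.b + TCP_ACK_OFF, ack, 4);
}

uint32_t frame_seq(void)   { build_frame(); return read_be32(pkt.b + TCP_SEQ_OFF); }
uint32_t frame_ack(void)   { build_frame(); return read_be32(pkt.b + TCP_ACK_OFF); }
int      seq_is_aligned(void) { return aligned4(pkt.b + TCP_SEQ_OFF); }

int main(void)
{
    printf("th_seq=0x%08x th_ack=0x%08x seq_field_aligned=%d\n",
           (unsigned)frame_seq(), (unsigned)frame_ack(), seq_is_aligned());
    return 0;
}
```

On x86 the misaligned load would silently succeed, so the aligned4() check is the only way to see the problem there; on SPARC the byte-wise read is what keeps the output plugin from faulting.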