[Snort-devel] Bus error with Snort-2.0.6/spo_database.c on Sparc.

Paul van Empelen snort-devel at ...2297...
Mon Dec 29 09:14:03 EST 2003


I have modified spo_database.c a bit to print some verbose output (patch below).
I still have no idea why I get a bus error; the addresses look fine to me...

Regards,

--Paul.


--- spo_database.c_dist Mon Dec 29 18:04:29 2003
+++ spo_database.c      Mon Dec 29 18:08:38 2003
@@ -1395,6 +1395,16 @@
                 /*** Build a query for the TCP Header ***/
                 if(data->detail)
                 {
+                                       printf ("address p->tcph->th_sport: 0x%p\n", &p->tcph->th_sport);
+                                       printf ("address p->tcph->th_dport: 0x%p\n", &p->tcph->th_dport);
+                                       printf ("address p->tcph->th_seq: 0x%p\n", &p->tcph->th_seq);
+                                       printf ("address p->tcph->th_ack: 0x%p\n", &p->tcph->th_ack);
+                                       printf ("p->tcph->th_sport: 0x%u\n", p->tcph->th_sport);
+                                       printf ("p->tcph->th_dport: 0x%u\n", p->tcph->th_dport);
+                                       printf ("p->tcph->th_seq: 0x%u\n", p->tcph->th_seq);
+                                       printf ("p->tcph->th_ack: 0x%u\n", p->tcph->th_ack);
+                                       printf ("p->tcph->th_seq: 0x%lu\n", (u_long)p->tcph->th_seq);
+                                       printf ("p->tcph->th_ack: 0x%lu\n", (u_long)p->tcph->th_ack);
                     snprintf(query->val, MAX_QUERY_LENGTH, 
                             "INSERT INTO "
                             "tcphdr (sid, cid, tcp_sport, tcp_dport, "
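Review bot: The added `printf` of `p->tcph->th_seq` performs the same 32-bit load as the `snprintf` it precedes, so on a strict-alignment CPU it faults whenever the TCP header is not 4-byte aligned. The output further down shows `th_seq` at 0x24782e, which is 2-byte but not 4-byte aligned, and that matches the two 16-bit port prints succeeding before the crash. `p->tcph` points into captured packet data, so its alignment follows from whatever headers precede it, and ordinary scan traffic is enough to stop the sensor. Copy the field into an aligned local before using it, for example `u_int32_t seq; memcpy(&seq, (const unsigned char *)&p->tcph->th_seq, sizeof seq);` and then pass `ntohl(seq)`, after confirming the compiler does not turn the copy back into an aligned load; `th_ack` and the query arguments need the same treatment. Separately, `%p` expects a `void *` argument and `0x%u` prints a decimal value behind a hex prefix, so `(void *)` casts and `0x%x` would make the trace reliable; the enclosing `Database` function begins and ends outside the hunk.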


Running nmap again:

Version 2.0.6 (Build 100)
By Martin Roesch (roesch at ...402..., www.snort.org)
address p->tcph->th_sport: 0x24782a
address p->tcph->th_dport: 0x24782c
address p->tcph->th_seq: 0x24782e
address p->tcph->th_ack: 0x247832
p->tcph->th_sport: 0x19659
p->tcph->th_dport: 0x262
Bus error (core dumped)


GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
Core was generated by `./snort -c /etc/snort/snort.conf'.
Program terminated with signal 10, Bus Error.
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /usr/lib/libm.so.1...done.
Loaded symbols for /usr/lib/libm.so.1
Reading symbols from /usr/lib/libsocket.so.1...done.
Loaded symbols for /usr/lib/libsocket.so.1
Reading symbols from /usr/lib/libnsl.so.1...done.
Loaded symbols for /usr/lib/libnsl.so.1
Reading symbols from /usr/lib/libc.so.1...done.
Loaded symbols for /usr/lib/libc.so.1
Reading symbols from /usr/lib/libdl.so.1...done.
Loaded symbols for /usr/lib/libdl.so.1
Reading symbols from /usr/lib/libmp.so.2...done.
Loaded symbols for /usr/lib/libmp.so.2
Reading symbols from /usr/platform/SUNW,UltraSPARC-IIi-Engine/lib/libc_psr.so.1...done.
Loaded symbols for /usr/platform/SUNW,UltraSPARC-IIi-Engine/lib/libc_psr.so.1
Reading symbols from /usr/lib/nss_files.so.1...done.
Loaded symbols for /usr/lib/nss_files.so.1
#0  0x46dc8 in Database (p=0x247498, msg=0xffbfee08 "Spade: Closed dest port used: local dest, syn: 0.8630", arg=0x26ad58, event=0xffbfede0)
    at spo_database.c:1404
1404                                            printf ("p->tcph->th_seq: 0x%u\n", p->tcph->th_seq);
(gdb) bt
#0  0x46dc8 in Database (p=0x247498, msg=0xffbfee08 "Spade: Closed dest port used: local dest, syn: 0.8630", arg=0x26ad58, event=0xffbfede0)
    at spo_database.c:1404
#1  0x37308 in CallAlertPlugins (p=0x247498, message=0xffbfee08 "Spade: Closed dest port used: local dest, syn: 0.8630", args=0x0, 
    event=0xffbfede0) at detect.c:276
#2  0x50dc4 in SpadeReportAnom (context=0x0, rpt=0xc8000) at spp_spade.c:634
#3  0x53e54 in canceller_status_report (context=0x26be58, rpt=0x247e00, status=PORT_LIKELYCLOSED) at spp_spade.c:1928
#4  0x55290 in packet_resp_canceller_new_time (self=0x2ae780, now=1072717773) at spp_spade.c:2426
#5  0x53314 in netspade_new_pkt (self=0x26aff8, pkt=0xffbff108) at spp_spade.c:1561
#6  0x50bac in PreprocSpade (p=0xffbff220) at spp_spade.c:571
#7  0x36f58 in Preprocess (p=0xffbff220) at detect.c:111
#8  0x31348 in ProcessPacket (user=0x0, pkthdr=0x0, pkt=0x1b0470 "") at snort.c:603
#9  0x750b8 in pcap_read_dlpi ()
#10 0x76434 in pcap_loop ()
#11 0x329e8 in InterfaceThread (arg=0x1a0400) at snort.c:1533
#12 0x3123c in SnortMain (argc=1704960, argv=0xffbff814) at snort.c:541



On Sun, Dec 28, 2003 at 03:27:44PM +0100, Paul van Empelen wrote:
> 
> Hi all,
> 
> I sent this mail a couple of days ago on the snort users-list, but it got lost
> somewhere, waiting for moderator approval...
> 
> I am trying to run Snort (with the Spade preprocessor) on a Solaris machine.
> However, it crashes with a bus error after certain types of alerts.  The easiest
> way to reproduce it is to run nmap against the box, which triggers an alert from
> the Spade preprocessor.
> 
> 
> The bus error is in this part of spo_database.c:
> 
>         snprintf(query->val, MAX_QUERY_LENGTH,
>                 "INSERT INTO "
>                 "tcphdr (sid, cid, tcp_sport, tcp_dport, "
>                 "        tcp_seq, tcp_ack, tcp_off, tcp_res, "
>                 "        tcp_flags, tcp_win, tcp_csum, tcp_urp) "
>                 "VALUES ('%u','%u','%u','%u','%lu','%lu','%u','%u','%u','%u','%u','%u')",
>                 data->shared->sid,
>                 data->shared->cid,
>                 ntohs(p->tcph->th_sport),
>                 ntohs(p->tcph->th_dport),
>                 (u_long)ntohl(p->tcph->th_seq),
>                 (u_long)ntohl(p->tcph->th_ack),
>                 TCP_OFFSET(p->tcph),
>                 TCP_X2(p->tcph),
>                 p->tcph->th_flags,
>                 ntohs(p->tcph->th_win),
>                 ntohs(p->tcph->th_sum),
>                 ntohs(p->tcph->th_urp));
> 
> 
> To be more precise, it's the (u_long)ntohl(p->tcph->th_seq) and
> (u_long)ntohl(p->tcph->th_ack) that cause the bus error.  If I hard code a '0'
> in the program, the bus error is gone (although some weird database errors show up:-))
> 
> I am not a programmer, and right now I am pretty much stuck here.  Dunno how to fix
> it.  It looks like some kind of alignment error on a unsigned longint.
> 
> This is the output plugin statement from my config:
> 
> output database: alert, mysql, user=******** password=******* dbname=snort host=localhost
> 
> > uname -a
> SunOS trillian 5.9 Generic_112233-02 sun4u sparc SUNW,UltraSPARC-IIi-Engine
> 
> > ./snort -V
> 
> -*> Snort! <*-
> Version 2.0.6 (Build 100)
> By Martin Roesch (roesch at ...402..., www.snort.org)
> 
> 
> 1398                        snprintf(query->val, MAX_QUERY_LENGTH, 
> (gdb) bt
> #0  0x46d68 in Database (p=0x4d57b0, msg=0xffbff238 "Spade: Closed dest port used: local dest, syn: 1.0000", arg=0x26a2e0, event=0xffbff210) at spo_database.c:1398
> #1  0x36bfc in SPAlloc (size=2530584, spmc=0xffbff238) at util.c:1248
> #2  0x620f4 in event_recorder_recover (self=0xffbff238, ref=0xc7c00) at spp_spade.c:6881
> #3  0x65188 in HttpDecodeInit (args=0x4d6118 "") at spp_http_decode.c:178
> #4  0x665c4 in ExpireConnections (scanList=0x29e4e8, watchPeriod=Cannot access memory at address 0x4000) at spp_portscan.c:518
> #5  0x64648 in Frag2Defrag (p=0x26ad88) at spp_frag2.c:812
> #6  0x61edc in new_dll_double (val=0.77218389511151264) at spp_spade.c:6672
> #7  0x3684c in CleanupProtoNames () at util.c:1057
> #8  0x30c3c in SnortMain (argc=627712, argv=0xffbff650) at snort.c:265
> #9  0x74ff8 in pcap_read_dlpi ()
> #10 0x76374 in pcap_loop ()
> #11 0x322e0 in ParseCmdLine (argc=1703936, argv=0x1b0000) at snort.c:1286
> #12 0x30b30 in hex2s (val=5) at plugbase.c:1760
> (gdb) p/x p->tcph->th_seq
> $1 = 0x8d2bd557
> (gdb) p/x p->tcph->th_ack
> $2 = 0x8a15b285
> 
> 
> 1398                        snprintf(query->val, MAX_QUERY_LENGTH, 
> (gdb) bt
> #0  0x46d68 in Database (p=0x4d53e8, msg=0xffbff238 "Spade: Closed dest port used: local dest, syn: 0.8843", arg=0x26a2e0, event=0xffbff210) at spo_database.c:1398
> #1  0x36bfc in SPAlloc (size=2530584, spmc=0xffbff238) at util.c:1248
> #2  0x620f4 in event_recorder_recover (self=0xffbff238, ref=0xc7c00) at spp_spade.c:6881
> #3  0x65188 in HttpDecodeInit (args=0x4d5d50 "") at spp_http_decode.c:178
> #4  0x665c4 in ExpireConnections (scanList=0x29e4e8, watchPeriod=Cannot access memory at address 0x4000) at spp_portscan.c:518
> #5  0x64648 in Frag2Defrag (p=0x26ad88) at spp_frag2.c:812
> #6  0x61edc in new_dll_double (val=0.77464485168755515) at spp_spade.c:6672
> #7  0x3684c in CleanupProtoNames () at util.c:1057
> #8  0x30c3c in SnortMain (argc=627712, argv=0xffbff650) at snort.c:265
> #9  0x74ff8 in pcap_read_dlpi ()
> #10 0x76374 in pcap_loop ()
> #11 0x322e0 in ParseCmdLine (argc=1703936, argv=0x1b0000) at snort.c:1286
> #12 0x30b30 in hex2s (val=5) at plugbase.c:1760
> (gdb)  p/x p->tcph->th_seq
> $1 = 0xe2e96563
> (gdb) p/x p->tcph->th_ack
> $2 = 0x8565987d
> (gdb) 
> 
> 
> 1398                        snprintf(query->val, MAX_QUERY_LENGTH, 
> (gdb) bt
> #0  0x46d68 in Database (p=0x4d5618, msg=0xffbff258 "Spade: Closed dest port used: local dest, syn: 1.0000", arg=0x26a2b0, event=0xffbff230) at spo_database.c:1398
> #1  0x37308 in CallAlertPlugins (p=0x4d5618, message=0xffbff258 "Spade: Closed dest port used: local dest, syn: 1.0000", args=0x0, event=0xffbff230) at detect.c:276
> #2  0x50cfc in SpadeReportAnom (context=0x0, rpt=0xc7c00) at spp_spade.c:634
> #3  0x53d90 in canceller_status_report (context=0x26b7c8, rpt=0x4d5f80, status=PORT_LIKELYCLOSED) at spp_spade.c:1923
> #4  0x551cc in packet_resp_canceller_new_time (self=0x2accc8, now=1072258950) at spp_spade.c:2421
> #5  0x53250 in netspade_new_pkt (self=0x270248, pkt=0xffbff558) at spp_spade.c:1556
> #6  0x50ae4 in PreprocSpade (p=0xffbff670) at spp_spade.c:571
> #7  0x36f58 in Preprocess (p=0xffbff670) at detect.c:111
> #8  0x31348 in ProcessPacket (user=0x0, pkthdr=0x0, pkt=0x1b0230 "") at snort.c:603
> #9  0x74ff8 in pcap_read_dlpi ()
> #10 0x76374 in pcap_loop ()
> #11 0x329e8 in InterfaceThread (arg=0x1a0000) at snort.c:1533
> #12 0x3123c in SnortMain (argc=1703936, argv=0xffbffc64) at snort.c:541
> (gdb) p/x p->tcph->th_seq
> $1 = 0x8439366a
> (gdb) p/x p->tcph->th_ack
> $2 = 0x9195a616
> (gdb) 
> 
> 
> Regards,
> 
> --Paul.
> 
> 
> 
> 



