[Snort-devel] Bus error with Snort-2.0.6/spo_database.c on Sparc.

Jim Cervantes jcervant at ...2278...
Mon Dec 29 09:52:04 EST 2003


Paul,

Addresses that generate bus errors when dereferenced are often attributable
to alignment problems.  The underlying machine instruction set may have
restrictions on how words of certain sizes are accessed.  Looking at your
debugging printf's below, it looks like you bus error'ed trying to read
p->tcph->th_seq.  That's a 32-bit (long word) quantity.  According to your
debugging output, it's aligned to a 16-bit (word) boundary (0x24782e).  This
may explain the problem.  Usually these sorts of issues are handled
relatively transparently by C compilers as padding is added to struct memory
layouts to maintain alignment restrictions, but there are various ways that
things can go astray - for instance custom memory management or certain
build problems.  Hope this helps.

Jim
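As an added illustration of the alignment point above (example code, not from this thread or from Snort): a TCP header overlaid on a captured frame behind a 14-byte Ethernet header and a 20-byte IP header lands on a 2-byte boundary, so th_seq sits exactly where the 0x24782e address in the debugging output does, and the field can still be read without issuing a misaligned 32-bit load. The struct layout, frame contents and helper names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the TCP header struct used in the thread. */
struct tcphdr_like {
    uint16_t th_sport, th_dport;
    uint32_t th_seq, th_ack;
    uint8_t  th_offx2, th_flags;
    uint16_t th_win, th_sum, th_urp;
};

/* Ethernet (14) + IPv4 (20) headers place the TCP header at frame offset 34,
 * i.e. 2 mod 4, so th_seq (offset 38) lands on a 16-bit boundary.  A 32-bit
 * load there raises SIGBUS on SPARC; struct padding cannot help, because the
 * struct is overlaid on a byte buffer by a pointer cast, not laid out by the compiler. */
enum { ETH_HLEN = 14, IP_HLEN = 20, TCP_OFF = ETH_HLEN + IP_HLEN };

/* Nonzero when p does not meet an `align`-byte alignment requirement. */
static int misaligned(const void *p, size_t align)
{
    return ((uintptr_t)p % align) != 0;
}

/* Constructed frame in 4-byte-aligned storage, TCP header at TCP_OFF,
 * th_seq = 0x8d2bd557 and th_ack = 0x8a15b285 in network byte order. */
static const unsigned char *demo_frame(void)
{
    static uint32_t words[16];
    static const unsigned char tcp[12] = {
        0x00, 0x50, 0x1f, 0x90,   /* th_sport = 80, th_dport = 8080 */
        0x8d, 0x2b, 0xd5, 0x57,   /* th_seq */
        0x8a, 0x15, 0xb2, 0x85 }; /* th_ack */
    memcpy((unsigned char *)words + TCP_OFF, tcp, sizeof tcp);
    return (const unsigned char *)words;
}

/* Alignment-safe read: assemble the value byte by byte (memcpy into an aligned
 * uint32_t followed by ntohl works too).  No 32-bit load touches the address. */
static uint32_t load_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint32_t read_seq_safe(const unsigned char *frame)
{
    return load_be32(frame + TCP_OFF + offsetof(struct tcphdr_like, th_seq));
}
```

read_seq_safe() is the drop-in replacement for (u_long)ntohl(p->tcph->th_seq); misaligned() is the check to add before any direct dereference of a header pointer derived from a packet buffer.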


-----Original Message-----
From: snort-devel-admin at lists.sourceforge.net
[mailto:snort-devel-admin at lists.sourceforge.net]On Behalf Of Paul van
Empelen
Sent: Monday, December 29, 2003 12:14 PM
To: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Bus error with Snort-2.0.6/spo_database.c on
Sparc.



I have modified spo_database.c a bit to give some verbose output:
Still, no idea why I get a bus error.  The addresses look fine to me...

Regards,

--Paul.


--- spo_database.c_dist Mon Dec 29 18:04:29 2003
+++ spo_database.c      Mon Dec 29 18:08:38 2003
@@ -1395,6 +1395,16 @@
                 /*** Build a query for the TCP Header ***/
                 if(data->detail)
                 {
+                                       printf ("address p->tcph->th_sport:
0x%p\n", &p->tcph->th_sport);
+                                       printf ("address p->tcph->th_dport:
0x%p\n", &p->tcph->th_dport);
+                                       printf ("address p->tcph->th_seq:
0x%p\n", &p->tcph->th_seq);
+                                       printf ("address p->tcph->th_ack:
0x%p\n", &p->tcph->th_ack);
+                                       printf ("p->tcph->th_sport: 0x%u\n",
p->tcph->th_sport);
+                                       printf ("p->tcph->th_dport: 0x%u\n",
p->tcph->th_dport);
+                                       printf ("p->tcph->th_seq: 0x%u\n",
p->tcph->th_seq);
+                                       printf ("p->tcph->th_ack: 0x%u\n",
p->tcph->th_ack);
+                                       printf ("p->tcph->th_seq: 0x%lu\n",
(u_long)p->tcph->th_seq);
+                                       printf ("p->tcph->th_ack: 0x%lu\n",
(u_long)p->tcph->th_ack);
                     snprintf(query->val, MAX_QUERY_LENGTH,
                             "INSERT INTO "
                             "tcphdr (sid, cid, tcp_sport, tcp_dport, "
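Review bot: the added value printfs dereference p->tcph->th_seq and p->tcph->th_ack directly (`printf ("p->tcph->th_seq: 0x%u\n", p->tcph->th_seq);` and the three lines after it), so they fault on the same misaligned 32-bit load as the snprintf they are meant to diagnose, which is exactly what the run below shows (the crash moves to the th_seq printf); the four address lines already give the answer, since th_seq at 0x24782e is on a 2-byte boundary. To print the values for debugging, memcpy the four bytes into an aligned local first, or print them byte-wise. Separately, `0x%u` prefixes a decimal conversion with `0x`, so `0x19659` and `0x262` in the output are decimal 19659 and 262, not hex; use `%u` or `%#x` (and `%#lx` for the u_long casts) so the output cannot be misread.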


Running nmap again:

Version 2.0.6 (Build 100)
By Martin Roesch (roesch at ...402..., www.snort.org)
address p->tcph->th_sport: 0x24782a
address p->tcph->th_dport: 0x24782c
address p->tcph->th_seq: 0x24782e
address p->tcph->th_ack: 0x247832
p->tcph->th_sport: 0x19659
p->tcph->th_dport: 0x262
Bus error (core dumped)


GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
Core was generated by `./snort -c /etc/snort/snort.conf'.
Program terminated with signal 10, Bus Error.
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /usr/lib/libm.so.1...done.
Loaded symbols for /usr/lib/libm.so.1
Reading symbols from /usr/lib/libsocket.so.1...done.
Loaded symbols for /usr/lib/libsocket.so.1
Reading symbols from /usr/lib/libnsl.so.1...done.
Loaded symbols for /usr/lib/libnsl.so.1
Reading symbols from /usr/lib/libc.so.1...done.
Loaded symbols for /usr/lib/libc.so.1
Reading symbols from /usr/lib/libdl.so.1...done.
Loaded symbols for /usr/lib/libdl.so.1
Reading symbols from /usr/lib/libmp.so.2...done.
Loaded symbols for /usr/lib/libmp.so.2
Reading symbols from
/usr/platform/SUNW,UltraSPARC-IIi-Engine/lib/libc_psr.so.1...done.
Loaded symbols for
/usr/platform/SUNW,UltraSPARC-IIi-Engine/lib/libc_psr.so.1
Reading symbols from /usr/lib/nss_files.so.1...done.
Loaded symbols for /usr/lib/nss_files.so.1
#0  0x46dc8 in Database (p=0x247498, msg=0xffbfee08 "Spade: Closed dest port
used: local dest, syn: 0.8630", arg=0x26ad58, event=0xffbfede0)
    at spo_database.c:1404
1404                                            printf ("p->tcph->th_seq:
0x%u\n", p->tcph->th_seq);
(gdb) bt
#0  0x46dc8 in Database (p=0x247498, msg=0xffbfee08 "Spade: Closed dest port
used: local dest, syn: 0.8630", arg=0x26ad58, event=0xffbfede0)
    at spo_database.c:1404
#1  0x37308 in CallAlertPlugins (p=0x247498, message=0xffbfee08 "Spade:
Closed dest port used: local dest, syn: 0.8630", args=0x0,
    event=0xffbfede0) at detect.c:276
#2  0x50dc4 in SpadeReportAnom (context=0x0, rpt=0xc8000) at spp_spade.c:634
#3  0x53e54 in canceller_status_report (context=0x26be58, rpt=0x247e00,
status=PORT_LIKELYCLOSED) at spp_spade.c:1928
#4  0x55290 in packet_resp_canceller_new_time (self=0x2ae780,
now=1072717773) at spp_spade.c:2426
#5  0x53314 in netspade_new_pkt (self=0x26aff8, pkt=0xffbff108) at
spp_spade.c:1561
#6  0x50bac in PreprocSpade (p=0xffbff220) at spp_spade.c:571
#7  0x36f58 in Preprocess (p=0xffbff220) at detect.c:111
#8  0x31348 in ProcessPacket (user=0x0, pkthdr=0x0, pkt=0x1b0470 "") at
snort.c:603
#9  0x750b8 in pcap_read_dlpi ()
#10 0x76434 in pcap_loop ()
#11 0x329e8 in InterfaceThread (arg=0x1a0400) at snort.c:1533
#12 0x3123c in SnortMain (argc=1704960, argv=0xffbff814) at snort.c:541



On Sun, Dec 28, 2003 at 03:27:44PM +0100, Paul van Empelen wrote:
>
> Hi all,
>
> I sent this mail a couple of days ago on the snort users-list, but it got lost
> somewhere, waiting for moderator approval...
>
> I am trying to run Snort (with the Spade preprocessor) on a Solaris machine.
> However, it crashes with a bus error after some type of alarms.  Easiest to
> reproduce is an nmap of the box, and the error that shows up comes from the
> Spade preprocessor.
>
>
> The bus error is in this part of spo_database.c:
>
>         snprintf(query->val, MAX_QUERY_LENGTH,
>                 "INSERT INTO "
>                 "tcphdr (sid, cid, tcp_sport, tcp_dport, "
>                 "        tcp_seq, tcp_ack, tcp_off, tcp_res, "
>                 "        tcp_flags, tcp_win, tcp_csum, tcp_urp) "
>                 "VALUES ('%u','%u','%u','%u','%lu','%lu','%u','%u','%u','%u','%u','%u')",
>                 data->shared->sid,
>                 data->shared->cid,
>                 ntohs(p->tcph->th_sport),
>                 ntohs(p->tcph->th_dport),
>                 (u_long)ntohl(p->tcph->th_seq),
>                 (u_long)ntohl(p->tcph->th_ack),
>                 TCP_OFFSET(p->tcph),
>                 TCP_X2(p->tcph),
>                 p->tcph->th_flags,
>                 ntohs(p->tcph->th_win),
>                 ntohs(p->tcph->th_sum),
>                 ntohs(p->tcph->th_urp));
>
>
> To be more precise, it's the (u_long)ntohl(p->tcph->th_seq) and
> (u_long)ntohl(p->tcph->th_ack) that cause the bus error.  If I hard code a '0'
> in the program, the bus error is gone (although some weird database errors
> show up :-))
>
> I am not a programmer, and right now I am pretty much stuck here.  Dunno how
> to fix it.  It looks like some kind of alignment error on an unsigned long int.
>
> This is the output plugin statement from my config:
>
> output database: alert, mysql, user=******** password=******* dbname=snort host=localhost
>
> > uname -a
> SunOS trillian 5.9 Generic_112233-02 sun4u sparc SUNW,UltraSPARC-IIi-Engine
>
> > ./snort -V
>
> -*> Snort! <*-
> Version 2.0.6 (Build 100)
> By Martin Roesch (roesch at ...402..., www.snort.org)
>
>
> 1398                        snprintf(query->val, MAX_QUERY_LENGTH,
> (gdb) bt
> #0  0x46d68 in Database (p=0x4d57b0, msg=0xffbff238 "Spade: Closed dest
port used: local dest, syn: 1.0000", arg=0x26a2e0, event=0xffbff210) at
spo_database.c:1398
> #1  0x36bfc in SPAlloc (size=2530584, spmc=0xffbff238) at util.c:1248
> #2  0x620f4 in event_recorder_recover (self=0xffbff238, ref=0xc7c00) at
spp_spade.c:6881
> #3  0x65188 in HttpDecodeInit (args=0x4d6118 "") at spp_http_decode.c:178
> #4  0x665c4 in ExpireConnections (scanList=0x29e4e8, watchPeriod=Cannot
access memory at address 0x4000) at spp_portscan.c:518
> #5  0x64648 in Frag2Defrag (p=0x26ad88) at spp_frag2.c:812
> #6  0x61edc in new_dll_double (val=0.77218389511151264) at
spp_spade.c:6672
> #7  0x3684c in CleanupProtoNames () at util.c:1057
> #8  0x30c3c in SnortMain (argc=627712, argv=0xffbff650) at snort.c:265
> #9  0x74ff8 in pcap_read_dlpi ()
> #10 0x76374 in pcap_loop ()
> #11 0x322e0 in ParseCmdLine (argc=1703936, argv=0x1b0000) at snort.c:1286
> #12 0x30b30 in hex2s (val=5) at plugbase.c:1760
> (gdb) p/x p->tcph->th_seq
> $1 = 0x8d2bd557
> (gdb) p/x p->tcph->th_ack
> $2 = 0x8a15b285
>
>
> 1398                        snprintf(query->val, MAX_QUERY_LENGTH,
> (gdb) bt
> #0  0x46d68 in Database (p=0x4d53e8, msg=0xffbff238 "Spade: Closed dest
port used: local dest, syn: 0.8843", arg=0x26a2e0, event=0xffbff210) at
spo_database.c:1398
> #1  0x36bfc in SPAlloc (size=2530584, spmc=0xffbff238) at util.c:1248
> #2  0x620f4 in event_recorder_recover (self=0xffbff238, ref=0xc7c00) at
spp_spade.c:6881
> #3  0x65188 in HttpDecodeInit (args=0x4d5d50 "") at spp_http_decode.c:178
> #4  0x665c4 in ExpireConnections (scanList=0x29e4e8, watchPeriod=Cannot
access memory at address 0x4000) at spp_portscan.c:518
> #5  0x64648 in Frag2Defrag (p=0x26ad88) at spp_frag2.c:812
> #6  0x61edc in new_dll_double (val=0.77464485168755515) at
spp_spade.c:6672
> #7  0x3684c in CleanupProtoNames () at util.c:1057
> #8  0x30c3c in SnortMain (argc=627712, argv=0xffbff650) at snort.c:265
> #9  0x74ff8 in pcap_read_dlpi ()
> #10 0x76374 in pcap_loop ()
> #11 0x322e0 in ParseCmdLine (argc=1703936, argv=0x1b0000) at snort.c:1286
> #12 0x30b30 in hex2s (val=5) at plugbase.c:1760
> (gdb)  p/x p->tcph->th_seq
> $1 = 0xe2e96563
> (gdb) p/x p->tcph->th_ack
> $2 = 0x8565987d
> (gdb)
>
>
> 1398                        snprintf(query->val, MAX_QUERY_LENGTH,
> (gdb) bt
> #0  0x46d68 in Database (p=0x4d5618, msg=0xffbff258 "Spade: Closed dest
port used: local dest, syn: 1.0000", arg=0x26a2b0, event=0xffbff230) at
spo_database.c:1398
> #1  0x37308 in CallAlertPlugins (p=0x4d5618, message=0xffbff258 "Spade:
Closed dest port used: local dest, syn: 1.0000", args=0x0, event=0xffbff230)
at detect.c:276
> #2  0x50cfc in SpadeReportAnom (context=0x0, rpt=0xc7c00) at
spp_spade.c:634
> #3  0x53d90 in canceller_status_report (context=0x26b7c8, rpt=0x4d5f80,
status=PORT_LIKELYCLOSED) at spp_spade.c:1923
> #4  0x551cc in packet_resp_canceller_new_time (self=0x2accc8,
now=1072258950) at spp_spade.c:2421
> #5  0x53250 in netspade_new_pkt (self=0x270248, pkt=0xffbff558) at
spp_spade.c:1556
> #6  0x50ae4 in PreprocSpade (p=0xffbff670) at spp_spade.c:571
> #7  0x36f58 in Preprocess (p=0xffbff670) at detect.c:111
> #8  0x31348 in ProcessPacket (user=0x0, pkthdr=0x0, pkt=0x1b0230 "") at
snort.c:603
> #9  0x74ff8 in pcap_read_dlpi ()
> #10 0x76374 in pcap_loop ()
> #11 0x329e8 in InterfaceThread (arg=0x1a0000) at snort.c:1533
> #12 0x3123c in SnortMain (argc=1703936, argv=0xffbffc64) at snort.c:541
> (gdb) p/x p->tcph->th_seq
> $1 = 0x8439366a
> (gdb) p/x p->tcph->th_ack
> $2 = 0x9195a616
> (gdb)
>
>
> Regards,
>
> --Paul.
>
>
>


_______________________________________________
Snort-devel mailing list
Snort-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel