[Snort-devel] Bus error with Snort-2.0.6/spo_database.c on Sparc.
Paul van Empelen
snort-devel at ...2297...
Tue Dec 30 02:33:02 EST 2003
On Mon, Dec 29, 2003 at 05:56:46PM -0500, Jason Wever wrote:
> "Jim Cervantes" <jcervant at ...2278...> wrote:
> > Addresses that generate bus errors when dereferenced are often
> > attributable to alignment problems. The underlying machine instruction
> > set may have restrictions on how words of certain sizes are accessed.
> > Looking at your debugging printf's below, it looks like you bus error'ed
> > trying to read p->tcph->th_seq. That's a 32-bit (long word) quantity.
> > According to your debugging output, it's aligned to a 16-bit (word)
> > boundary (0x24782e). This may explain the problem. Usually these sorts
> > of issues are handled relatively transparently by C compilers as padding
> > is added to struct memory layouts to maintain alignment restrictions,
> > but there are various ways that things can go astray - for instance
> > custom memory management or certain build problems. Hope this helps.
> I've been seeing this across the whole 2.0.x series using Linux on sparc.
> Not sure if this happened pre-2.0.x or not.
> Does snort work reliably on other big endian arches?
> Also, Paul, what did you use to build snort?
Hi Jim, Jason,
Thank you for your replies. It is really helpful. I understand the issue
Initially, I compiled it with gcc 3.2 (make 3.80).
Today, I upgraded to the latest & greatest gcc:
> gcc -v
Reading specs from /usr/local/lib/gcc-lib/sparc-sun-solaris2.9/3.3.2/specs
Configured with: ../configure --with-as=/usr/ccs/bin/as --with-ld=/usr/ccs/bin/ld --disable-nls
Thread model: posix
gcc version 3.3.2
Made a fresh install of snort-2.0.6/Spade, and inserted the printf's again:
address p->tcph->th_sport: 0x245a22
address p->tcph->th_dport: 0x245a24
address p->tcph->th_seq: 0x245a26
address p->tcph->th_ack: 0x245a2a
Bus error (core dumped)
Same issue here. Again, 0x245a26 is not 32-bit aligned.
I found some TCP offset (alignment?) macros in decode.h. However, I
couldn't figure out the syntax. Can I make a dirty workaround by
defining the 16 bit p->tcph->th_dport just after p->tcph->th_ack instead
of before p->tcph->th_seq? Or is this a really bad idea...
Also, is there a document describing the internal data structures of snort
a bit more detailed than chapter 3 of the manual?
There is one thing I still don't get. I am reading p->tcph->th_seq here.
Why isn't it complaining before, when writing to p->tcph->th_seq? This
should be the same address, right?
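
Added example, not part of the original message and not Snort's own code: reading a 32-bit header field from a 2-byte-aligned address without a misaligned load, by copying the bytes out with memcpy instead of dereferencing a uint32_t pointer. The helper names (is_aligned, load_be32, demo_read_seq) and the header bytes are constructed for illustration; only the addresses in the comments come from the debug output above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Nonzero if addr is a multiple of align (align must be a power of two). */
int is_aligned(uintptr_t addr, size_t align)
{
    return (addr & (align - 1)) == 0;
}

/* Read a 32-bit network-order (big-endian) value from any address.
 * memcpy makes no alignment assumption, so the compiler cannot emit a
 * single 32-bit load that traps on strict-alignment CPUs such as SPARC. */
uint32_t load_be32(const void *p)
{
    unsigned char b[4];
    memcpy(b, p, sizeof b);
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

/* Constructed packet: a TCP header placed 2 bytes into a 4-byte-aligned
 * buffer, so the sequence number (header offset 4) sits at an address
 * ending in ...6, like 0x245a26 in the output above. */
uint32_t demo_read_seq(int *seq_aligned)
{
    static uint32_t backing[8];              /* 4-byte-aligned storage */
    static const unsigned char hdr[12] = {   /* constructed sample bytes */
        0x04, 0x00,                          /* source port      */
        0x00, 0x50,                          /* destination port */
        0x12, 0x34, 0x56, 0x78,              /* sequence number  */
        0x9a, 0xbc, 0xde, 0xf0               /* ack number       */
    };
    unsigned char *tcp = (unsigned char *)backing + 2;

    memcpy(tcp, hdr, sizeof hdr);
    *seq_aligned = is_aligned((uintptr_t)(tcp + 4), 4);
    /* *(uint32_t *)(tcp + 4) here would be the trapping access. */
    return load_be32(tcp + 4);
}

int main(void)
{
    int aligned;
    uint32_t seq = demo_read_seq(&aligned);
    printf("seq=0x%08lx aligned=%d\n", (unsigned long)seq, aligned);
    return 0;
}
```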