[Snort-devel] Stream4 preprocess bug.

Lawrence Reed Lawrence.Reed at ...1489...
Tue Jan 7 09:04:09 EST 2003


I think this is a bug in the spp_stream4.c code.  When a stream is 
flushed because of an alert, the base_seq number gets reset to the wrong 
value.  Here is a diff with this change and a couple of other debug 
statement changes.


--- spp_stream4.c.fcs   Tue Jan  7 16:58:22 2003
+++ spp_stream4.c       Tue Jan  7 16:57:21 2003
@@ -3722,7 +3722,7 @@
     Stream *stream;
     int nodecount = 0;

-    DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Flusing stream due to an 
alert!\n"););
+    DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Flushing stream due to an 
alert!\n"););

     if(ssn != NULL)
     {
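Review bot: The removed and added DebugMessage lines in this hunk were wrapped by the mail client, so the continuation `alert!\n"););` carries no diff prefix and the patch will not apply as posted. Please resend it as an attachment or with line wrapping disabled. The spelling fix is also unrelated to the base_seq change and would be easier to review as a separate patch.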
@@ -3731,14 +3731,14 @@
             nodecount = LogStream(&ssn->server);
             DeleteSpd(ssn->server.dataPtr, 1);
             stream = &ssn->server;
-            stream->base_seq = ssn->client.last_ack;
+            stream->base_seq = ssn->server.last_ack;
         }
         else
         {
             nodecount = LogStream(&ssn->client);
             DeleteSpd(ssn->client.dataPtr, 1);
             stream = &ssn->client;
-            stream->base_seq = ssn->server.last_ack;
+            stream->base_seq = ssn->client.last_ack;
         }
     }

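Review bot: Both new assignments in this hunk could be written as `stream->base_seq = stream->last_ack;`, because `stream` has just been pointed at the side being flushed. That form cannot cross the client and server sides again, and it matches the unchanged `ssn->client.base_seq = ssn->client.last_ack;` visible in the context of the 4165 hunk. A one-line comment saying that base_seq and last_ack must belong to the same side's sequence space would document why the old pairing was wrong.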
@@ -4165,7 +4165,7 @@
                     ssn->client.base_seq = ssn->client.last_ack;
                 } else {
                     DEBUG_WRAP(DebugMessage(DEBUG_STREAM,
-                                            "%d bytes to go before we 
flush\n",
+                                            "%u bytes to go before we 
flush\n",
                                             (ssn->flush_point -
                                              (ssn->client.last_ack -
                                               ssn->client.base_seq))););
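Review bot: The `%u` on the changed format line requires an unsigned int argument, and the declared types of `flush_point`, `last_ack` and `base_seq` are not visible in this hunk, so confirm the expression is unsigned int or cast it explicitly. Note that with `%u` an underflowed difference prints as a very large count rather than a negative one, so printing `flush_point` and the offset as separate values would make a bad base_seq easier to spot in the debug log.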


Here are the before and after debug outputs from my testing.
Before this change:

spp_stream4.c:3184: 1 streams active, 1440 bytes in use
spp_stream4.c:3725: Flusing stream due to an alert!
spp_stream4.c:1408: pcount stream packet 5
spp_stream4.c:1479: Got Packet 0x7D51A8C0:23 ->  0x8151A8C0:33205 
***A****spp_stream4.c:1492: pkt_seq: 4175562528, pkt_ack: 4169168481
spp_stream4.c:3119: Trying to get session...
spp_stream4.c:3125: Looking for sip: 0x7D51A8C0 sp: 23  cip: 0x8151A8C0 
cp: 33205 flags: ***A****
spp_stream4.c:3152: Found session
spp_stream4.c:1611: server packet: ***A****
spp_stream4.c:1638: Marking stream as established
spp_stream4.c:1649: pkt is from server
spp_stream4.c:1664: Stream is established!,ssnflags = 0x7
spp_stream4.c:1868: Client state: ESTABLISHED
spp_stream4.c:1943: ACKING Client Data
spp_stream4.c:4138: client.base_seq(4175562528) 
client.last_ack(4169168479) offset(4288573247)
spp_stream4.c:4167: 6394264 bytes to go before we flush               
 <--------------------------------------This is wrong
spp_stream4.c:3184: 1 streams active, 1316 bytes in use

After:
spp_stream4.c:3184: 1 streams active, 1440 bytes in use
spp_stream4.c:3725: Flusing stream due to an alert!
spp_stream4.c:1408: pcount stream packet 5
spp_stream4.c:1479: Got Packet 0x7D51A8C0:23 ->  0x8151A8C0:33215 
***A****spp_stream4.c:1492: pkt_seq: 3962239794, pkt_ack: 3955417281
spp_stream4.c:3119: Trying to get session...
spp_stream4.c:3125: Looking for sip: 0x7D51A8C0 sp: 23  cip: 0x8151A8C0 
cp: 33215 flags: ***A****
spp_stream4.c:3152: Found session
spp_stream4.c:1611: server packet: ***A****
spp_stream4.c:1638: Marking stream as established
spp_stream4.c:1649: pkt is from server
spp_stream4.c:1664: Stream is established!,ssnflags = 0x7
spp_stream4.c:1868: Client state: ESTABLISHED
spp_stream4.c:1943: ACKING Client Data
spp_stream4.c:4138: client.base_seq(3955417279) 
client.last_ack(3955417279) offset(0)
spp_stream4.c:4167: 215 bytes to go before we flusha                     
 <--------------------------------------Much Better
spp_stream4.c:3184: 1 streams active, 1316 bytes in use



-- 
Larry Reed  Lawrence.Reed at ...1489...
NOAA IT Security Office
PGP Public Key:  http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772
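
The following is an added example, not part of the original post and not Snort's code: a minimal C model of the rebase that reproduces the "bytes to go" values in the traces above using unsigned 32-bit arithmetic. The `Stream` and `Session` structs are simplified stand-ins, the helper names are hypothetical, and the sample values are constructed from the "before" trace, with a flush point of 215 inferred from the "after" trace.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the Stream4 structures (assumption: only the
 * fields named in the patch, all 32-bit unsigned like TCP sequence numbers). */
typedef struct { uint32_t base_seq, last_ack; } Stream;
typedef struct { Stream client, server; uint32_t flush_point; } Session;

/* Rebase one side after an alert flush. fixed=0 reproduces the crossed
 * assignment removed by the patch, fixed=1 the corrected one. */
static void rebase_after_alert(Session *ssn, int server_side, int fixed)
{
    Stream *s = server_side ? &ssn->server : &ssn->client;
    Stream *other = server_side ? &ssn->client : &ssn->server;
    s->base_seq = fixed ? s->last_ack : other->last_ack;
}

/* Same expression as the debug statement in the third hunk. */
static uint32_t bytes_to_flush(const Session *ssn)
{
    return ssn->flush_point - (ssn->client.last_ack - ssn->client.base_seq);
}

/* Constructed session: client.last_ack and the value that ended up in
 * client.base_seq are taken from the "before" trace; flush_point 215 is
 * inferred from the "after" trace, where the offset is 0. */
static Session sample(void)
{
    Session ssn = { { 0, 4169168479u }, { 0, 4175562528u }, 215 };
    return ssn;
}

/* Flush the client side and report how many bytes remain before a flush. */
static uint32_t run(int fixed)
{
    Session ssn = sample();
    rebase_after_alert(&ssn, 0, fixed);
    return bytes_to_flush(&ssn);
}

int main(void)
{
    printf("crossed: %u bytes to go\n", (unsigned)run(0));
    printf("fixed:   %u bytes to go\n", (unsigned)run(1));
    return 0;
}
```

With the crossed assignment, last_ack sits behind base_seq, so the offset wraps modulo 2^32 and the remaining count grows by the gap between the two directions' sequence spaces.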





