[Snort-devel] Fix for alignment bug in ConvertRPC (spp_rpc_decode.c) on Solaris

Alpha Beta bitstream0101 at ...445...
Fri Jan 24 06:37:16 EST 2003


Anyone who has tried to build snort under Solaris has
probably run into a sporadic crash in ConvertRPC due
to a memory alignment error.  The following code diff
appears to fix the problem without altering the
function of the code.  This should work on any
platform, but someone with more platforms to test on
might want to confirm that before committing it.

*** snort-1.9.0/src/preprocessors/spp_rpc_decode.c      Fri Jan 10 15:32:36 
2003
--- snort-1.9.0/src/preprocessors/spp_rpc_decode.c.DIST Thu Jan  9 10:47:21 
2003
***************
*** 260,272 ****
      if(size < 16)
          return;

-     /* psize was previously unused.  it is now used to
-      * determine how much is left of the packet to make
-      * sure we don't go past the end.  We start by hacking
-      * out the four byte header.
-      */
-     psize -= 4;
-
      /* now we know it's in fragmented records, 4 bytes of
       * header(of which the most sig bit fragment (0=yes 1=no).
       * The header is followed by the value move pointer up 4
--- 260,265 ----
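Review bot: `psize -= 4;` on the patched (`***`) side is applied without checking that psize holds at least 4, and the guard two lines above tests `size`, a different variable, so the subtraction is only safe if psize has been set to the same byte count as size before this point, which the hunk does not show. If that is the case the new comment should say so, e.g. `/* psize == size here, so the size < 16 check above leaves room for this header */`; if psize can be smaller, add `if (psize < 4) return;` in front of it. This matters because the loop further down uses psize as the remaining-bytes bound, and if psize is an unsigned type an underflow here would disable that bound entirely. The enclosing function starts before this hunk.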
***************
*** 273,280 ****
       * bytes, we need to stuff header in first 4 bytes.
       * But the header has the total length...we don't know
       * until the end
-      *
-      * See RFC 1831, Section 10 -- Record Marking Standard
       */
      tmpptr = rpc;
      rpc += 4;
--- 266,271 ----
***************
*** 281,307 ****

      while(index < end)
      {
!       /* Previous code failed to take address alignment into
!        * consideration.  This way is alignment proof.
!        */

!       length = ((*(index++))&0x7f) << 24;
!       length += *(index++) << 16;
!       length += *(index++) << 8;
!       length += *index++;
!
!       if(length > psize)
          {
!         DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "WARNING: rpc_decode 
calculated bad "
!                                 "length: %d\n", length););
              return;
          }
          else
          {
              total_len += length;
!           psize -= length; /* shorten by the length of data we will read 
*/
!           psize -= 4; /* and the next header we're going to jump */
!             for (i=0; i < length; i++,rpc++,index++)
                  *rpc = *index;
          }
      }
--- 272,297 ----

      while(index < end)
      {
!         /* get the fragment length (31 bits) and move the pointer to the
!            start of the actual data */
!         hdrptr = (int *) index;

! #ifndef WORDS_BIGENDIAN
!         length = (int)(htonl(*hdrptr) & 0x7FFFFFFF);
! #else
!         length = (int)(*hdrptr & 0x7FFFFFFF);
! #endif
!         if(length > size)
          {
!             DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "WARNING: rpc_decode 
calculated bad "
!                         "length: %d\n", length););
              return;
          }
          else
          {
              total_len += length;
!             index += 4;
!             for (i=0; i < length; i++,rpc++,index++,hdrptr++)
                  *rpc = *index;
          }
      }
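Review bot: The byte-wise length decode on the patched (`***`) side masks only the first byte; `*(index++) << 16`, `<< 8` and the bare `*index++` are not masked, so if index is a plain `char *` (the old side's `hdrptr = (int *) index;` suggests a byte pointer) any byte of 0x80 or above sign-extends on platforms where char is signed, which includes the Solaris/SPARC target this patch is for, and length goes negative or gets spurious high bits. Each byte should be masked with `& 0xff` (or index declared `unsigned char *`). Separately, the four header reads happen before any bound is checked: the while condition only guarantees one byte remains, and the `length > psize` test runs after the reads, so a trailing fragment of fewer than 4 bytes is read past end unless psize already accounts for that, which cannot be confirmed from the hunk. A guard on `end - index` before the decode closes that gap.
```c
while(index < end)
{
    /* need a complete 4-byte record mark before decoding it */
    if (end - index < 4)
        return;

    /* mask every byte: with a signed char pointer, bytes >= 0x80 would
     * otherwise sign-extend and corrupt length */
    length  = (*(index++) & 0x7f) << 24;
    length += (*(index++) & 0xff) << 16;
    length += (*(index++) & 0xff) << 8;
    length += (*(index++) & 0xff);

    /* … unchanged: psize check, total_len/psize bookkeeping, fragment copy … */
```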
***************
*** 309,324 ****
      /* point to beginning again  */
      rpc = tmpptr;

-     /* Previous code here ignored alignment and assumed length was
-      * would never be over 8 bits long.  Here we replace it with the
-      * following alignment safe code that doesn't ignore length
-      */
-
      /* we need to add header to first 4 bytes  */
!     *rpc++ = (total_len >> 24)|0x8;
!     *rpc++ = (total_len >> 16)&0xff;
!     *rpc++ = (total_len >> 8)&0xff;
!     *rpc++ = total_len&0xff;

      /* set the payload size to reflect the new size */
      size = 4+total_len;
--- 299,309 ----
      /* point to beginning again  */
      rpc = tmpptr;

      /* we need to add header to first 4 bytes  */
!     *rpc++ = (char) 0x80;
!     *rpc++ = (char) 0x0;
!     *rpc++ = (char) 0x0;
!     *rpc = total_len;

      /* set the payload size to reflect the new size */
      size = 4+total_len;
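Review bot: `*rpc++ = (total_len >> 24)|0x8;` on the patched (`***`) side sets bit 3 of the top byte, not the last-fragment flag; the record mark's flag is the most significant bit of the 32-bit word (the DIST code being replaced wrote `(char) 0x80` for this byte, and the patch's own earlier comment cites RFC 1831 section 10), so the reassembled record is emitted with a wrong marker while the length's own top bit is left unmasked. The line should read `*rpc++ = ((total_len >> 24) & 0x7f) | 0x80;`, matching the `& 0xff` masking used on the three lines below it. The function continues past the end of this hunk.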






