[Snort-devel] Getting bus errors on the Sparc - SPARC_TWIDDLE?

Eloy A. Paris peloy at ...2034...
Mon Jun 16 20:55:13 EDT 2003


Hi!

I am getting 100% reproducible bus errors when running Snort 2.0.0 on
the Sparc (Linux).

The problem is that Snort is trying to write a 32-bit value (an IP
address, actually) to a non-aligned address. The crash happens around
line 3933 (+/- a couple of lines since I added some debug statements) of
src/preprocessors/spp_stream4.c:

        stream_pkt->iph->ip_src.s_addr = p->iph->ip_dst.s_addr;

The pointer to an IP header stream_pkt->iph contains a non-word aligned
address, so this statement causes a bus error on the Sparc.

stream_pkt->iph is initialized like this:

    stream_pkt->pkt = ((u_int8_t *)stream_pkt->pkth) + sizeof(SnortPktHeader);
    stream_pkt->eh = (EtherHdr *)((u_int8_t *)stream_pkt->pkt + SPARC_TWIDDLE);
    stream_pkt->iph = (IPHdr *)((u_int8_t *)stream_pkt->eh +
                      ETHERNET_HEADER_LEN);

Under Linux SPARC_TWIDDLE is 0, so stream_pkt->pkt == stream_pkt->eh,
which are word-aligned. Now, since ETHERNET_HEADER_LEN is 14,
stream_pkt->iph ends up non-aligned, which causes the bus error when
trying to write a 32-bit word to that address.

My question is: why not set SPARC_TWIDDLE to 2 in all cases, not just
for SOLARIS || SUNOS || HPUX? In any case, I think it is not correct to
set it to 2 based on Operating System, since Solaris runs on both Sparc
and Intel processors, and so does Linux. This "twiddle" should be set
based on the target architecture, IMHO.

Cheers,

Eloy.-
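
Added example, not part of the original post or of Snort's source: a small C program that reproduces the offset arithmetic described above (a word-aligned buffer plus a 14-byte Ethernet header, with a twiddle of 0 or 2). It also shows a memcpy-based store, a technique the post does not propose, that works at either alignment. The helper names, the backing buffer and the sample address are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETHERNET_HEADER_LEN 14  /* value given in the post */
#define IP_SRC_OFFSET 12        /* ip_src position inside an IPv4 header */

/* Constructed packet buffer; a uint32_t array is 4-byte aligned, like
 * the word-aligned stream_pkt->pkt described in the post. */
static uint32_t backing[32];

/* Hypothetical helper: how far the IP header lands from a 32-bit
 * boundary for a given twiddle (padding before the Ethernet header). */
static size_t ip_hdr_misalign(size_t twiddle)
{
    const uint8_t *iph = (const uint8_t *)backing + twiddle + ETHERNET_HEADER_LEN;
    return (size_t)((uintptr_t)iph % sizeof(uint32_t));
}

/* Alignment-independent 32-bit store and load: memcpy makes no
 * alignment assumption about the pointer it is given. */
static void store_u32(uint8_t *dst, uint32_t v) { memcpy(dst, &v, sizeof v); }

static uint32_t load_u32(const uint8_t *src)
{
    uint32_t v;
    memcpy(&v, src, sizeof v);
    return v;
}

/* Write an address into the ip_src slot and read it back. */
static uint32_t ip_src_roundtrip(size_t twiddle, uint32_t addr)
{
    uint8_t *ip_src = (uint8_t *)backing + twiddle + ETHERNET_HEADER_LEN + IP_SRC_OFFSET;
    store_u32(ip_src, addr);
    return load_u32(ip_src);
}

int main(void)
{
    for (size_t t = 0; t <= 2; t += 2)
        printf("twiddle=%zu iph misalignment=%zu roundtrip=0x%08x\n", t,
               ip_hdr_misalign(t), (unsigned)ip_src_roundtrip(t, 0xC0A80001u));
    return 0;
}
```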




