[Snort-devel] Re: [Snort-users] Bus error on sparc

Michael Bell michael.bell at ...1979...
Fri May 16 00:41:08 EDT 2003


Andrew R. Baker wrote:

> A better fix may be to do what pcap does for these cases.  When 
> constructing the pseudo packet, offset the start of the packet by N 
> bytes (where N = number of bytes to make the link layer portion *end* on 
> a word boundary).  I do this in Barnyard for *all* packets regardless of 
> what platform we are running on

Is there no other way? This would require several fixes in decode.c.

If you read decode.c carefully then you will see that there are several 
calls of this type:

DecodeXYZ (p->pkt + ABC_HEADER_LEN, ...)

Every such call without a verification of the address is a potential 
alignmentbug. So perhaps we have some luck and other headers than 
ethernet which are divisible by 4 but if not then there is a problem 
too. It looks like hardwareoriented headers are really optimized. 
Another option is that the direct use of integerfields in the headers 
was never planned by the snort developers.

I checked barnyard but I cannot find the code where you fix the 
alignment. Can you give an advice? I only find a macro EXTRACT_32BITS 
which do nearly the same like my function get_u_int32_t. This would fix 
the address problems.

Another idea is the kind of the bug in DecodeUDP. It happens during an 
assignment but

u_int32_t i = p->value;

is the same like

memcpy (&i, &p->value, sizeof (u_int32_t));

... except of the alignment problems.

So what should I do with decode.c? I attached a much more simple patch 
but why the code fails only for these to integers?

Michael

P.S. the diff for spp_stream4.c is still the same.
-- 
-------------------------------------------------------------------
Michael Bell                   Email: michael.bell at ...1979...
ZE Computer- und Medienservice            Tel.: +49 (0)30-2093 2482
(Computing Centre)                        Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                   Email (private): michael.bell at ...1980...
Germany                                       http://www.openca.org
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: decode.diff
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030516/11c985ee/attachment.ksh>


More information about the Snort-devel mailing list