[Snort-devel] [ snort-Bugs-745451 ] SigSegV in recent CVS

SourceForge.net noreply at ...12...
Fri May 30 09:41:14 EDT 2003


Bugs item #745451, was opened at 2003-05-29 12:44
Message generated for change (Comment added) made by wgxxx
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=103357&aid=745451&group_id=3357

Category: None
Group: None
>Status: Closed
Resolution: None
Priority: 5
Submitted By: WG (wgxxx)
Assigned to: Nobody/Anonymous (nobody)
Summary: SigSegV in recent CVS

Initial Comment:
Snort somehow has a problem with SegFaults:

Program received signal SIGSEGV, Segmentation fault.
0x08061c0e in fpAddMatch (omd=0x0, otnx=0x87ffbe8, pLen=9) at fpdetect.c:318
318         evalIndex = otnx->otn->rtn->listhead->ruleListNode->evalIndex;

bt:
#0  0x08061c0e in fpAddMatch (omd=0x0, otnx=0x87ffbe8, pLen=9)
    at fpdetect.c:318
#1  0x08061328 in otnx_match (id=0, index=270, data=0x80b145c)
    at fpdetect.c:630
#2  0x08062cea in mwmSearchExBC (ps=0x89945d0, 
    Tx=0x80b1580 "\004", '\001' <repeats 96 times>,
"ÜÉ°Bë\016\001\001\001\001\001\001\001P®B\001P®B\220\220\220\220\220\220\220\220HÜÉ°B¸\001\001\001\0011ɱ\030Pâý5\001\001\001\005P\211åQH.DLLHEL32HKERNQHOUNTHICKCHGETTF¹LLQH32.DHWS2_F¹E"...,
n=376, 
    Tc=0x8200184 "\004", '\001' <repeats 96 times>,
"ÜÉ°Bë\016\001\001\001\001\001\001\001p®B\001p®B\220\220\220\220\220\220\220\220hÜÉ°B¸\001\001\001\0011ɱ\030Pâý5\001\001\001\005P\211åQh.dllhel32hkernQhounthickChGetTf¹llQh32.dhws2_f¹e"...,
match=0x8061290 <otnx_match>, data=0x80b145c) at mwm.c:1072
#3  0x080633f2 in mwmSearch (pv=0x89945d0, 
    T=0x8200184 "\004", '\001' <repeats 96 times>,
"ÜÉ°Bë\016\001\001\001\001\001\001\001p®B\001p®B\220\220\220\220\220\220\220\220hÜÉ°B¸\001\001\001\0011ɱ\030Pâý5\001\001\001\005P\211åQh.dllhel32hkernQhounthickChGetTf¹llQh32.dhws2_f¹e"...,
n=376, match=0x8061290 <otnx_match>, data=0x80b145c) at
mwm.c:1404
#4  0x08061ac7 in fpEvalHeaderSW (port_group=0x87ffbf8, p=0xbffff1e0,
    check_ports=1) at fpdetect.c:943
#5  0x080616be in fpEvalHeaderUdp (p=0x0) at fpdetect.c:1072
#6  0x08061477 in fpEvalPacket (p=0x0) at fpdetect.c:1302
#7  0x0805de99 in Detect (p=0x0) at detect.c:301
#8  0x0805db85 in Preprocess (p=0x89945c0) at detect.c:104
#9  0x080585c8 in ProcessPacket (user=0x0, pkthdr=0x0, pkt=0x0) at snort.c:596
#10 0x0808364b in pcap_read_packet ()
#11 0x08084af7 in pcap_loop ()
#12 0x08059a74 in InterfaceThread (arg=0x0) at snort.c:1526
#13 0x080581c4 in SnortMain (argc=0, argv=0x0) at snort.c:538
#14 0x08057eab in main (argc=0, argv=0x0) at snort.c:166
#15 0x400a7ca6 in __libc_start_main (main=0x8057e90 <main>, argc=5,
    ubp_av=0xbffff874, init=0x808e930 <__libc_csu_init>,
    fini=0x808e960 <__libc_csu_fini>, rtld_fini=0x40015840 <_rtld_local>,
    stack_end=0x80b145c) at ../sysdeps/generic/libc-start.c:152


----------------------------------------------------------------------

>Comment By: WG (wgxxx)
Date: 2003-05-30 18:27

Message:
Logged In: YES 
user_id=334968

Well, I use the standard cvs rules:
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules

But after recompiling snort, I never get this segmentation
fault any more. I think this was somehow a compilation problem!

----------------------------------------------------------------------

Comment By: Andrew R. Baker (andrewbaker)
Date: 2003-05-29 16:07

Message:
Logged In: YES 
user_id=308707

We need the following information in order to investigate this:

Operating System version and distribution
Configuration information

Since this is most likely a bug in how the configuration is
parsed into the rule tree, a complete copy of the
configuration is essential to finding the problem.

----------------------------------------------------------------------

Comment By: WG (wgxxx)
Date: 2003-05-29 13:36

Message:
Logged In: YES 
user_id=334968

It seems that otnx->otn->rtn->listhead is not defined!
print *otnx->otn->rtn
$54 = {rule_func = 0x869d758, head_node_number = 0, type = 0, sip = 0x0,
  dip = 0x0, not_sp_flag = 0, hsp = 0, lsp = 0, not_dp_flag = 0, hdp = 0,
  ldp = 0, flags = 0, active_flag = 0, activation_counter = 0, countdown = 0,
  activate_list = 0x0, right = 0x0, down = 0x869dde0, listhead = 0x0}

The old version 
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/snort/snort/src/fpdetect.c.diff?r1=1.5&r2=1.6
was much more fault tolerant, but wasn't much better I
think! ("print otnx->otn->type $55 = 1202")

----------------------------------------------------------------------
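
The statement at fpdetect.c:318 follows four pointers in one expression, and the gdb print in the thread shows `listhead = 0x0`. The added example below (not Snort's code; the structs and function names are simplified, hypothetical stand-ins that model only that chain) resolves the chain link by link, reports which link is NULL, and audits a parsed rule array at startup so a malformed tree is caught before the first matching packet.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins: only the pointer chain dereferenced
 * at fpdetect.c:318 is modelled, not Snort's real structure layouts. */
typedef struct { int evalIndex; } RuleListNode;
typedef struct { RuleListNode *ruleListNode; } ListHead;
typedef struct { ListHead *listhead; } Rtn;
typedef struct { Rtn *rtn; } Otn;
typedef struct { Otn *otn; } Otnx;

typedef enum { CHAIN_OK, NO_OTNX, NO_OTN, NO_RTN, NO_LISTHEAD, NO_NODE } ChainStatus;

/* Resolve otnx->otn->rtn->listhead->ruleListNode->evalIndex one link at a
 * time, returning which link was NULL instead of faulting on it. */
ChainStatus get_eval_index(const Otnx *otnx, int *out)
{
    if (!otnx)                                   return NO_OTNX;
    if (!otnx->otn)                              return NO_OTN;
    if (!otnx->otn->rtn)                         return NO_RTN;
    if (!otnx->otn->rtn->listhead)               return NO_LISTHEAD;
    if (!otnx->otn->rtn->listhead->ruleListNode) return NO_NODE;
    *out = otnx->otn->rtn->listhead->ruleListNode->evalIndex;
    return CHAIN_OK;
}

/* Post-parse audit: count entries with a broken chain so a malformed rule
 * tree is rejected at startup rather than during packet processing. */
size_t audit_rule_chains(const Otnx *rules, size_t n)
{
    size_t bad = 0;
    int idx = 0;
    for (size_t i = 0; i < n; i++) {
        ChainStatus st = get_eval_index(&rules[i], &idx);
        if (st != CHAIN_OK) {
            fprintf(stderr, "rule %zu: broken chain (status %d)\n", i, (int)st);
            bad++;
        }
    }
    return bad;
}

/* Constructed sample: entry 0 is intact, entry 1 has listhead == NULL. */
static RuleListNode node = { 7 };
static ListHead head = { &node };
static Rtn good_rtn = { &head }, bad_rtn = { NULL };
static Otn good_otn = { &good_rtn }, bad_otn = { &bad_rtn };
static Otnx sample_rules[2] = { { &good_otn }, { &bad_otn } };

int main(void) { return audit_rule_chains(sample_rules, 2) == 1 ? 0 : 1; }
```
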
