[Snort-devel] Two bugs in Snort ARPspoof Preprocessor

Jeff Nathan jeff at ...835...
Fri Aug 6 15:08:03 EDT 2004


Hi,

Thanks for taking the time to write a clear bug report.  I've been very 
busy and apologize for not responding to your original message.

I've fixed both bugs and attached a patch.

Take care,

-Jeff
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spp_arpspoof.diff.gz
Type: application/x-gzip
Size: 1918 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20040806/1f001164/attachment.bin>

On Aug 6, 2004, at 1:51 AM, ey4s at ...2599... wrote:

> hi,
>
> spp_arpspoof.c (Version 0.1.3)
>
> -= BUG1 -=
>
> line123: static IPMacEntryList *ipmel;
> line144: RegisterPreprocessor("arpspoof_detect_host", ARPspoofHostInit);
>
> line205:
> void ARPspoofHostInit(u_char *args)
> {
>     DEBUG_WRAP(DebugMessage(DEBUG_INIT,
>             "Preprocessor: Arpspoof (overwrite list) Initialized\n"););
>
>     ipmel = (IPMacEntryList *)SnortAlloc(sizeof(IPMacEntryList));  /* !!!!! */
>
>     /* parse the argument list from the rules file */
>     ParseARPspoofHostArgs(args);
>
>     check_overwrite = 1;
>     return;
> }
>
> Every time Snort calls the function ARPspoofHostInit() to parse the
> args, it allocates memory for ipmel, overwriting the old one. This causes
> a memory leak and loses the IP-MAC information; only the last one remains.
>
> -= BUG2 -=
> LINE388:
>
>         if ((!memcmp((u_int8_t *)p->eh->ether_src,
>                 (u_int8_t *)ipme->mac_addr, 6)) ||
>                 (!memcmp((u_int8_t *)p->ah->arp_sha,
>                 (u_int8_t *)ipme->mac_addr, 6)))
>
>   I think it should be:
>         if ((memcmp((u_int8_t *)p->eh->ether_src,
>                 (u_int8_t *)ipme->mac_addr, 6)) ||
>                 (memcmp((u_int8_t *)p->ah->arp_sha,
>                 (u_int8_t *)ipme->mac_addr, 6)))
>
> Best Regards,
>
> -- 
> eyas
> www.xfocus.net

--
Top security experts.  Cutting edge tools, techniques and information.
Tokyo, Japan   November, 2003   http://www.pacsec.jp
