[Snort-devel] Two bug in Snort ARPspoof Preprocessor

啊 啊 xxx_ey4s at ...954...
Mon Aug 9 06:26:08 EDT 2004


hi,
 
spp_arpspoof.c (Version 0.1.3)
-= BUG1 -=
line123: static IPMacEntryList *ipmel;
line144: RegisterPreprocessor("arpspoof_detect_host", ARPspoofHostInit);
line205: 
void ARPspoofHostInit(u_char *args)
{
    DEBUG_WRAP(DebugMessage(DEBUG_INIT, 
            "Preprocessor: Arpspoof (overwrite list) Initialized\n"););
    ipmel = (IPMacEntryList *)SnortAlloc(sizeof(IPMacEntryList));  !!!!!
    /* parse the argument list from the rules file */
    ParseARPspoofHostArgs(args);
    check_overwrite = 1;
    return;
}
Every time when snort call function ARPspoofHostInit()  to Parse the
args, it alloc memory for ipmel, rewrite the old one. It will cause
memory leak and lose the ip-mac information , only remain the last one.
 
-= BUG2 -=
LINE388:
        if ((!memcmp((u_int8_t *)p->eh->ether_src, 
                (u_int8_t *)ipme->mac_addr, 6)) || 
                (!memcmp((u_int8_t *)p->ah->arp_sha, 
                (u_int8_t *)ipme->mac_addr, 6)))
  I think it should be:
        if ((memcmp((u_int8_t *)p->eh->ether_src, 
                (u_int8_t *)ipme->mac_addr, 6)) || 
                (memcmp((u_int8_t *)p->ah->arp_sha, 
                (u_int8_t *)ipme->mac_addr, 6)))
 
 
Best Reagards!
 
eyas
www.xfocus.net




---------------------------------
Do You Yahoo!?
美女明星应有尽有,"一搜"搜遍美图、艳图和酷图
100兆邮箱够不够用?雅虎电邮自助扩容!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20040809/3deb89f0/attachment.html>


More information about the Snort-devel mailing list