[Snort-devel] Two bugs in Snort ARPspoof Preprocessor

ey4s at ...2599... ey4s at ...2599...
Mon Aug 9 06:26:10 EDT 2004


hi,

spp_arpspoof.c (Version 0.1.3)

-= BUG1 -=

line123: static IPMacEntryList *ipmel;
line144: RegisterPreprocessor("arpspoof_detect_host", ARPspoofHostInit);

line205: 
void ARPspoofHostInit(u_char *args)
{
    DEBUG_WRAP(DebugMessage(DEBUG_INIT, 
            "Preprocessor: Arpspoof (overwrite list) Initialized\n"););

    ipmel = (IPMacEntryList *)SnortAlloc(sizeof(IPMacEntryList));  !!!!!

    /* parse the argument list from the rules file */
    ParseARPspoofHostArgs(args);

    check_overwrite = 1;
    return;
}

Every time Snort calls the function ARPspoofHostInit() to parse the
args, it allocates memory for ipmel, overwriting the old one. This causes
a memory leak and loses the IP-MAC information; only the last one remains.

-= BUG2 -=
LINE388:

        if ((!memcmp((u_int8_t *)p->eh->ether_src, 
                (u_int8_t *)ipme->mac_addr, 6)) || 
                (!memcmp((u_int8_t *)p->ah->arp_sha, 
                (u_int8_t *)ipme->mac_addr, 6)))

  I think it should be:
        if ((memcmp((u_int8_t *)p->eh->ether_src, 
                (u_int8_t *)ipme->mac_addr, 6)) || 
                (memcmp((u_int8_t *)p->ah->arp_sha, 
                (u_int8_t *)ipme->mac_addr, 6)))

Best Regards!

eyas
www.xfocus.net
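
The C sketch below is an added example, not code from the original post or from Snort. It shows the two behaviours the message asks for: the list is allocated once across repeated init calls, and an alert is raised when a configured IP arrives with a different MAC. The struct, function and variable names are simplified, hypothetical stand-ins, and the addresses are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified, hypothetical stand-ins; not Snort's real structures. */
typedef struct Entry { uint32_t ip; uint8_t mac[6]; struct Entry *next; } Entry;
typedef struct { int size; Entry *head; } EntryList;

static EntryList *list; /* plays the role of ipmel */

/* Called once per config line, like ARPspoofHostInit(). Allocating the
 * list only while it is still NULL keeps earlier entries and avoids the leak.
 * Returns the number of entries stored, or -1 on allocation failure. */
int host_init(uint32_t ip, const uint8_t mac[6])
{
    Entry *e;
    if (list == NULL && (list = calloc(1, sizeof(*list))) == NULL)
        return -1;
    if ((e = calloc(1, sizeof(*e))) == NULL)
        return -1;
    e->ip = ip;
    memcpy(e->mac, mac, 6);
    e->next = list->head;
    list->head = e;
    return ++list->size;
}

/* Returns 1 (alert) when the sender IP is configured and either the Ethernet
 * source or the ARP sender hardware address differs from the configured MAC. */
int overwrite_check(uint32_t spa, const uint8_t eth_src[6], const uint8_t arp_sha[6])
{
    const Entry *e;
    for (e = list ? list->head : NULL; e != NULL; e = e->next) {
        if (e->ip != spa) continue;
        return memcmp(eth_src, e->mac, 6) != 0 || memcmp(arp_sha, e->mac, 6) != 0;
    }
    return 0; /* IP not configured: nothing to compare against */
}

int main(void)
{
    const uint8_t good[6]  = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55}; /* constructed */
    const uint8_t other[6] = {0xde, 0xad, 0xbe, 0xef, 0x00, 0x01}; /* constructed */
    host_init(0x0a000001, good);   /* first config line  */
    host_init(0x0a000002, other);  /* second config line */
    printf("matching MAC alert: %d\n", overwrite_check(0x0a000001, good, good));
    printf("spoofed MAC alert:  %d\n", overwrite_check(0x0a000001, other, other));
    return 0;
}
```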



