[Snort-devel] Memory allocation bug for flowbits?

LumpiStefan at ...578...
Tue Dec 6 23:40:06 EST 2005

Hello mailing list.

I have sorted out a little problem with snort (all versions incl. the current
version 2.4.3) when using flowbits. So I started investigating the
source code. Here I found a little problem, so I patched it (find patch

Now, what have I seen?
In src/preprocessors/flow/flow_cache.c the flowcache_newflow function is
called for every new flow. In this function another function (init_flowdata)
is called to initialize everything for the flowbits.
This init_flowdata function uses the bitop operation to set everything to 0.
boInitStaticBITOP is defined as static INLINE int
boInitStaticBITOP(BITOP *BitOp, int iBytes, unsigned char *buf) and sets
iBytes of the memory at buf to 0.
But when we take a look at the FLOW struct, we have the following layout:

FLOW contains FLOWKEY key, FLOWSTATS stats and FLOWDATA data.
FLOWDATA data contains BITOP boFlowbits and unsigned char flowb[1].
BITOP boFlowbits contains unsigned char *pucBitBuffer, unsigned int
uiBitBufferSize and unsigned int uiMaxBits.

For boInitStaticBITOP the 3rd parameter used is the unsigned char
flowb[1]. Here more than 1 byte is written to 0, so we overwrite some other
data in the heap.
I think it shouldn't be this character array with one field that is used to
initialize, but the character pointer in the BITOP struct. This
pointer is used for checking, setting, ... of the flowbits.

So I created this patch, and all was working fine for me. Can anyone confirm
my theory and, if yes, could the fix be included in the next releases?!?!

Best Regards


diff -Naur snort-2.4.3/src/preprocessors/flow/flow_cache.c
--- snort-2.4.3/src/preprocessors/flow/flow_cache.c     Mon Apr 11 22:23:45
+++ snort-2.4.3_patched/src/preprocessors/flow/flow_cache.c     Tue Dec  6
15:41:54 2005
@@ -188,11 +188,12 @@

 int init_flowdata(FLOWCACHE *fcp, FLOW *flowp)
     if(!flowp || !fcp)
         return 1;
-                         flowp->data.flowb))
+                         &(flowp->data.boFlowbits.pucBitBuffer)))
         return 1;

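Review bot: the new argument on the + line, &(flowp->data.boFlowbits.pucBitBuffer), is the address of the pointer field inside the BITOP (an unsigned char **), but boInitStaticBITOP's third parameter is the unsigned char *buf that it zeroes for iBytes, so as posted the call would zero the BITOP's own fields (pucBitBuffer, uiBitBufferSize, uiMaxBits) and whatever lies after them instead of a flowbits buffer, and the pointer-to-pointer is passed without a cast, which the compiler should warn about. The original argument, flowp->data.flowb, looks like the usual trailing one-element array that the allocation is extended to cover, so before treating the write as a heap overrun, check how many bytes flowcache_newflow actually allocates for the FLOW and whether iBytes fits in that tail; if it does not, the fix belongs in the allocation size, not in the buffer argument. The hunk as quoted is also missing the lines between "return 1;" and the changed argument (the call itself and its first two parameters), so it cannot be applied in this form.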
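As an added example (not Snort's code), the layout from the post reconstructed in C with the struct-hack sizing that a trailing flowb[1] normally implies; whether the zeroing stays in bounds depends on the allocation size, which the post does not show, so that size is an assumption here and is checked before the boInitStaticBITOP call. FLOWKEY and FLOWSTATS are replaced by placeholder fields.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Layout as described in the post; key/stats stand in for FLOWKEY/FLOWSTATS. */
typedef struct { unsigned char *pucBitBuffer; unsigned int uiBitBufferSize;
                 unsigned int uiMaxBits; } BITOP;
typedef struct { BITOP boFlowbits; unsigned char flowb[1]; } FLOWDATA;
typedef struct { unsigned int key; unsigned int stats; FLOWDATA data; } FLOW;

/* Same contract as the post's boInitStaticBITOP: point BitOp at buf, zero iBytes of it. */
static int boInitStaticBITOP(BITOP *BitOp, int iBytes, unsigned char *buf)
{
    if (!BitOp || !buf || iBytes <= 0) return 1;
    memset(buf, 0, (size_t)iBytes);
    BitOp->pucBitBuffer = buf;
    BitOp->uiBitBufferSize = (unsigned int)iBytes;
    BitOp->uiMaxBits = (unsigned int)iBytes * 8;
    return 0;
}

/* Offset of flowb[0] inside FLOW: everything past it is the flowbits tail. */
static size_t flowb_offset(void)
{
    return offsetof(FLOW, data) + offsetof(FLOWDATA, flowb);
}

/* Bytes the tail can hold when the FLOW was allocated with alloc_size bytes. */
static size_t flowb_capacity(size_t alloc_size)
{
    return alloc_size > flowb_offset() ? alloc_size - flowb_offset() : 0;
}

/* Struct-hack allocation (assumption): one FLOW header plus nbytes of tail. */
static FLOW *flow_alloc(size_t nbytes, size_t *alloc_size)
{
    *alloc_size = flowb_offset() + nbytes;
    return (FLOW *)calloc(1, *alloc_size);
}

/* init_flowdata with the bounds check the post's analysis calls for: refuse to
 * zero more bytes than the allocation actually placed after flowb[0]. */
static int init_flowdata_checked(FLOW *flowp, size_t alloc_size, int nbytes)
{
    if (!flowp || nbytes <= 0 || (size_t)nbytes > flowb_capacity(alloc_size)) return 1;
    return boInitStaticBITOP(&flowp->data.boFlowbits, nbytes, flowp->data.flowb);
}
```

With a plain sizeof(FLOW) allocation the tail holds only flowb[1] plus padding, so any larger iBytes is rejected; with the extended allocation the same call succeeds.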