[Snort-devel] Memoryallocationbug for flowbits?

Steven Sturges steve.sturges at ...402...
Thu Dec 15 08:31:00 EST 2005


There is no heap corruption with this... Its an odd
use of an array, but there aren't any problems with
it.

The flow entry in the hash table is allocated to be
sizeof(FLOW) -- which includes the single byte PLUS it
includes the extra space of giFlowbitSize (less 1 byte).
This is done in the flowcache_init() function.

So, when a new node is retrieved, the entire FLOW data
struct is zero'd and the location of the flowbits (that
char array that includes the extra space) has the correct
size.

Cheers.
-steve

LumpiStefan at ...578... wrote:
> Hello Mailinglist.
> 
> I have sorted out a little problem with snort (all versions incl. actuel
> verison 2.4.3) and using the flowbits. So I've started investigating the
> source code. Here I found a little problem, so i patched it (find patch
> below)....
> 
> Now what have i seen?
> In the src/preprocessor/flow/flow_cache.c for every new flow the
> flowcache_newflow function is called. In this function there is called
> another function (init_flowdata) to initialize all for the flowbits.
> This init_flowdata function now uses the bitop operation to set all to 0.
> The boInitStaticBITOP is defined as static INLINE int
> boInitStaticBITOP(BITOP *BitOp,int iBytes,unsigned char *buf) and sets for a
> length of iBytes the memory of buf to 0.
> But when we take a look at the FLOW struct, we have following layout:
> 
> FLOW contains FLOWKEY key, FLOWSTATS stats and FLOWDATA data.
> FLOWDATA data contains BITOP boFlowbits and unsigned char flowb[1].
> BITOP boFlowbits contains unsigned char *pucBitBuffer, unsigned int
> uiBitBufferSize and unsigned int uiMaxBits.
> 
> For the boInitStaticBITOP is used for 3. parameter the unsigned char
> flowb[1]. Here is written more than 1 byte to 0, so we overwrite some other
> data in the heap.
> I think, it shouldn't be this character array with one fild that is used to
> initialize, but it should be the character pointer in the BITOP struct. This
> character is used for checking, settings, ... of the flowbits.
> 
> So icreated this patch, and all was working fine for me. Can anyone confirm
> my theory and if yes could the fix be included for the next releases?!?!
> 
> 
> Best Regards
> 
> Stefan
> 
> 
> diff -Naur snort-2.4.3/src/preprocessors/flow/flow_cache.c
> snort-2.4.3_patched/src/preprocessors/flow/flow_cache.c
> --- snort-2.4.3/src/preprocessors/flow/flow_cache.c     Mon Apr 11 22:23:45
> 2005
> +++ snort-2.4.3_patched/src/preprocessors/flow/flow_cache.c     Tue Dec  6
> 15:41:54 2005
> @@ -188,11 +188,12 @@
> 
>  int init_flowdata(FLOWCACHE *fcp, FLOW *flowp)
>  {
> +
>      if(!flowp || !fcp)
>          return 1;
> -
> +
>      if(boInitStaticBITOP(&(flowp->data.boFlowbits),
> fcp->max_flowbits_bytes,
> -                         flowp->data.flowb))
> +                         &(flowp->data.boFlowbits.pucBitBuffer)))
>      {
>          return 1;
>      }
> 
> 
> 





More information about the Snort-devel mailing list