[Snort-devel] Bug in sfxhash.c::sfxhash_add()?
spoppi at ...224...
Mon Nov 14 12:57:08 EST 2005
I ran into an issue when debugging a segfault in my sfportscan patch I
introduced with snort-idmef, but which I think may already exist in
the function sfxhash_add() in sfxhash.c (or I misinterpreted something):
snort-2.4.3 (unpatched) on linux x86 kernel-smp-2.6.14-1.1637_FC4
default snort.conf as shipped
In portscan.c::ps_tracker_get() sfxhash_add(g_hash, (void *)key,
&new_ht) is called in line 472 with new_ht of type PS_TRACKER which has
a size of 72 bytes.
In sfxhash_add() the formerly PS_TRACKER* parameter is converted to a
void* named "data". In the same function, line 690, "data" is copied to a
newly created (or reused) hnode object using memcpy(hnode->data, data,
t->datasize), with t->datasize being 276, which is more than the original
72 bytes of a PS_TRACKER. This is odd but seems to be "tolerated"
(because of a stack size of 4k, e.g.?).
My patch creates more data (sizeof PS_TRACKER = 1264, t->datasize =
5044) and in some cases segfaults at the memcpy().
Is the behaviour "as designed" or maybe a real bug?
Thank you for your time,
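The size mismatch described in the post, reduced to a minimal model: this is an added example and not Snort's sfxhash.c; the table, node and tracker types are hypothetical stand-ins, and the datasize values are taken from the post. The unchecked variant reproduces the over-read pattern (reading t->datasize bytes from a smaller source object), the checked variant refuses a copy whose source size does not match the table's node size.

```c
/* Added example, not Snort's sfxhash.c: a one-node table modelled on the
 * sfxhash_add() copy described in the post. All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    size_t datasize;        /* bytes copied into every node (t->datasize) */
    unsigned char *data;    /* single node payload, enough for the demo */
} table_t;

/* Models the reported behaviour: copies t->datasize bytes regardless of
 * how large the caller's object is. If the source object is smaller than
 * t->datasize (72 vs 276 in the post) the memcpy reads past it, and with
 * larger sizes that over-read can leave the mapped stack and segfault. */
int add_unchecked(table_t *t, const void *data)
{
    memcpy(t->data, data, t->datasize);
    return 0;
}

/* Hardened variant: the caller states the object size and the copy is
 * refused unless it equals the size the table was created for. */
int add_checked(table_t *t, const void *data, size_t data_len)
{
    if (data_len != t->datasize)
        return -1;          /* mismatch would over-read or truncate */
    memcpy(t->data, data, data_len);
    return 0;
}

typedef struct { int priority; int count; } tracker_t; /* stand-in for PS_TRACKER */

/* Returns 0 when a matching-size add is accepted by both variants and the
 * mismatch from the post is rejected by the checked one. */
int demo(void)
{
    table_t small = { sizeof(tracker_t), malloc(sizeof(tracker_t)) };
    table_t big   = { 276, malloc(276) };   /* datasize from the post */
    tracker_t tr = { 1, 2 };                /* constructed sample tracker */
    int ok_unchecked = add_unchecked(&small, &tr);      /* sizes match: safe */
    int ok_checked   = add_checked(&small, &tr, sizeof tr);   /* 0 */
    int rejected     = add_checked(&big, &tr, sizeof tr);     /* -1 */
    free(small.data);
    free(big.data);
    return (ok_unchecked == 0 && ok_checked == 0 && rejected == -1) ? 0 : 1;
}

int main(void) { printf("demo: %d\n", demo()); return demo(); }
```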