[Snort-devel] Bug in sfxhash.c::sfxhash_add()?

Sandro Poppi spoppi at ...224...
Mon Nov 14 12:57:08 EST 2005


I ran into an issue when debugging a segfault in my sfportscan patch I 
introduced with snort-idmef, but which I think may already exist in 
the function sfxhash_add() in sfxhash.c (or I misinterpreted something):

snort-2.4.3 (unpatched) on linux x86 kernel-smp-2.6.14-1.1637_FC4
default snort.conf as shipped

In portscan.c::ps_tracker_get() sfxhash_add(g_hash, (void *)key, 
&new_ht) is called in line 472 with new_ht of type PS_TRACKER which has 
a size of 72 bytes.

In sfxhash_add() the former PS_TRACKER* parameter is converted to 
void* named "data". In the same function, at line 690, "data" is copied to a 
newly created (or reused) hnode object using memcpy(hnode->data, data, 
t->datasize), with t->datasize being 276, which is more than the original 
72 bytes of a PS_TRACKER. This is odd but seems to be "tolerated" 
(because of a stack size of 4k, e.g.?).

My patch creates more data (sizeof PS_TRACKER = 1264, t->datasize = 
5044) and in some cases segfaults at the memcpy().

Is the behaviour "as designed" or maybe a real bug?

Thank you for your time,
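The hazard described in the report is a fixed-size node copy (memcpy of t->datasize bytes) whose length is decoupled from the size of the object the caller actually passes, so the copy reads past the end of the caller's struct. The following is an added example, not Snort's code and not the sfxhash API: it models a table with a fixed per-node datasize, computes how far the copy would read past the source for the sizes quoted in the post, and shows a size-checked add routine that refuses the copy when the object size and the table's datasize disagree. `tracker_t`, `table_t`, `table_add_checked` and the `TABLE_ADD` macro are hypothetical names introduced here; the sizes 72/276 and 1264/5044 are the ones from the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a caller-side tracker record; this is NOT
 * Snort's PS_TRACKER layout, just a small fixed-size struct for the demo. */
typedef struct {
    uint32_t priority_count;
    uint32_t connection_count;
    uint64_t first_seen;
} tracker_t;

/* Minimal model of a table whose nodes store a fixed `datasize` payload,
 * mirroring the idea that a node holds t->datasize bytes no matter how
 * large the caller's object is.  The real sfxhash API is not reproduced. */
typedef struct {
    size_t datasize;        /* payload bytes stored per node */
    unsigned char *payload; /* a single node is enough for illustration */
    int occupied;
} table_t;

table_t *table_new(size_t datasize) {
    table_t *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    t->payload = calloc(1, datasize);
    if (!t->payload) { free(t); return NULL; }
    t->datasize = datasize;
    return t;
}

void table_free(table_t *t) {
    if (!t) return;
    free(t->payload);
    free(t);
}

/* How many bytes a memcpy of `datasize` bytes would read beyond a source
 * object of `src_size` bytes.  0 means the copy stays inside the object. */
size_t overread_bytes(size_t datasize, size_t src_size) {
    return datasize > src_size ? datasize - src_size : 0;
}

/* Hardened add: the caller passes the true size of the object it hands in,
 * and the copy is refused unless it matches the table's datasize exactly.
 * Returns 0 on success, -1 on size mismatch (nothing is copied). */
int table_add_checked(table_t *t, const void *src, size_t src_size) {
    if (src_size != t->datasize)
        return -1;
    memcpy(t->payload, src, t->datasize);
    t->occupied = 1;
    return 0;
}

/* Derives the size from the object's type, so a later change to the struct
 * cannot silently drift away from the datasize the table was created with. */
#define TABLE_ADD(t, objptr) table_add_checked((t), (objptr), sizeof *(objptr))

int main(void) {
    /* Sizes quoted in the report: a 72-byte object copied into a 276-byte
     * node, and the patched 1264-byte object into a 5044-byte node. */
    printf("unpatched over-read: %zu bytes\n", overread_bytes(276, 72));
    printf("patched   over-read: %zu bytes\n", overread_bytes(5044, 1264));

    tracker_t tr = { 3, 17, 1131988628 };   /* constructed sample record */

    /* Table whose datasize does not match the object: the add is refused. */
    table_t *bad = table_new(sizeof tr + 200);
    printf("mismatched datasize -> %d\n", TABLE_ADD(bad, &tr));
    table_free(bad);

    /* Table created with datasize == sizeof(tracker_t): the add succeeds. */
    table_t *good = table_new(sizeof tr);
    printf("matching datasize   -> %d\n", TABLE_ADD(good, &tr));
    table_free(good);
    return 0;
}
```

The useful habit this illustrates is to create the table with `sizeof` of the exact struct the callers will insert, and to have the insert path validate the caller's object size against the node size rather than trusting that the two were kept in sync by hand; the over-read only stays "tolerated" as long as the bytes past the struct happen to be mapped, which is exactly what stops being true once the sizes grow.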
