[Snort-devel] Solaris race condition: Diagnosis and solution

Greg Baran GBaran at ...2896...
Tue Dec 5 19:39:36 EST 2006


Hello Snort Developers:

 

The Problem:

 

We needed to set up snort to run as a Solaris 10 service in a production
environment. We set snort up to run in daemon mode under the Solaris
service model. And we quickly ran into problems. Sometimes the snort
daemon process would start running correctly, other times it would
silently fail, reporting that it had received the SIGPROF signal. It
seemed very odd that this signal should have been asserted.

 

The Diagnosis and Solution:

 

Through a combination of printf and Solaris's dtrace, it was discovered
that there is a race condition involving the fork() of the child process
in the GoDaemon() function of util.c. The timing of signals under
Solaris 10 is quite different from that of many forms of Linux. As the
code stood originally, the child process can signal the parent before it
is prepared to catch the signal. Moving the call to signal() above the
fork() solves this problem on Solaris 10.

 

Looking at my modifications now, the signal() call probably belongs
between the test of getppid() and the call to fork(). No harm the way it
is, but the following is probably more nearly correct:

 

    if(getppid() != 1)

    {

        signal(SIGNAL_SNORT_CHILD_READY, SigChildReadyHandler);

        if (errno != 0) errno=0;

        fs = fork();

 

Secondary Issue:

 

The snort.h file defines SIGNAL_SNORT_ROTATE_STATS and
SIGNAL_SNORT_CHILD_READY as simple integer constants. This caused the
original confusion about what was happening with the failure of the
daemon initialization since signal 29 happens to be SIGPROF in Solaris
10. To avoid this confusion, I changed the value from 29 to SIGUSR2.

 

Solaris Services:

 

I have also included the two files needed to run snort as an SMF
service, the manifest app-snort.xml file and the app-snort module shell
script file. Consult Sun SMF documentation on their use.

 

Included:

 

I have included a tar file that has the changed versions of snort.c,
snort.h, and util.c, a diffs file, and the SMF files.

 

Hoping this helps,

Greg Baran

 

 

 

 

 



--
Confidential: This email is intended only for the person or entity to 
which it is addressed. The information contained in this email may be 
confidential and privileged. Any retransmission, review, dissemination or 
other use of, or taking of any action in reliance upon, this information 
by persons or entities other than the intended recipient is prohibited. 
If you received this email in error, please let us know by reply and 
destroy all copies of it. Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20061206/cdbceb17/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: racebug.tar
Type: application/x-tar
Size: 194560 bytes
Desc: racebug.tar
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20061206/cdbceb17/attachment.tar>


More information about the Snort-devel mailing list