[Snort-devel] Bus Error with 2.6 Beta on PA-RISC2/HPUX 11i

James Pendergrass jpenderg at ...2886...
Wed Jun 28 11:09:22 EDT 2006


List,
I have solved my HPUX/PA-RISC sig bus problem.
The fix for Sparc/Solaris does the trick,  the problem it is not enabled
by default for HPUX (although the attempt is made).  In the file
src/decode.h, lines 795 through 799 define the macro SPARC_TWIDDLE:

    795 #if defined (SOLARIS) || defined (SUNOS) || defined (__sparc__) || defined(__sparc64__) || defined (HPUX)
    796 #define SPARC_TWIDDLE       2
    797 #else
    798 #define SPARC_TWIDDLE       0
    799 #endif

This value is added to the buffer base address when saving packets, to
ensure that alignments work out right.  The problem is that the gcc
4.1.1 compiler distributed by HP does not define the HPUX macro, so
SPARC_TWIDDLE is set to 0 rather than 2.  Changing the macro to
_HPUX_SOURCE solves this problem,  as would defining the HPUX macro
1) somewhere in config.h  

A similar problem occurs in src/log.h at line 32.

Other minor HPUX notes (for those interested) include:
1) struct sockaddr_ext used by net/if6.h is only defined if _XOPEN_SOURCE_EXTENDED is undefined.  
	I'm not sure exactly what other effects this macro has, but unsetting it causes compilation
	to succeed.
2) in src/dynamic-plugins/sf_dynamic_plugins.c including dlfcn at line 55 causes numerous errors.
	specifically gcc fails to parse:
		typedef unsigned long long UINT64;  
	at line 66.  Instead numerous errors are reported about extra "unsigned" keyword,  and 
	"long long long" being too long for gcc.

	Moving the #include directive above all other includes in sf_dynamic_plugins.c fixes this error

Other than the above issues (and the .sl/.so issue referenced previously) 
snort compiles and runs fairly cleanly.

If you would like exact error messages for any of the above let me know and I'll regenerate them.

Thanks for your help and guidance.
-aaron


On Tue, Jun 27, 2006 at 09:05:08AM -0400, James Pendergrass wrote:
> Steve,
> Thanks for the quick response.  
> It turns out I am using the final 2.6.0 release not the beta (my mistake).
> When I get some free time I'll take a closer look at what might be causing this problem
> and try to come up with a small patch.
> 
> Note: I expect this is a PA-RISC problem and not unique to HPUX (i.e. NetBSD on PA-RISC
> should experience it too),  but I have no real evidence to back that up.
> 
> Thanks again for the quick response.
> -aaron
> 
> On Tue, Jun 27, 2006 at 08:49:29AM -0400, Steven Sturges wrote:
> > Hello James--
> > 
> > HPUX is not an officially supported platform, but I'd
> > recommend syncing up to Snort 2.6.0 Final (it was released
> > a few weeks ago).
> > 
> > There were some changes made to support Solaris platform
> > in Stream4 and those may resolve the problem you are seeing
> > on HP.
> > 
> > We'll look into the shared library extension issue.
> > 
> > Cheers.
> > -steve
> > 
> > James Pendergrass wrote:
> > > Hello, 
> > > I've been trying to get snort 2.6 beta up and running on an HP Visualize
> > > B1000 Workstation running HPUX 11i.  I've got everything compiled and
> > > going, but have been receiving a Bus Error when snort runs.
> > > 
> > > I think the problem is the same as the problem described on the SPARC
> > > architecture in the post:
> > > http://sourceforge.net/mailarchive/message.php?msg_id=12609196
> > > 
> > > The problem does not occur if the stream4_reassemble preprocessor is not
> > > enabled.  
> > > 
> > > I have seen the BusError triggered from two different places.
> > > The stack trace of the first observed error confirms my belief that the issue is similar
> > > to the one described in the post referenced above:
> > > #0  0xa8b8 in IPHdrTests ()
> > > #1  0xc794 in DecodeIP ()
> > > #2  0xe138 in DecodeEthPkt ()
> > > #3  0x4e3a0 in FlushDeletedStream ()
> > > #4  0x4e51c in DropSession ()
> > > #5  0x4e5c8 in DeleteSession ()
> > > #6  0x5e81c in CleanHashTable ()
> > > #7  0x5e8a4 in PruneSessionCache ()
> > > #8  0x50544 in ReassembleStream4 ()
> > > #9  0x288e4 in Preprocess ()
> > > #10 0x204cc in ProcessPacket ()
> > > #11 0x206f4 in PcapProcessPacket ()
> > > #12 0xc23694c0 in __gcc_personality_v0 () from /usr/local/lib/libpcap.sl
> > > #13 0xc236b5a0 in __gcc_personality_v0 () from /usr/local/lib/libpcap.sl
> > > #14 0x207f0 in InterfaceThread ()
> > > #15 0x20efc in SnortMain ()
> > > #16 0x2176c in main ()
> > > 
> > > The other stack trace is slightly different, but also suggests stream4_reassamble as the
> > > culprit (or at least a significant part of the problem):
> > > #0  0x4cd1c in BuildPacket ()
> > > #1  0x4dab4 in FlushStream ()
> > > #2  0x5081c in ReassembleStream4 ()
> > > #3  0x288e4 in Preprocess ()
> > > #4  0x204cc in ProcessPacket ()
> > > #5  0x206f4 in PcapProcessPacket ()
> > > #6  0xc10194c0 in InitializePreprocessor () from /usr/local/lib/libpcap.sl
> > > #7  0xc101b5a0 in InitializePreprocessor () from /usr/local/lib/libpcap.sl
> > > #8  0x207f0 in InterfaceThread ()
> > > #9  0x20efc in SnortMain ()
> > > #10 0x2176c in main ()
> > > 
> > > Can someone confirm that this is a recognized bug and either patch exists or is in the
> > > pipes?  Can someone suggest a workaround?
> > > Thanks.
> > > 
> > > Also,  just to be nitpicky; snort seems to assume dynmic plugins will have a .so extension,
> > > this really ought to be detected at build time and set to the appropriate extension for
> > > the platform.
> > > 
> > > Thanks again,
> > > aaron
> > > 
> > > Using Tomcat but need to do more? Need to support web services, security?
> > > Get stuff done quickly with pre-integrated technology to make your job easier
> > > Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> > > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> > > _______________________________________________
> > > Snort-devel mailing list
> > > Snort-devel at lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/snort-devel
> > > 
> > 
> > 
> > Using Tomcat but need to do more? Need to support web services, security?
> > Get stuff done quickly with pre-integrated technology to make your job easier
> > Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> 
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel




More information about the Snort-devel mailing list