[Snort-devel] snort crash on misconfig'd snort.conf

Thomas Washeim hakke_007 at ...578...
Sat Mar 11 04:50:02 EST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello *,
testing snort I realized that it can crash if it finds a preprocessor
rule that looks like this:

'preprocessor
flow'

(without the ticks of course). I know that this is not a correct rule
but I find it quite inconvinient that snort crashes hard with a SIGSEGV.
I attached a patch for snort 2.4.4 and one for 2.6 that I co'd from the
current cvs tree.
The patch also contains a suggestion how to make xlink2state/dynamic
preprocessor smtp less greedy with memory (it uses an array of 65536 int
values for the port configuration which is quite wasteful, it can do
with a 32th of that).
Please note that for 2.4.x the mini preprocessor xlink2state is one int
short for the port list, so port 65535 cannot be activated reliably!

Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFEEsg62/ggQBUI/skRAh62AJ9ks2J6/An7Y0IzsDUHnITg2kb0XACeKiQA
Qg667DHauFUOyEFCyljzKQg=
=2LPh
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch_2.4.4.diff
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20060311/692f635c/attachment.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch_2.6.diff
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20060311/692f635c/attachment-0001.ksh>


More information about the Snort-devel mailing list