[Snort-devel] Stream4/Stream5 conf parser fixes

Steven Sturges steve.sturges at ...402...
Tue Jul 24 10:14:14 EDT 2007


Thanks, Joel.

We'll have a look at these areas and ensure that the configuration
values are properly validated in a future version.

Cheers.
-steve

Joel Ebrahimi wrote:
> Some of the options when not properly configured in  Stream5 and Stream4 cause segfaulting.
> This is similar to some of the fixes made before. Not a big deal as the segfaulting is happening as the conf is parsed, but this will prevent that and display messages useful to the user as to where they went wrong.
>  
> diff -Naur snort-2.7.0-old/src/preprocessors/spp_stream4.c snort-2.7.0/src/preprocessors/spp_stream4.c
> --- snort-2.7.0-old/src/preprocessors/spp_stream4.c 2007-07-03 14:41:46.000000000 -0600
> +++ snort-2.7.0/src/preprocessors/spp_stream4.c 2007-07-24 00:04:29.000000000 -0600
> @@ -1151,7 +1151,15 @@
>          }
>          else if(!strcasecmp(stoks[0], "timeout"))
>          {
> -            if(isdigit((int)stoks[1][0]))
> +            if(!stoks[1])
> +            {
> +                LogMessage("WARNING %s(%d) => Missing timeout in config file, "
> +                           "defaulting to %d seconds\n", file_name, file_line, 
> +                           PRUNE_QUANTA);
> +
> +                s4data.timeout = PRUNE_QUANTA;
> +            }
> +            else if(isdigit((int)stoks[1][0]))
>              {
>                  s4data.timeout = atoi(stoks[1]);
>              }
> @@ -1166,7 +1174,12 @@
>          }
>          else if(!strcasecmp(stoks[0], "memcap"))
>          {
> -            if(isdigit((int)stoks[1][0]))
> +            if(!stoks[1]) 
> +            {
> +                FatalError("%s(%d) => Missing memcap in config file\n",
> +                           file_name, file_line);
> +            }
> +            else if(isdigit((int)stoks[1][0]))
>              {
>                  s4data.memcap = atoi(stoks[1]);
>  
> @@ -1181,13 +1194,18 @@
>              }
>              else
>              {
> -                FatalError("%s(%d) => Bad memcap in config file, %d\n",
> +                FatalError("%s(%d) => Bad memcap in config file\n",
>                             file_name, file_line);
>              }
>          }
>          else if(!strcasecmp(stoks[0], "max_sessions"))
>          {
> -            if(isdigit((int)stoks[1][0]))
> +            if(!stoks[1])
> +            {
> +                FatalError("%s(%d) => Missing max_sessions in config file\n",
> +                           file_name, file_line);
> +            }
> +            else if(isdigit((int)stoks[1][0]))
>              {
>                  s4data.max_sessions = atoi(stoks[1]);
>  
> @@ -1202,8 +1220,8 @@
>              }
>              else
>              {
> -                FatalError("%s(%d) => Bad max_sessions in config file, %d\n",
> -                           file_name, file_line);
> +                FatalError("%s(%d) => Bad max_sessions in config file\n",
> +                           file_name, file_line]);
>              }
>          }
>  #ifdef STREAM4_UDP
> @@ -1213,7 +1231,12 @@
>          }
>          else if(!strcasecmp(stoks[0], "max_udp_sessions"))
>          {
> -            if(isdigit((int)stoks[1][0]))
> +            if(!stoks[1]) 
> +            {
> +                FatalError("%s(%d) => Missing max_udp_sessions in config file\n",
> +                           file_name, file_line);
> +            }
> +            else if(isdigit((int)stoks[1][0]))
>              {
>                  s4data.max_udp_sessions = atoi(stoks[1]);
>  
> @@ -1228,7 +1251,7 @@
>              }
>              else
>              {
> -                FatalError("%s(%d) => Bad max_udp_sessions in config file, %d\n",
> +                FatalError("%s(%d) => Bad max_udp_sessions in config file\n",
>                             file_name, file_line);
>              }
>          }
> @@ -1262,7 +1285,12 @@
>  #endif
>          else if(!strcasecmp(stoks[0], "cache_clean_sessions"))
>          {
> -            if(isdigit((int)stoks[1][0]))
> +            if(!stoks[1]) 
> +            {
> +                FatalError("%s(%d) => Missing cache cleanup value in "
> +                           "config file\n", file_name, file_line);
> +            }
> +            else if(isdigit((int)stoks[1][0]))
>              {
>                  s4data.cache_clean_sessions = atoi(stoks[1]);
>                  if (s4data.cache_clean_sessions < 1)
> @@ -1278,7 +1306,6 @@
>              {
>                  FatalError("%s(%d) => Bad cache cleanup value in "
>                             "config file\n", file_name, file_line);
> -
>              }
>          }
>          else if(!strcasecmp(stoks[0], "ttl_limit"))
> @@ -1312,7 +1339,15 @@
>          }
>          else if(!strcasecmp(stoks[0], "self_preservation_threshold"))
>          {
> -            if(isdigit((int)stoks[1][0]))
> +            if(!stoks[1]) 
> +            {
> +                LogMessage("WARNING %s(%d) => Missing sp_threshold in config file, "
> +                           "defaulting to %d new sessions/second\n", file_name, 
> +                           file_line, SELF_PRES_THRESHOLD);
> +
> +                s4data.sp_threshold = SELF_PRES_THRESHOLD;
> +            }
> +            else if(isdigit((int)stoks[1][0]))
>              {
>                  s4data.sp_threshold = atoi(stoks[1]);
>              }
> @@ -1327,11 +1362,20 @@
>          }
>          else if(!strcasecmp(stoks[0], "self_preservation_period"))
>          {
> -            if(isdigit((int)stoks[1][0]))
> +            if(!stoks[1])   
> +            {
> +                LogMessage("WARNING %s(%d) => Missing sp_period in config file, "
> +                           "defaulting to %d seconds\n", file_name, file_line, 
> +                           SELF_PRES_PERIOD);
> +
> +                s4data.sp_period = SELF_PRES_PERIOD;
> +            }
> +            else if(isdigit((int)stoks[1][0]))
>              {
>                  s4data.sp_period = atoi(stoks[1]);
>              }
> -            else            {
> +            else   
> +            {
>                  LogMessage("WARNING %s(%d) => Bad sp_period in config file, "
>                             "defaulting to %d seconds\n", file_name, file_line, 
>                             SELF_PRES_PERIOD);
> @@ -1341,7 +1385,15 @@
>          }
>          else if(!strcasecmp(stoks[0], "suspend_threshold"))
>          {
> -            if(isdigit((int)stoks[1][0]))
> +            if(!stoks[1]) 
> +            {
> +                LogMessage("WARNING %s(%d) => Missing suspend_threshold in config "
> +                        "file, defaulting to %d new sessions/second\n", 
> +                        file_name, file_line, SUSPEND_THRESHOLD);
> +
> +                s4data.suspend_threshold = SUSPEND_THRESHOLD;
> +            }
> +            else if(isdigit((int)stoks[1][0]))
>              {
>                  s4data.suspend_threshold = atoi(stoks[1]);
>              }
> @@ -1356,7 +1408,15 @@
>          }
>          else if(!strcasecmp(stoks[0], "suspend_period"))
>          {
> -            if(isdigit((int)stoks[1][0]))
> +            if(!stoks[1]) 
> +            {
> +                LogMessage("WARNING %s(%d) => Missing suspend_period in config file, "
> +                           "defaulting to %d seconds\n", file_name, file_line, 
> +                           SUSPEND_PERIOD);
> +
> +                s4data.suspend_period = SUSPEND_PERIOD;
> +            }
> +            else if(isdigit((int)stoks[1][0]))
>              {
>                  s4data.suspend_period = atoi(stoks[1]);
>              }
> @@ -1390,7 +1450,12 @@
>          }
>          else if(!strcasecmp(stoks[0], "server_inspect_limit"))
>          {
> -            if(isdigit((int)stoks[1][0]))
> +            if(!stoks[1]) 
> +            {
> +                FatalError("WARNING %s(%d) => Missing server_inspect_limit in "
> +                           "config file\n", file_name, file_line);
> +            }
> +            else if(isdigit((int)stoks[1][0]))
>              {
>                  s4data.server_inspect_limit = atoi(stoks[1]);
>              }
> @@ -1411,7 +1476,6 @@
>          }
>  
>          mSplitFree(&stoks, s_toks);
> -
>          i++;
>      }
>  
> diff -Naur snort-2.7.0-old/src/preprocessors/Stream5/snort_stream5_tcp.c snort-2.7.0/src/preprocessors/Stream5/snort_stream5_tcp.c
> --- snort-2.7.0-old/src/preprocessors/Stream5/snort_stream5_tcp.c 2007-07-06 09:32:07.000000000 -0600
> +++ snort-2.7.0/src/preprocessors/Stream5/snort_stream5_tcp.c 2007-07-23 23:50:28.000000000 -0600
> @@ -972,6 +972,11 @@
>              }
>              else if(!strcasecmp(stoks[0], "policy"))
>              {
> +                if (!stoks[1] || (endPtr == &stoks[1][0]))
> +                {
> +                    FatalError("%s(%d) => Invalid Policy in config file. A Policy ID is required\n", file_name, file_line);
> +                }
> +
>                  s5TcpPolicy->policy = StreamPolicyIdFromName(stoks[1]);
>  
>                  if ((s5TcpPolicy->policy == STREAM_POLICY_DEFAULT) &&
> @@ -1025,6 +1030,11 @@
>              }
>              else if(!strcasecmp(stoks[0], "bind_to"))
>              {
> +                if (!stoks[1] || (endPtr == &stoks[1][0]))
> +                {
> +                    FatalError("%s(%d) => Invalid Bind To address space in config file. IP address or network required\n", file_name, file_line);
> +                }
> +
>                  s5TcpPolicy->bound_addrs = IpAddrSetParse(stoks[1]);
>                  if (s_toks > 2)
>                  {
> 
> 
>  
> 
>  
> 
> //Joel 
> 
>  
> StillSecure
> Joel Ebrahimi
> Senior Software Engineer
> 
> C 805.570.8311
> 
> http://www.stillsecure.com/ <https://webmail.latis.com/exchweb/bin/redir.asp?URL=http://www.stillsecure.com/> 
> The information transmitted is intended only for the person
> to whom it is addressed and may contain confidential material.
> Review or other use of this information by persons other than
> the intended recipient is prohibited. If you've received
> this in error, please contact the sender and delete
> from any computer. 
>  
> 
> 
> 
> ------------------------------------------------------------------------
> 
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >>  http://get.splunk.com/
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel




More information about the Snort-devel mailing list