[Snort-devel] [patch] src/decode.c: HDLC big-endian/little-endian ETHERNET_TYPE_IP detect fix

Jay Schulist jjschlst at ...2499...
Fri Mar 14 13:35:46 EDT 2008

Attached is a patch against snort-2.8.1.rc that fixes a
big-endian/little-endian problem while detecting IP packet types in
HDLC packets. The old code assumes little endian and breaks on
anything that is big endian. I'm hoping that you could apply this
patch so the fix is included in future snort releases.

Please let me know if there are any problems with this patch that will
bar it from being accepted; I'll be happy to make any changes.

Thank you,
Jay Schulist

diff -ruN snort-2.8.1.rc.orig/src/decode.c snort-2.8.1.rc/src/decode.c
--- snort-2.8.1.rc.orig/src/decode.c	2008-03-04 12:13:19.000000000 -0800
+++ snort-2.8.1.rc/src/decode.c	2008-03-14 10:22:58.000000000 -0700
@@ -2229,7 +2229,7 @@
     DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"););

     if ((pkt[0] == CHDLC_ADDR_UNICAST || pkt[0] == CHDLC_ADDR_MULTICAST) &&
-           ntohs((u_int16_t)(pkt[2] | pkt[3] << 8)) == ETHERNET_TYPE_IP)
+           ntohs(*(u_int16_t *)&pkt[2]) == ETHERNET_TYPE_IP)
         DecodeIP(p->pkt + CHDLC_HEADER_LEN,
                  p->pkth->caplen - CHDLC_HEADER_LEN, p);
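
Review bot: The replacement line `ntohs(*(u_int16_t *)&pkt[2])` reads a 16-bit value through a cast byte pointer, which is only safe if `pkt + 2` is 2-byte aligned and which breaks strict-aliasing rules; on strict-alignment CPUs (many of the big-endian targets this fix is aimed at) an unaligned capture buffer would fault here. Assembling the field from its bytes avoids both the alignment and the byte-order question and needs no `ntohs` at all, for example `((pkt[2] << 8) | pkt[3]) == ETHERNET_TYPE_IP`. The visible context also does not show a check that the captured length is at least `CHDLC_HEADER_LEN` before `pkt[0]`, `pkt[2]` and `pkt[3]` are read, so it is worth confirming that such a check precedes this condition.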
