[Snort-devel] [patch] src/decode.c: HDLC big-endian/little-endian ETHERNET_TYPE_IP detect fix

Steven Sturges steve.sturges at ...402...
Fri Mar 14 16:03:53 EDT 2008


Thanks, Jay... We'll have a look and try to include in
a future release.

Cheers.
-steve

Jay Schulist wrote:
> Hello,
> Attached is a patch against snort-2.8.1.rc that fixes a
> big-endian/little-endian problem while detecting IP packet types in
> HDLC packets. The old code assumes little endian and breaks on
> anything that is big endian. I'm hoping that you could apply this
> patch so the fix is included in future snort releases.
> 
> Please let me know if there are any problems with this patch that will
> bar it from being accepted, I'll be happy to make any changes
> required.
> 
> Thank you,
> Jay Schulist
> 
> diff -ruN snort-2.8.1.rc.orig/src/decode.c snort-2.8.1.rc/src/decode.c
> --- snort-2.8.1.rc.orig/src/decode.c	2008-03-04 12:13:19.000000000 -0800
> +++ snort-2.8.1.rc/src/decode.c	2008-03-14 10:22:58.000000000 -0700
> @@ -2229,7 +2229,7 @@
>      DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"););
> 
>      if ((pkt[0] == CHDLC_ADDR_UNICAST || pkt[0] == CHDLC_ADDR_MULTICAST) &&
> -           ntohs((u_int16_t)(pkt[2] | pkt[3] << 8)) == ETHERNET_TYPE_IP)
> +           ntohs(*(u_int16_t *)&pkt[2]) == ETHERNET_TYPE_IP)
>      {
>          DecodeIP(p->pkt + CHDLC_HEADER_LEN,
>                   p->pkth->caplen - CHDLC_HEADER_LEN, p);
> 
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> 




More information about the Snort-devel mailing list