[Snort-devel] inBounds() fix less or equal to end ptr

rmkml rmkml at ...879...
Sun Jan 25 14:14:09 EST 2009


Hi,
Im work with snort v2.8.3.2 (and previous) with this rule:
  alert udp any any -> any any (msg:"work1"; isdataat:1024; sid:90005;)
same pb with tcp rule:
  alert tcp any any -> any any (msg:"work2"; isdataat:1024; sid:90006;)
but this rules not match if udp/tcp packets have payload/data size 1024 ! 
With this patch (joigned diff), this rules work:
  +++ src/bounds.h    2009-01-25 22:33:19.000000000 +0100
  static INLINE int inBounds(const u_int8_t *start, const u_int8_t *end, const u_int8_t *p)
  {
  -    if(p >= start && p < end)
  +    if(p >= start && p <= end)

Please Credits to Crusoe Researches.
Happy Detect!
Rmkml
Crusoe-Researches.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort2832_inBounds_lessequalend.diff.gz
Type: application/octet-stream
Size: 237 bytes
Desc: 
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20090125/36f54bd6/attachment.obj>


More information about the Snort-devel mailing list