[Snort-devel] [BUG][Stream5]: SIGSEGV in Stream5 TCP, TcpSessionCleanup at snort_stream5_tcp.c:4624

Russ Combs rcombs at ...402...
Sat Oct 8 09:04:12 EDT 2011

OK, I was able to reproduce that.  It happens because the .dmp file has eth2
packets and the .cap file has linux cooked packets.  Snort switches
"grinders" (the root decoder) when the pcap is changed and will not segfault
if you use either --pcap-reset or --dirty-pig.  Absent one of those options,
stream5 blows up flushing at shutdown a packet captured in the first file by
trying to re-decode it using the grinder for the second file.

I'll file a bug for this.  The fix will probably be to force --pcap-reset
behavior when the grinder changes for a new pcap.

BTW, adding --enable-sourcefire makes no difference in this case (segfault
w/or w/o).  It is mostly just shorthand for a bunch of other enables, but it
does set a flag which is used conditionally in a few places.

Thanks for all your help getting to the bottom of this.

On Fri, Oct 7, 2011 at 8:46 PM, <Joshua.Kinard at ...3108...> wrote:

> -----Original Message-----
> From: Russ Combs [mailto:rcombs at ...402...]
> Sent: Friday, October 07, 2011 8:29 AM
> Subject: Re: [Snort-devel] [BUG][Stream5]: SIGSEGV in Stream5 TCP,
> TcpSessionCleanup at snort_stream5_tcp.c:4624
> >> On Fri, Oct 7, 2011 at 7:20 AM, Russ Combs <rcombs at ...402...>
> wrote:
> >>
> >>      Hey Joshua,
> >>
> >>      Thanks for reporting this problem.  I am unable to reproduce it
> with my Ubuntu gcc 4.4.3.
> >
> > No segfault with Fedora gcc 4.5.1 either.
> >
> >       Can you also send your ./configure and command lines?
> >
> > I'm configuring via snort.conf and running with snort -c test.conf -r
> 2009-04-21-07-47-35.dmp  -A cmg.
> Hi Russ,
> Minus --prefix and some of the --with-* overrides (because I am building
> this as an unprivileged user and have compiled the needed libraries in
> my home folder), this is my configure line:
> ./configure --enable-ipv6 --enable-zlib --enable-gre --enable-mpls
> --enable-decoder-preprocessor-rules --enable-pthread --enable-debug-msgs
> --enable-debug --enable-react --enable-flexresp3 --enable-normalizer
> --enable-perfprofiling
> My command line is this:
> snort -c local.rules -k none -A console --pcap-dir <dir>/ -q
> On a whim, I just tested using -r <pcap>, and that does not trigger the
> SIGSEGV.  It does happen if you use --pcap-dir and have the referenced
> PCAP file in the target directory PLUS this SCTP sample from WireShark's
> Sample Captures:
> http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&targe
> t=sctp-addip.cap
> Also, using --enable-sourcefire causes this SIGSEGV to disappear.  What
> is that configure flag doing, exactly?
> Thanks!,
> --J
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20111008/89c3d985/attachment.html>

More information about the Snort-devel mailing list