[Snort-devel] Snort 2.9.7.0 enters into infinity loop getApplicationData

souber at ...3541... souber at ...3541...
Mon Nov 24 05:33:18 EST 2014


below stack could be helpful

(gdb) bt
#0  getApplicationData (scbptr=0x7fffc4d81600, protocol=30) at spp_session.c:2741
#1  0x00000000004e467d in get_file_session (ssnptr=<optimized out>) at file_service.c:237
#2  get_main_file_context (ssnptr=<optimized out>) at file_service.c:253
#3  get_file_processed_size (ssnptr=<optimized out>) at file_service.c:868
#4  get_file_position (pkt=<optimized out>) at file_service.c:1028
#5  get_file_position (pkt=<optimized out>) at file_service.c:1015
#6  0x000000000048688e in SnortHttpInspect (GlobalConf=0x16cb410, p=0x196f6d0) at snort_httpinspect.c:4376
#7  0x00000000004805c9 in HttpInspect (p=<optimized out>, context=<optimized out>) at spp_httpinspect.c:211
#8  0x000000000043d69e in DispatchPreprocessors (policy=<optimized out>, policy_id=<optimized out>, p=0x196f6d0) at detect.c:136
#9  Preprocess (p=0x196f6d0) at detect.c:234
#10 0x00000000004b344f in _flush_to_seq (st=0x7fffeaf4ab50, bytes=<optimized out>, p=0xe91c60, dir=64, dp=<error reading variable: Unhandled dwarf expression opcode 0xfa>, 
    sp=<error reading variable: Unhandled dwarf expression opcode 0xfa>, dip=<error reading variable: Unhandled dwarf expression opcode 0xfa>, 
    sip=<error reading variable: Unhandled dwarf expression opcode 0xfa>, tcpssn=<error reading variable: Unhandled dwarf expression opcode 0xfa>) at snort_stream_tcp.c:4336
#11 0x00000000004b9951 in StreamFlushTalker (p=p at ...3418...=0xe91c60, scb=<optimized out>) at snort_stream_tcp.c:4883
#12 0x0000000000490838 in StreamResponseFlushStream (p=0xe91c60) at spp_stream6.c:913
#13 StreamResponseFlushStream (p=0xe91c60) at spp_stream6.c:906
#14 0x0000000000492374 in freeSessionApplicationData (session=0x7fffc4d81600) at spp_session.c:1756
#15 0x00000000004be476 in ProcessTcp (scb=scb at ...3418...=0x7fffc4d81600, p=p at ...3418...=0xe91c60, tdb=tdb at ...3418...=0x7fffffffdc80, s5TcpPolicy=s5TcpPolicy at ...3418...=0x7fffe62b7010) at snort_stream_tcp.c:8629
#16 0x00000000004c0183 in StreamProcessTcp (p=p at ...3418...=0xe91c60, scb=scb at ...3418...=0x7fffc4d81600, s5TcpPolicy=0x7fffe62b7010, skey=skey at ...3418...=0x7fffffffdd10) at snort_stream_tcp.c:5639
#17 0x000000000049016a in StreamProcess (p=0xe91c60, context=<optimized out>) at spp_stream6.c:751
#18 0x000000000043d69e in DispatchPreprocessors (policy=<optimized out>, policy_id=<optimized out>, p=0xe91c60) at detect.c:136
#19 Preprocess (p=p at ...3418...=0xe91c60) at detect.c:234
#20 0x00000000004317f8 in ProcessPacket (p=p at ...3418...=0xe91c60, pkthdr=pkthdr at ...3418...=0x7fffffffde20, pkt=pkt at ...3418...=0x7fffd0695676 "\252", ft=ft at ...3418...=0x0) at snort.c:1873
#21 0x0000000000433c20 in PacketCallback (user=<optimized out>, pkthdr=0x7fffffffde20, pkt=0x7fffd0695676 "\252") at snort.c:1717
#22 0x00000000004efef5 in pcap_process_loop ()
#23 0x00007ffff7fbdfbe in ?? () from /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
#24 0x00000000004f038d in pcap_daq_acquire ()
#25 0x000000000045261c in DAQ_Acquire (max=max at ...3418...=0, callback=callback at ...3418...=0x433a80 <PacketCallback>, user=user at ...3418...=0x0) at sfdaq.c:543
#26 0x0000000000434d04 in PacketLoop () at snort.c:3268
#27 SnortMain (argc=11, argv=<optimized out>) at snort.c:920
#28 0x00007ffff6709ead in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#29 0x0000000000405aad in _start ()


> 
> Hello,
> I have a problem with newest version of snort :( For some reason main process enters into infinity loop in getApplicationData (spp_session.c).
> I cannot determine how it's possible :(
> 
> Facts:
> 1. appData is the same with appData->next
> 2. appData->protocol is 5 (PP_HTTINSPECT)
> 3. protocol variable in getApplicaionData is 30 (PP_FILE)
> 4. it's not only one loop, after set NULL in next snort stack in another endless loop
> 
> Any help? Any idea?
> Cheers,
> Jul.
> 
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
> http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> 
> Please visit http://blog.snort.org for the latest news about Snort!
> 






More information about the Snort-devel mailing list